Recently, during the final test of a software product in my company, I was asked the following question: how much security is taken into account in our software products? How should I comment on how secure a piece of software is?
This software involves important commercial information of the customer. Therefore, the core issue that users care about is always "is this software secure?" A security vulnerability caused by design and a security vulnerability caused by implementation both have a huge impact on users. My task is to ensure that the software meets the customer's expectations in terms of security.
1. What is software security testing
(1) What is software security?
Software security is an important sub-field of software engineering. In the old standalone era, the main security problem was that the operating system was vulnerable to viruses, and the security of standalone application software was not a prominent concern. Since the Internet became popular, however, software security issues have become increasingly prominent, raising the importance of software security testing to an unprecedented level.
Software security is generally divided into two levels: application-level security and operating-system-level security. Application-level security covers access to data and business functions: with the expected security in place, an operator can only access the specific functions and the limited data that the application exposes. Operating-system-level security ensures that only users who have permission to access the system platform can do so, including local logon and remote logon.
The software security discussed in this article is mainly application-layer security, which has two parts: ① the security of the application itself. Application security problems are generally caused by software vulnerabilities, which may be design defects, programming errors, or even backdoors left by developers. ② The data security of the application, including the security of data storage and of data transmission.
(2) Software Security Testing
Generally, security testing for software with low security requirements can be folded into unit testing, integration testing, and system testing. For software with high security requirements, however, dedicated security testing must be performed so that security issues are prevented and identified before any damage is done.
Security testing is the process of verifying the security level of an application and identifying potential security defects. The main purpose of application-level security testing is to find security risks in the program's own design and to check the application's defences against illegal intrusion; the test strategy varies with the security indicators being evaluated. Note that security testing does not ultimately prove that the application is secure; it verifies the effectiveness of the protective policies that have been set up. These measures are chosen on the basis of the threat analysis phase, for example testing that the application prevents unauthorized internal or external users from accessing or damaging it.
2. Software security testing process
(1) Security testing methods
Many methods can be used for security testing. The main ones currently in use are:
① Static code security testing: this method scans the source code and matches the data flow, control flow, semantics, and other information in the program against its own repository of software security rules to find potential security vulnerabilities in the code. Static source-code security testing is a very practical method. It can identify, during the coding phase, all code that may carry security risks, so developers can fix potential security problems at an early stage. For this reason, static code security testing is better suited to the early code-development stage than to the testing stage.
② Dynamic penetration testing: penetration testing is also a frequently used security testing method. It simulates hacker input using automated tools or manual methods, attacks the system, and finds the security vulnerabilities that exist at execution time. Such testing is realistic and effective, and the problems it finds are generally real and serious. However, penetration testing has a fatal drawback: the simulated test data can only reach a limited number of test points, so coverage is very low.
③ Program data scanning: software with high security requirements must not have its memory corrupted during execution, otherwise buffer-overflow type attacks become possible. Data scanning generally requires memory testing. Many vulnerabilities, such as buffer overflows, can be found by memory testing but are hard to detect with other testing methods. For example, scanning the memory during software execution for information that may pose a risk requires a dedicated tool; it is very difficult to do by hand.
(2) Reverse security testing process
Most software security testing is based on the reverse design principle of the defect space: first check where security risks may exist, then test those potential risks. The reverse test therefore starts from the defect space, builds a defect threat model, finds intrusion points through the threat model, and scans the intrusion points for known vulnerabilities. Its advantage is that analysing known defects lets the software avoid known kinds of defects; its weakness is that it is generally powerless against unknown attack methods and means.
① Establish a defect threat model. The defect threat model starts from known security vulnerabilities and checks the software for them. When establishing the threat model, first determine the professional fields the software involves, and then model the attack methods encountered in each of those fields.
② Search for and scan intrusion points. Check which defects in the threat model may occur in this software, and enter the possible threats into an intrusion-point matrix for management. If a mature vulnerability scanning tool is available, use it to scan for vulnerabilities and add the suspicious findings to the intrusion-point matrix as well.
③ Verify the intrusion matrix by testing. After the intrusion matrix is created, design test cases for each detailed entry in the matrix and run them.
(3) Forward security testing process
To avoid the incompleteness of test results inherent in the reverse design principle, a forward test method is also needed, so that the software can withstand attack methods and means that are not yet known.
① Identify the test space first. Identify all the variable data in the test space; because security testing is costly, the external input layer in particular should be marked. For example, in the requirements analysis, outline design, detailed design, and coding stages, identify the test space and establish a tracking matrix for it.
② Precisely define the design space. Focus on reviewing whether the requirements clearly define the design space and whether each data item in the requirements has its legal value range identified. The most important point in this step is precision of wording: the design space must be defined precisely and in strict accordance with security principles.
③ Identify security risks. Based on the identified test space and design space, and the conversion rules between them, identify which parts of the test space and which conversion rules may carry security risks. For example, the more complex the test space is, the more finely it is divided, or the more combinations of variable data it contains, the less secure it is; and the more complicated the conversion rules are, the more likely problems become. These are the security risks.
④ Establish and verify the intrusion matrix. After the security risks are identified, build the intrusion matrix from them: list the potential security risks, identify the variable data carrying each risk, and rate the level of each risk. For variable data with a high risk level, detailed test cases must be designed.
(4) Difference between forward and reverse testing
Forward testing starts from the test space to find defects and vulnerabilities, while reverse testing starts from the known defect space to check whether the same defects and vulnerabilities occur in the software; each has its own advantages and disadvantages. A basic advantage of reverse testing is its low cost: only the known possible defects need to be verified. Its disadvantage is that the testing is incomplete, the test space cannot be fully covered, and unknown attack methods cannot be found. The advantage of the forward testing process is that the testing is more complete, but the workload is relatively large. Therefore, for software with low security requirements, a reverse security test is generally sufficient; for software with high security requirements, the forward testing process should be the main approach, supplemented by the reverse testing process.
3. Common software security defects and vulnerabilities
Software security involves many aspects, and the basic security problems are caused by software vulnerabilities. The following describes common software security defects and vulnerabilities.
(1) Buffer Overflow
Buffer overflow has become the top public enemy of software security, and many real security problems are related to it. There are two possible causes of a buffer overflow. ① Missing verification of the design space's conversion rules, that is, a lack of data validation, so illegal data is not checked and discarded at the external input layer. When illegal data enters the interface layer and implementation layer, it falls outside the test space or design space of those layers, leading to overflow. ② The local test space and design space are insufficient. Even when legal data enters, the program may overflow during processing because the test space or design space in the program's implementation layer is too small.
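The following is an added example, not code from the article, showing cause ① in a memory-safe setting: a constructed fixed-width record format (a 16-byte name and a 16-bit amount) is the "design space", and `pack_unchecked` / `pack_checked` are hypothetical names for an implementation layer with and without the external input layer in front of it.

```python
import struct

# Constructed fixed-width record format for illustration (not from the article).
# Design space of the record:
#   name   : 1..16 ASCII letters/digits
#   amount : 0..65535 (unsigned 16-bit)
NAME_MAX = 16
AMOUNT_MAX = 0xFFFF
RECORD = struct.Struct(">16sH")


class InputError(ValueError):
    """Raised by the external input layer for data outside the design space."""


def pack_unchecked(name: bytes, amount: int) -> bytes:
    """Implementation layer only, no input-layer check (cause ① above).
    An over-long name is silently cut to 16 bytes, corrupting the record,
    and an amount outside the 16-bit range aborts with struct.error."""
    return RECORD.pack(name, amount)


def validate(name: bytes, amount: int) -> None:
    """External input layer: check every field against the design space
    and discard illegal data before it reaches the fixed-width layer."""
    if not (1 <= len(name) <= NAME_MAX) or not name.isalnum():
        raise InputError("name outside design space")
    if not (0 <= amount <= AMOUNT_MAX):
        raise InputError("amount outside design space")


def pack_checked(name: bytes, amount: int) -> bytes:
    """Hardened path: validation first, then the same implementation layer."""
    validate(name, amount)
    return RECORD.pack(name, amount)


def unpack(record: bytes) -> tuple:
    """Decode a record; the name is returned with its null padding stripped."""
    name, amount = RECORD.unpack(record)
    return name.rstrip(b"\0"), amount


def packing_fails(fn, name: bytes, amount: int):
    """Helper for the checks: the name of the exception raised, or None."""
    try:
        fn(name, amount)
        return None
    except (InputError, struct.error) as exc:
        return type(exc).__name__
```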
(2) Encryption vulnerabilities
The following encryption vulnerabilities are insecure: ① an insecure encryption algorithm is used; the algorithm is not strong enough, and some algorithms can even be cracked by brute force. ② When data is encrypted, the password is generated by a pseudo-random algorithm, and the method for generating the pseudo-random numbers is defective, which makes the password very easy to crack. ③ The identity authentication algorithm has defects. ④ The clocks of the client and the server are not synchronized, giving an attacker enough time to crack the password or alter the data. ⑤ The encrypted data is not signed, which allows an attacker to tamper with it. Therefore, when security-testing encryption, you must test for each of these possible encryption vulnerabilities.
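As an added example (not from the article), the block below makes items ② and ⑤ concrete: a password drawn from a seeded PRNG is reproducible by anyone who knows the seed, whereas one drawn from the OS CSPRNG is not, and a keyed tag over the ciphertext lets the receiver reject altered data. The stream cipher built from SHA-256 here is a constructed stand-in for illustration; the function names are the example's own.

```python
import hashlib
import hmac
import random
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def weak_password(seed: int, length: int = 12) -> str:
    """Item ②: password from a seeded PRNG. Anyone who learns or guesses the
    seed (a timestamp, a counter) regenerates exactly the same password."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = 12) -> str:
    """Same format, drawn from the OS CSPRNG; not reproducible from a seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed SHA-256 counter keystream, for illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_and_sign(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Item ⑤: encrypt, then sign nonce||ciphertext with HMAC-SHA256 so the
    receiver can detect any modification. Layout: nonce(16) | ct | tag(32)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, message: bytes):
    """Return the plaintext, or None if the tag does not match (tampering)."""
    if len(message) < 16 + 32:
        return None
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```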
(3) Error handling
Under normal circumstances, error handling returns some information to the user, and that returned error information may be exploited by a malicious user for an attack: by analysing the returned error information, the malicious user learns what to do next to make the attack succeed. If other functions are called during error handling, the error-handling process itself may also be exploited. Error handling is a problem of the exception space, and handling in the exception space should be as simple as possible; following this principle avoids the problem. However, error handling often involves usability: if the error prompt is too terse, the user may be confused and not know how to proceed. Therefore, when considering the security of error handling, it must be weighed against ease of use.
(4) Excessive Permissions
If excessive permissions are granted, a malicious user with only ordinary user permissions may take advantage of them to perform operations that threaten security. For example, if no limit is imposed on the content that can be operated on, the user may be able to access other resources beyond the specified range. During security testing, you must test whether the application grants excessive permissions: analyse the permissions that should be available in each situation and check whether the permissions actually granted exceed them. Excessive permission is essentially a problem of an excessive design space, so the design space must be controlled during design to avoid the excessive permissions that an oversized design space brings.
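One added example (not from the article) serves both the error-handling section and this one: a hypothetical document-fetch function in which an ordinary user can read any document and the error text reveals which ids exist, beside a version that enforces ownership and returns one uniform message, keeping the detailed reason in a server-side audit log. The store, names and ids are constructed for the example.

```python
# Constructed in-memory store for illustration: doc id -> (owner, content).
DOCS = {
    101: ("alice", "Q3 forecast"),
    102: ("bob", "salary table"),
}


class AccessError(Exception):
    """Error returned to the caller."""


def fetch_document_weak(user: str, doc_id: int) -> str:
    """Both defects from the text: no ownership check, so any logged-in user
    reads any document (excessive permission), and the error text confirms
    to the caller which ids exist (error information that guides an attack)."""
    if doc_id not in DOCS:
        raise AccessError(f"document {doc_id} does not exist")
    return DOCS[doc_id][1]


def fetch_document(user: str, doc_id: int, audit_log: list) -> str:
    """Hardened: the caller may only read documents they own, and a missing
    id and a foreign id produce the same short message. The detailed reason
    goes to the server-side audit log, which the caller never sees."""
    entry = DOCS.get(doc_id)
    if entry is None or entry[0] != user:
        reason = "no such document" if entry is None else f"owned by {entry[0]}"
        audit_log.append(f"denied user={user} doc={doc_id} reason={reason}")
        raise AccessError("document not available")
    return entry[1]


def error_text(fn, *args):
    """Helper for the checks: the message a caller would see, or None."""
    try:
        fn(*args)
        return None
    except AccessError as exc:
        return str(exc)
```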
4. Recommended security testing practices
Much software security testing experience tells us that the necessary conditions for software security testing are: first, a full understanding of software security vulnerabilities; second, an evaluation of the security risks; and third, efficient software security testing technologies and tools.
(1) Fully understand software security vulnerabilities
To assess the security of a software system, you must start from the design, implementation, and deployment phases at the same time. Consider how the Common Criteria evaluate software system security. First, determine the Protection Profile (PP) of the software product. A PP defines a security feature template for a type of software product, for example a database PP or a firewall PP. Then, according to the PP, detailed security functional requirements are proposed, such as the implementation of user identity authentication. Finally, the security target is determined, together with how it meets the security functional requirements. A secure piece of software must therefore show no problems in any of the three phases.
(2) Security test evaluation
After security testing, has the software reached the expected level of security? This is the most important question for security testers, so a security assessment mechanism must be established after testing. The following two aspects are generally evaluated.
① Security defect data evaluation. It is assumed that the more security defects and vulnerabilities have been found in the software, the more defects may remain. Baseline data must be established as the basis for such an assessment; otherwise the assessment may not reach a correct conclusion. ② Evaluation by vulnerability seeding. The vulnerability seeding method is the same as fault insertion in reliability testing, except that what is inserted into the software are security flaws. A certain number of vulnerabilities are seeded into the software in advance by a designated person who does not take part in the security testing. Finally, the number of seeded vulnerabilities discovered by the testing is used to assess whether the software security testing was sufficient.
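As an added example (not from the article, which describes the method without giving numbers), the function below turns a seeding result into an assessment using the standard fault-seeding estimate from reliability testing (Mills' model): the fraction of seeded vulnerabilities found is taken as the detection rate, and the native vulnerabilities found are scaled by it to estimate how many remain. The `min_rate` threshold and the function name are the example's own assumptions.

```python
def seeding_assessment(seeded_total: int, seeded_found: int, native_found: int,
                       min_rate: float = 0.9) -> dict:
    """Fault-seeding estimate (Mills' model). Assumes seeded and native
    vulnerabilities are equally likely to be detected by the same testing.
    Returns the detection rate, the estimated number of native vulnerabilities
    still in the software, and whether testing reached the required rate."""
    if seeded_total <= 0 or not 0 <= seeded_found <= seeded_total:
        raise ValueError("need seeded_total > 0 and 0 <= seeded_found <= seeded_total")
    if seeded_found == 0:
        # Nothing seeded was found: no basis for an estimate, only a clear failure.
        return {"rate": 0.0, "estimated_remaining": None, "sufficient": False}
    rate = seeded_found / seeded_total                  # detection rate
    estimated_native_total = native_found / rate        # scale what was found
    return {
        "rate": rate,
        "estimated_remaining": round(estimated_native_total - native_found, 1),
        "sufficient": rate >= min_rate,
    }
```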
(3) Using security testing technologies and tools
Professional security scanning software with specific functions can be used to find potential vulnerabilities; the defects found are then recorded in a defect library, and that defect library is used to drive active attack testing with your own attack-testing method. For example, software that simulates various attacks can be used to carry out such a test.
Security testing verifies whether the protection mechanisms built into the software can in practice protect the system from illegal intrusion. To put it bluntly, a secure software system must certainly be able to withstand frontal attacks, but it must also be able to withstand attacks from the side and from behind.