Security testing is different from penetration testing: penetration testing focuses on a few points of penetration, while security testing focuses on modeling security threats and systematically considering threats from every aspect and level. A security test can tell you where threats to your system may come from, which threats it is currently exposed to, and which threats it can withstand. Security testing does, of course, cover part of what a penetration test does. The differences between security testing and penetration testing are mainly the following:
Penetration testing follows the hacker's method: starting from a single point of entry, it looks for ways to prove that you have a problem. This helps customers raise their awareness and also fixes some urgent problems, but it cannot deliver complete security testing of the system and is hard-pressed to solve the system's own substantive security problems. As a result, the vendors that offer penetration testing are generally those that sell their own protective equipment: they take the threats their equipment defends against as the main points of penetration, find that you have similar problems, and sell the corresponding protective equipment as the remedy for those specific threats, leaving you with passive protection behind that equipment. Security testing vendors, by contrast, consider the problem from the overall system architecture, secure coding, security testing, test coverage, security metrics and other factors; the solution they propose is to gradually help customers introduce a secure development process, with the corresponding tool support, and the goal is ultimately to improve the substantive security of the customer's business system itself.
A security test first analyzes the system under test systematically: its architecture, its software stack, how its programs are deployed, and so on. It then performs a security analysis of the system and builds a security model of it, identifying every potential threat the system may face. From that model it identifies the system's attack interfaces and then tests each of them according to the corresponding test scenario.
Security testing focuses only on vulnerability analysis, not on how vulnerabilities are actually exploited, for several reasons:
Cost factors: for attackers, the payoff from exploiting a vulnerability is the assets the system protects, so they can afford to invest more in developing the exploit, in time, people and techniques. For a security test, the entire budget is what the customer is willing to invest; the assets the system protects are worth far more than what was spent developing the system, and security investment accounts for only about 3% of the system development investment. From a cost perspective, therefore, the security test concentrates on assessing whether exploitation is possible, rather than on working out how a vulnerability would be exploited and demonstrating it to the customer.
Perspective factor: security testing exists to help customers reduce security threats and security vulnerabilities; it is itself a protective technology. Identifying as many security issues as possible and guiding the customer in fixing them is what matters, so the path it follows is: identify security issues -> analyze and assess them -> propose remediation -> measure security, rather than the attacker's path of: find security issues -> exploit them -> obtain illicit gains. What is most valuable to the defender is finding and solving the problem, not finding and using it. For protection, it is enough to determine whether a vulnerability can be exploited, how severe it is, and what level of repair is sufficient. Studying more specific exploitation techniques is meaningful for protection at the operating-system level, but of no value to the developers and users of ordinary application systems.
Assumed factors: customers face risks not only from outside, but also from attackers who get in through client hosts (for example by planting a trojan on an employee's laptop) and possibly from within. To protect overall security, we cannot assume, as a penetration test does, that the attacker's path runs purely through strict external defenses, nor can we make assumptions about what information the attacker has acquired over time through social engineering or from their own position (for example as an employee). At the same time, attack techniques keep developing, and combined with the characteristics of a specific application, attackers may at any time find a way to use a vulnerability we previously judged low-risk or hard to exploit. The focus of a security test is therefore the security of the business system after all external defenses have fallen, emphasizing high-coverage security testing and security metrics rather than a single penetration test.
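To make the "high coverage and security metrics" point above concrete, here is an added example (not from the original article) that measures how much of a modelled attack surface a set of test scenarios actually exercises, following the procedure described earlier: model the threats per attack interface, then test by scenario. The interfaces, threat names and scenario lists are constructed sample data, and the coverage rule (an interface/threat pair counts as covered only if some scenario exercises exactly that pair) is an assumption of this example.

```python
from typing import Iterable

# Constructed threat model: each attack interface and the threats it may face.
ATTACK_INTERFACES = {
    "web login form": {"credential theft", "injection", "brute force"},
    "admin API": {"privilege escalation", "injection"},
    "employee laptop": {"malware", "social engineering"},
    "internal file share": {"privilege escalation", "data exposure"},
}

# Constructed scenario lists: (interface, threat) pairs a test actually exercised.
PENTEST_SCENARIOS = [("web login form", "injection")]
SECURITY_TEST_SCENARIOS = [
    ("web login form", "injection"),
    ("web login form", "brute force"),
    ("admin API", "privilege escalation"),
    ("employee laptop", "malware"),
    ("internal file share", "data exposure"),
]


def coverage(interfaces: dict, scenarios: Iterable[tuple]) -> dict:
    """Measure how much of the modelled attack surface a scenario list exercises.

    Returns covered/total pair counts, the pairs never exercised, the
    interfaces with no scenario at all, and scenarios that are not in the
    model (those point at a gap in the threat model itself, not in testing).
    """
    modelled = {(i, t) for i, threats in interfaces.items() for t in threats}
    exercised = set(scenarios)
    covered = modelled & exercised
    touched = {i for i, _ in covered}
    return {
        "covered": len(covered),
        "total": len(modelled),
        "untested_pairs": sorted(modelled - exercised),
        "untested_interfaces": sorted(set(interfaces) - touched),
        "outside_model": sorted(exercised - modelled),
    }


def report(name: str, scenarios: Iterable[tuple]) -> None:
    c = coverage(ATTACK_INTERFACES, scenarios)
    print(f"{name}: {c['covered']}/{c['total']} threat/interface pairs exercised")
    for iface in c["untested_interfaces"]:
        print(f"  no scenario at all for: {iface}")
    for iface, threat in c["untested_pairs"]:
        print(f"  untested: {threat} via {iface}")


if __name__ == "__main__":
    report("single-point penetration test", PENTEST_SCENARIOS)
    report("systematic security test", SECURITY_TEST_SCENARIOS)
```

Running it shows the single-point test touching 1 of 9 modelled pairs with three interfaces never exercised, while the systematic test reaches every interface and lists exactly which threats still lack a scenario.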