Suggestions for conducting software security testing
Experience from many software security testing projects has taught us that three conditions are necessary for doing security testing well: first, a full understanding of software security vulnerabilities; second, a way to evaluate the security risk that remains; and third, efficient security testing techniques and tools.
(1) Fully understand software security vulnerabilities
To evaluate the security level of a software system, it is necessary to look at three aspects at once: design, implementation, and deployment. Let's first look at how the Common Criteria evaluate software system security. First, determine the Protection Profile (PP) that applies to the software product. A PP defines a template of security features for a type of product, for example a PP for databases or a PP for firewalls. Then, based on the PP, specific security functional requirements are stated, such as how user identity authentication is to be implemented. Finally, determine the Security Target (ST), that is, the product under evaluation and how it meets the corresponding security functional requirements. A secure software product therefore has to get all three of these steps right; a mistake in any one of them undermines the others.
(2) Evaluation of security testing
Can the software achieve the expected level of security after security testing is complete? This is the question that concerns security testers most, so a security evaluation mechanism has to be established for the period after testing. Evaluations are generally conducted from the following two aspects.

Assessment of security defect data. If more security defects and vulnerabilities are discovered in the software, there are likely to be more defects remaining as well. When conducting such an evaluation, baseline data must be established as a reference; without a basis for comparison, no correct conclusion can be drawn.

Evaluation by vulnerability implantation. The vulnerability implantation method works on the same principle as fault insertion in reliability testing, except that what is inserted into the software is a set of security weaknesses. When using this method, personnel who do not take part in the security testing first implant a known number of vulnerabilities into the software in advance. After testing, count how many of the implanted vulnerabilities were discovered; that ratio is used to judge whether the security testing of the software was sufficient.
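The implantation evaluation above is easiest to see with numbers. The following is an added example, not part of the original article: it applies the standard error-seeding (Mills) estimator, which the article's "same principle as fault insertion" remark points to, to a constructed set of seeded and reported vulnerability identifiers. The identifiers, the 80% detection threshold and the function names are assumptions made for the example.

```python
"""Evaluate security test sufficiency from seeded (implanted) vulnerabilities.

Added example. Seeded vulnerabilities are planted by staff outside the test team;
the testers do not know which findings are seeded. After testing, the share of
seeded vulnerabilities that was found is the detection rate, and the error-seeding
estimator projects how many native (real) vulnerabilities were probably present.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SeedingResult:
    seeded_total: int
    seeded_found: int
    native_found: int
    detection_rate: float
    estimated_native_total: float   # Mills' estimator: native_found * seeded_total / seeded_found
    estimated_native_remaining: float
    sufficient: bool


def evaluate_seeding(seeded: set[str], findings: set[str],
                     min_detection_rate: float = 0.8) -> SeedingResult:
    """Compare the tester's findings with the secretly seeded vulnerability ids.

    seeded   - ids of vulnerabilities implanted before testing (known only to the seeding staff)
    findings - ids of every vulnerability the testers reported; a seeded one that was
               found is reported under the same id
    min_detection_rate - assumed acceptance threshold; 0.8 is an example value
    """
    if not seeded:
        raise ValueError("no seeded vulnerabilities: nothing to evaluate against")
    seeded_found = len(seeded & findings)
    native_found = len(findings - seeded)
    rate = seeded_found / len(seeded)
    if seeded_found == 0:
        # Nothing seeded was found: the estimator is undefined, treat as unbounded.
        est_total = float("inf")
    else:
        est_total = native_found * len(seeded) / seeded_found
    return SeedingResult(
        seeded_total=len(seeded),
        seeded_found=seeded_found,
        native_found=native_found,
        detection_rate=rate,
        estimated_native_total=est_total,
        estimated_native_remaining=est_total - native_found,
        sufficient=rate >= min_detection_rate,
    )


# Constructed data: ten seeded ids, and a finding list with 8 of them plus 6 native issues.
SEEDED = {f"SEED-{i:02d}" for i in range(1, 11)}
FINDINGS = {f"SEED-{i:02d}" for i in range(1, 9)} | {f"VULN-{i}" for i in range(1, 7)}


if __name__ == "__main__":
    r = evaluate_seeding(SEEDED, FINDINGS)
    print(f"detection rate {r.detection_rate:.0%}, found {r.native_found} native, "
          f"estimated total {r.estimated_native_total:.1f}, sufficient={r.sufficient}")
```

The seeded vulnerabilities must be tracked and removed before release; the detection rate says how well the test campaign finds the kinds of weakness that were planted, and the projected remaining count is only as good as how representative those plants are of real defects.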
(3) Using security testing techniques and tools
Professional security scanning software with specific functions can be used to identify potential vulnerabilities. Defects that have already been found are recorded in a defect library, and automated testing is then used to replay the whole library against the software in bulk, so that every known weakness is re-checked on each build. Software that simulates various attacks for testing purposes is one example of such a tool.
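The defect-library replay described above can be put into code. The following is an added example and not a tool from the article: a constructed defect library of inputs that once exposed a filename-handling defect is replayed against a weak ("before") check and a hardened check, and the harness reports which library entries each one still gets wrong. The defect ids, payloads and function names are all assumptions for the example.

```python
"""Replay a library of previously found defects against an input check (added example).

Each library entry records the input that exposed a defect and whether a correct
check must reject it. Replaying the library on every build turns past findings into
regression tests, which is the automated use of a defect library.
"""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class DefectEntry:
    defect_id: str          # constructed tracker id, not a real identifier
    description: str
    payload: str            # the input that exposed the defect
    must_reject: bool = True


# Constructed defect library for a function that validates user-supplied filenames.
DEFECT_LIBRARY = [
    DefectEntry("DEF-001", "parent-directory traversal", "../etc/passwd"),
    DefectEntry("DEF-002", "percent-encoded traversal", "%2e%2e/etc/passwd"),
    DefectEntry("DEF-003", "embedded NUL byte truncates the name", "report.txt\x00.png"),
    DefectEntry("DEF-004", "absolute path escapes the upload directory", "/etc/hosts"),
    DefectEntry("DEF-005", "ordinary name must still be accepted", "report-2024.txt",
                must_reject=False),
]


def naive_is_safe_filename(name: str) -> bool:
    """The 'before' check: a deny-list that only looks for a literal '..'."""
    return ".." not in name


# Allow-list: one path component of plain characters, not starting with '.', max 255 chars.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def hardened_is_safe_filename(name: str) -> bool:
    """The hardened check: accept only names that match the allow-list pattern."""
    return SAFE_NAME.fullmatch(name) is not None


def replay_defect_library(check: Callable[[str], bool],
                          library: list[DefectEntry]) -> list[str]:
    """Return the ids of entries the check handles wrongly.

    An entry fails when a must-reject payload is accepted, or when a payload that
    must be accepted is rejected (a fix that breaks normal input is also a defect).
    """
    failures = []
    for entry in library:
        accepted = check(entry.payload)
        if accepted == entry.must_reject:
            failures.append(entry.defect_id)
    return failures


if __name__ == "__main__":
    for name, fn in (("naive", naive_is_safe_filename),
                     ("hardened", hardened_is_safe_filename)):
        print(f"{name}: still failing {replay_defect_library(fn, DEFECT_LIBRARY)}")
```

Keeping the library as data rather than as hand-written test functions means every new finding from a scanner or a penetration test is added as one entry, and the same harness covers it from then on.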
Security testing is used to verify whether the protection mechanisms built into the software can actually protect the system from unauthorized intrusion. Put simply, a software system must certainly be able to withstand a frontal attack, but it must also be able to withstand attacks from the flank and from the rear.