Security testing started out as an unpopular topic. With the frequent attacks on major domestic websites and the resulting leaks of important community user information, all parties gradually began to pay attention to it. How to carry out software security testing so that hackers cannot take advantage of weaknesses is, for the country as a whole, still at the beginning stage. Today, based on my own experience, I systematically summarize the security testing that I know and have mastered. I hope this will prompt more and better software security testing techniques and experience to be shared, so that everyone can exchange ideas and learn, and so that our security testing takes a step forward; if it plays some role in promoting that, all the better.
Software security testing
Security testing refers to testing the software system's prevention of, and handling of, dangerous conditions, in order to verify whether those measures are effective.
Specific testing methods for software security
Software security testing covers application security, data security, operating system security and other aspects. Different security test indicators call for different test strategies. Finally, from the perspective of social engineering, the causes of security problems that do not originate in the software itself are summarized. The specific security test items and their corresponding test methods are summarized below.
One, application security
Application security testing covers five aspects: security auditing, password support, identification and authentication, user data protection, and security management. The test items and specific test methods for each aspect are described below.
A. Security audit
1. Automatic response to security audit
① Make an unconventional addition or modification to the security attributes of system users, such as assigning the administrator role or full rights to every user. Only one super-administrator role may exist in the system.
② Check whether the system raises an alarm prompt and records the relevant operation information, that is, whether a corresponding record appears in the log.
2. Security audit data generation
The system must provide a logging mechanism that records security-related events and allows audit levels to be defined (such as alarm, emergency and prompt levels).
3. User identity association
Check the relevant log records: when audit data is generated, can the system associate each auditable event with the identity of the user who caused it?
4. Audit review
① Whether audit data can be viewed in the log-related interface.
② Whether the system provides functions that make viewing easier, such as selecting “All”, viewing by the user involved in the audit record, or viewing by time.
5. Restrict audit access
① Log in to the system with the log administrator account and view the system audit information;
② Then log in with a non-log-administrator account and confirm that the system audit module information cannot be viewed.
6. Optional audit review
① Test whether the system provides a function for viewing audit records by category;
② Test whether the system provides a sorting function to make audit records easier to view;
③ Test whether the system provides “and”/“or” query functions to make audit records easier to view, and whether fuzzy queries can be made directly.
7. Security audit event selection
① Set exclusion conditions for the centrally audited events;
② Simulate the occurrence of a centrally audited event and observe how the system reacts.
8. Protected audit record storage
Log in to the system as a user whose role (as assigned by the system) lacks audit-deletion permission, then try to delete an audit record and see whether it succeeds.
9. Prevent loss of audit data
Simulate the situation in which the audit data store is full, and check whether the system can apply one of these handling methods: ignore auditable events; block all auditable events except those of authorized users with special privileges; or overwrite the earliest stored audit records, so that no audit data is lost.
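The audit items above (user identity association, audit levels, review by user or time with and/or queries, sorting, and the three full-store handling methods) are easier to test against a concrete model. The following is an added example written for this article, not code from the original; the event fields, the level names taken from the text, the sample events and the capacity values are all constructed for illustration.

```python
"""Minimal audit log model exhibiting the properties a security audit test checks."""
from dataclasses import dataclass
from datetime import datetime
from typing import List

LEVELS = ("prompt", "alarm", "emergency")  # audit levels named in the article


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str       # identity of the user who caused the event (user association)
    level: str
    action: str


class AuditStore:
    """Fixed-capacity store applying one of the three full-store policies."""
    POLICIES = ("ignore", "block_unprivileged", "overwrite_oldest")

    def __init__(self, capacity: int, policy: str, privileged=()):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.capacity = capacity
        self.policy = policy
        self.privileged = set(privileged)
        self.events: List[AuditEvent] = []

    def record(self, ev: AuditEvent) -> str:
        """Return 'stored', 'dropped' (event lost, action proceeds) or
        'denied' (the action must not proceed because it cannot be audited)."""
        if ev.level not in LEVELS:
            raise ValueError(f"unknown audit level {ev.level!r}")
        if len(self.events) < self.capacity:
            self.events.append(ev)
            return "stored"
        if self.policy == "ignore":
            return "dropped"
        if self.policy == "block_unprivileged":
            if ev.user in self.privileged:
                # A privileged user must still be able to act (e.g. to archive the log),
                # so the store is allowed to grow past capacity for them.
                self.events.append(ev)
                return "stored"
            return "denied"
        self.events.pop(0)            # overwrite_oldest: evict the earliest record
        self.events.append(ev)
        return "stored"

    def query(self, user=None, level=None, since=None, until=None, mode="and"):
        """Filter by user, level and time window, combined with 'and' or 'or'."""
        preds = []
        if user is not None:
            preds.append(lambda e: e.user == user)
        if level is not None:
            preds.append(lambda e: e.level == level)
        if since is not None:
            preds.append(lambda e: e.ts >= since)
        if until is not None:
            preds.append(lambda e: e.ts <= until)
        if not preds:
            return list(self.events)  # the "All" view
        combine = all if mode == "and" else any
        return [e for e in self.events if combine(p(e) for p in preds)]

    def sorted_by(self, key="ts", reverse=False):
        return sorted(self.events, key=lambda e: getattr(e, key), reverse=reverse)


def make_event(hour: int, user: str, level: str, action: str) -> AuditEvent:
    # Constructed sample timestamps: one fixed day, varying hour.
    return AuditEvent(datetime(2024, 1, 1, hour), user, level, action)


# Constructed sample events, in time order.
SAMPLE = [
    make_event(9, "alice", "prompt", "login"),
    make_event(10, "bob", "alarm", "assign_role"),
    make_event(11, "alice", "emergency", "delete_user"),
    make_event(12, "carol", "prompt", "logout"),
]


def sample_store(policy: str, capacity: int = 10) -> AuditStore:
    store = AuditStore(capacity, policy, privileged={"root"})
    for ev in SAMPLE:
        store.record(ev)
    return store
```

A tester would use `sample_store("block_unprivileged", capacity=3)` and then call `record()` as an ordinary user and as `root` to confirm that only the privileged user's actions are still accepted once the store is full, and `query(user="alice", level="alarm", mode="or")` to confirm the and/or review functions behave as the items above require.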
B. Password support
Password computation: check whether the encryption rules applied to passwords are safe and reliable; the MD5 encryption method is generally used.
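The item above asks whether the password computation is safe and reliable. When checking a stored value, the practical questions are whether it is plaintext, whether it is an unsalted fast hash such as MD5 (so two users with the same password store the same value, and a known test password recomputes to the stored value directly), or whether it is a salted, iterated hash. The following is an added example for this article, not code from the original or any particular product; the `pbkdf2_sha256$iterations$salt$hash` storage format and the iteration threshold are assumptions chosen for the illustration.

```python
"""Classify how a system stores passwords, and show the salted iterated form to expect."""
import hashlib
import hmac
import os
import re
from typing import Iterable, Optional

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
# Assumed storage format for the example: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
PBKDF2_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]+)\$([0-9a-f]+)$")
MIN_ITERATIONS = 100_000  # assumed acceptance threshold


def hash_password(password: str, iterations: int = 200_000, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; a fresh random salt per password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    m = PBKDF2_RE.match(stored)
    if not m:
        return False
    iterations, salt, expected = int(m.group(1)), bytes.fromhex(m.group(2)), m.group(3)
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return hmac.compare_digest(calc, expected)  # constant-time comparison


def classify_stored_password(stored: str, known: Iterable[str] = ()) -> str:
    """`known` holds passwords the tester legitimately knows (e.g. the test
    account's own), used to show that plaintext or unsalted MD5 storage
    reproduces the stored value directly."""
    m = PBKDF2_RE.match(stored)
    if m:
        return "pbkdf2-salted" if int(m.group(1)) >= MIN_ITERATIONS else "pbkdf2-weak-iterations"
    if MD5_HEX.match(stored):
        for pw in known:
            if hashlib.md5(pw.encode()).hexdigest() == stored:
                return "md5-unsalted-reproduced"
        return "md5-unsalted"
    for pw in known:
        if pw == stored:
            return "plaintext"
    return "unknown"
```

The test for the item is then: take the test account's stored value, run `classify_stored_password(value, [test_password])`, and treat anything other than the salted, iterated class as a finding.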
C. Identification and authentication
1. User attribute definition
Check the user authorization and role management mechanism to verify the validity of user attribute definitions, that is, whether the system can effectively define the security attributes of each user.
2. Identification method
Detect the identity authentication method adopted by the system.
3. User ID
① On the user login interface, log in to the system as an anonymous user, perform operations that require access permissions, and observe the system's response;
② Log in as users in the various roles and then perform operations;
③ Without logging in, perform access operations as an anonymous user.
4. User-subject binding
Check whether the user's security attributes are associated with the subject acting on behalf of the user. They should be linked to the active subject, that is, different users have different permissions.
5. Password strength
① Detect password complexity and strength;
② Verify using various combinations of uppercase and lowercase English letters, numbers and special characters.
6. Password protection
Check whether the password characters are encrypted for transmission, that is, the password must not be transmitted in plain text.
7. User authentication before any action
Check whether the system performs authentication and authorization before the user performs an operation, that is, whether operating the system requires the correct user name and password.
8. Re-identification
Check whether the system provides a re-authentication mechanism, and whether it requires a fresh login after a long period with no activity or after an authentication failure.
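Items 3 (user ID), 4 (user-subject binding), 7 (authentication before any action) and 8 (re-identification) above describe behaviours of one access layer: anonymous callers are refused, each session is bound to one subject whose role decides what it may do, every operation checks the session first, and a session expires after an idle period or after an authentication failure. The following is an added example for this article, not code from the original; the role names, permissions, user records, idle limit and the fake clock are all constructed for illustration, and credentials are held in plaintext only to keep the sample short.

```python
"""Toy access layer: anonymous refusal, subject binding, auth-before-action, re-login."""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Constructed roles and the operations each may perform (user-subject binding).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "auditor": {"view_audit"},
    "operator": {"view_audit", "edit_record"},
    "admin": {"view_audit", "edit_record", "assign_role"},
}
IDLE_LIMIT = 900  # seconds without activity before re-login is required (assumed)

# Constructed test accounts: name -> (password, role).
USERS = {"alice": ("pw-alice", "auditor"), "root": ("pw-root", "admin")}


@dataclass
class Session:
    user: str
    role: str
    last_seen: float
    valid: bool = True


class FakeClock:
    """Deterministic clock so idle timeouts can be tested without sleeping."""
    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class AccessLayer:
    def __init__(self, users: Dict[str, tuple], clock: Callable[[], float]):
        self.users = users
        self.clock = clock
        self.sessions: Dict[str, Session] = {}
        self._next = 1

    def login(self, username: str, password: str) -> Optional[str]:
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[0], password):
            # An authentication failure invalidates any live session of that user,
            # so the next action forces a fresh login (re-identification).
            for s in self.sessions.values():
                if s.user == username:
                    s.valid = False
            return None
        token = f"tok{self._next}"
        self._next += 1
        self.sessions[token] = Session(username, rec[1], self.clock())
        return token

    def perform(self, token: Optional[str], action: str) -> str:
        """Every operation goes through here: authentication is checked first.
        Returns 'ok', 'unauthenticated', 're-login-required' or 'forbidden'."""
        session = self.sessions.get(token) if token else None
        if session is None:
            return "unauthenticated"            # anonymous caller
        now = self.clock()
        if not session.valid or now - session.last_seen > IDLE_LIMIT:
            session.valid = False
            return "re-login-required"
        session.last_seen = now
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            return "forbidden"                  # bound subject lacks the permission
        return "ok"
```

Running the item-3 steps against this model means calling `perform(None, ...)` (anonymous), then logging in as each role and calling `perform` with an action that role should and should not have; item 8 is exercised by advancing the clock past `IDLE_LIMIT` and by a deliberately failed `login`.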
D. User data protection
1. Use encryption technology
Check whether the system applies secure encryption technology to the information it transmits.
2. Information storage security
Whether encryption is used when storing important data.
3. Data transmission security
Check whether the system transmits important data in encrypted form.
4. Data consistency
① Check whether the system validates the data and the logical relationships between data items;
② Check whether the system guarantees the integrity and consistency of the data, and whether deletions or repeated updates corrupt it or leave junk data behind;
③ For input data that does not meet the requirements, whether the system gives concise and accurate prompt information in Chinese.
5. Password setting
① Whether password authentication is required to enter the system;
② Whether there is a password-setting policy, and whether it covers validity period, minimum length, complexity, a non-empty requirement, case sensitivity, etc.;
③ Whether any passwords are displayed, stored or transmitted in clear text.
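The password-setting items above and the password strength items under C (complexity checked with mixes of upper- and lower-case letters, digits and special characters) describe a policy that can be written down and tested directly. The following is an added example for this article, not code from the original; the thresholds (minimum length 8, at least three character classes, 90-day validity) are assumptions, since the article does not fix them, and `is_case_sensitive` takes a login callable supplied by the tester.

```python
"""Password policy checker covering the validity period, minimum length,
complexity, non-empty and case-sensitivity items."""
import string
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class PasswordPolicy:
    min_length: int = 8         # assumed threshold
    min_classes: int = 3        # of: lower, upper, digit, special (assumed)
    max_age_days: int = 90      # validity period (assumed)
    forbid_username: bool = True


def character_classes(pw: str) -> Set[str]:
    """Which of the four character classes the password draws on."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(pw: str, username: str, policy: PasswordPolicy,
                   age_days: Optional[int] = None) -> List[str]:
    """Return the list of policy violations (empty list means acceptable)."""
    if not pw:
        return ["empty"]                       # non-empty requirement
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too-short")
    if len(character_classes(pw)) < policy.min_classes:
        problems.append("too-few-character-classes")
    if policy.forbid_username and username and username.lower() in pw.lower():
        problems.append("contains-username")
    if age_days is not None and age_days > policy.max_age_days:
        problems.append("expired")             # validity period exceeded
    return problems


def is_case_sensitive(login: Callable[[str, str], bool], username: str, password: str) -> bool:
    """Case-sensitivity check: the correct password must log in and the
    same password with letter case swapped must be rejected."""
    return bool(login(username, password)) and not login(username, password.swapcase())
```

Item ② of C is covered by feeding `check_password` the combinations the tester wants to try; the return value names exactly which rule each candidate violates, which is more useful in a test report than a bare pass/fail.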
6. Backup and restore
Check whether data backup and recovery facilities are provided.
E. Security management
1. Security attribute management
① Check whether the system has a specific role with the authority to assign user permissions;
② Assign a role to any user in the user list;
③ Enter the system as a user of a specific role that does not have the user-management assignment authority, and see whether user permissions can be assigned.
2. Secure security attributes
① Enter the new-user interface and create a new user;
② Enter the other required items without entering a password;
③ Enter a purely numeric user login password;
④ Enter a user login password consisting only of letters;
⑤ Enter a user login password mixing numbers and letters.
3. Initialization of static properties
① Add a new user and modify the authority of its initial state;
② Log in to the platform as the newly added user and check whether the editing authority actually takes effect in the system.
4. Data management
① The user with the highest authority enters the system and checks whether a security audit function module is present;
② The user with the highest authority enters the system and modifies roles.
5. Management of data limits
① The user with the highest authority enters the system and adds a user;
② Fill in the relevant user information and restrict the login area;
③ Log in to the system as the newly created user from an IP address outside the control range of the area that was filled in.
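Items 1 (security attribute management), 2 (secure security attributes) and 5 (management of data limits) above concern one user-management module: only a role holding the user-management authority may assign roles, a new user cannot be created with an empty, digits-only or letters-only password, and login is refused from outside the IP range configured for the user. The following is an added example for this article, not code from the original; the role names, permission names, sample networks and addresses are constructed for illustration, and passwords are held in plaintext only to keep the sample short.

```python
"""User-management model: assignment authority, password attribute rules, login area."""
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed roles; "user_admin" is the specific role holding assignment authority.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "user_admin": {"assign_role", "create_user"},
    "operator": {"edit_record"},
}


@dataclass
class User:
    name: str
    password: str
    roles: Set[str] = field(default_factory=set)
    allowed_networks: List[ipaddress._BaseNetwork] = field(default_factory=list)  # empty = unrestricted


def password_attribute_problem(pw: str) -> Optional[str]:
    """Item 2: reject empty, purely numeric and purely alphabetic passwords."""
    if not pw:
        return "empty"
    if pw.isdigit():
        return "digits-only"
    if pw.isalpha():
        return "letters-only"
    return None


class UserDirectory:
    def __init__(self):
        self.users: Dict[str, User] = {}

    def _has(self, actor: str, perm: str) -> bool:
        u = self.users.get(actor)
        return u is not None and any(perm in ROLE_PERMISSIONS.get(r, ()) for r in u.roles)

    def bootstrap(self, name: str, password: str) -> None:
        """Create the initial highest-authority user (outside the checked path)."""
        self.users[name] = User(name, password, {"user_admin"})

    def create_user(self, actor: str, name: str, password: str, networks: Iterable[str] = ()) -> str:
        if not self._has(actor, "create_user"):
            return "forbidden"
        problem = password_attribute_problem(password)
        if problem:
            return f"rejected:{problem}"
        if name in self.users:
            return "rejected:exists"
        nets = [ipaddress.ip_network(n) for n in networks]   # login-area restriction (item 5)
        self.users[name] = User(name, password, set(), nets)
        return "created"

    def assign_role(self, actor: str, target: str, role: str) -> str:
        """Item 1: only an actor holding 'assign_role' may change a user's roles."""
        if not self._has(actor, "assign_role"):
            return "forbidden"
        if role not in ROLE_PERMISSIONS or target not in self.users:
            return "rejected"
        self.users[target].roles.add(role)
        return "assigned"

    def login(self, name: str, password: str, from_ip: str) -> str:
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u.password, password):
            return "bad-credentials"
        addr = ipaddress.ip_address(from_ip)
        if u.allowed_networks and not any(addr in n for n in u.allowed_networks):
            return "outside-login-area"
        return "ok"
```

Step ③ of item 5 corresponds to `login("bob", ..., "192.168.1.5")` for a user created with `["10.0.0.0/8"]`: the credentials are correct, yet the login must fail solely because of the source address.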
6. Secure data
① The user with the highest authority enters the system and adds a user;
② Fill in the relevant user information, enter invalid user data, and observe the system's response.
7. Revocation
① The user with the highest authority enters the system, selects a user, and checks and then revokes the authority of the selected user;