2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
First, regarding the concern everyone has raised: websites are becoming harder and harder to penetrate, which shows that today's security technology and the maturity of website architecture are steadily improving. Second, reduced demand for security work in one particular technical area does not indicate a downturn for the penetration testing industry as a whole. Security covers not only technical security (including web system vulnerabilities) but also management security, physical security, industrial control system security, and so on. Management is also a dynamic, ongoing process, so on the whole vulnerabilities are inevitable and the demand for security will not end. Third, in the concrete steps of a penetration test we can consider many more avenues in social engineering and management, and as technology develops and improves, penetration testing methods should show a matching cross-disciplinary character.
On the whole, security will be a permanent problem for any organization, and it will be cross-disciplinary to some degree. Penetration testing is not limited to traditional scanning, intrusion testing, vulnerability testing and similar methods; it should also make flexible use of shortcomings in organization and coordination, and shortcomings at the personal level.
Why can't tools downloaded for free from the Internet find security problems any more? Because if you can download them for free, so can everyone else. As long as one person in the company's security team knows how to use the tool, they can find the problem themselves, and there is no need for you. Ten years ago, security at many companies was so poor that they did not even have a security team, so you could download a tool, run a scan, and find many problems. Today, the security capability of companies themselves has improved, and so has the security capability of website developers. If you keep scanning with a tool from ten years ago, it will certainly feel very difficult today.
As everyone knows, twenty years ago you could pick up a tool, run a scan, and find plenty of weak remote-login passwords and remote overflow vulnerabilities. So were the penetration testers of twenty years ago frustrated when the vulnerabilities that a scan turned up immediately, and that gave a root shell, slowly faded away? No. They simply started working on injection, on XSS, on CSRF, on deserialization. That is why they wrote the tools that you now download for free from the Internet. The same goes for binary security. The vulnerabilities of twenty years ago were extremely easy to discover and exploit. Over the past two decades, vulnerabilities have become harder and harder to find and exploit. But has binary security as a technical field faded? Not at all; in fact it is developing very well. For people born into ordinary families, it is a good thing for their work to be difficult and to have a threshold. If a job is not difficult, it usually does not pay. If it were easy and still paid well, why would anyone hire you to do it? Couldn't they just ask a cousin or brother-in-law?
Now that everyone has begun to take security seriously, systems and software will become more and more secure. Assets are no longer exposed on the Internet; organizations apply Internet key management and allow access only with permission. Even if a vulnerability exists, what can you do if you cannot reach the system at all? More and more data is encrypted throughout transmission. Every OkHttp request carries a sign signature, which brings cryptography into the picture. With code obfuscation plus packing, the source code is very difficult to recover, so you never reach the step of reverse-engineering for login-password vulnerabilities. Then there is today's WAF, along with the many intrusion detection products; put two security products in the path and it gets even harder. Whether you target a site or an app, you have to get past the WAF before anything else. Security products are developed and designed by hundreds of people, so facing a WAF is like fighting a duel against dozens of defenders at once. I wish you all the courage to keep moving forward on the penetration testing road. For those who need penetration testing and vulnerability testing for a website or app, we suggest choosing a professional website security company, such as SINESAFE, Eagle Shield Security, or Green Alliance, which are relatively good security companies.