Shulou(Shulou.com)06/01 Report--

Software security is a broad and complex topic, and every new software may have a new type of security defect that completely does not conform to all known patterns. It is impractical to avoid all possible types of attacks due to security vulnerabilities. In software security testing, it is very important to use a set of good principles to avoid the listing of insecure software and to avoid attacks on insecure software.

I. basic concepts of software security testing

Software security testing includes program, network and database security testing. The testing strategy is also different according to the system security index.

1. Issues to consider in user program security testing include:

① clearly distinguishes different user permissions in the system.

Will there be user conflicts in the ② system

Will the ③ system cause confusion due to the change of users' permissions?

Whether the login password of ④ user is visible and replicable

Whether ⑤ can log in to the system through absolute means (copy the link after the user logs in and enter the system directly)

Whether ⑥ users have deleted all authentication marks after launching the system, and whether they can use the back key to enter the system without entering a password.

two。 The issues to be considered in the network security testing of the system include:

① tests whether the protective measures taken are properly assembled and whether the patches related to the system are on.

② simulates unauthorized attacks to see if the protection system is robust

③ uses mature network vulnerability checking tools to check system-related vulnerabilities

④ uses various Trojan horse inspection tools to check the Trojan horse of the system.

⑤ uses a variety of anti-plug tools to check the customer plug-in vulnerabilities of each group of programs in the system.

3. Database security considerations:

Whether the ① system data is confidential (for example, for the banking system, this is particularly important, the general website is not too demanding)

Data Integrity of ② system

Data manageability of ③ system

Independence of data in ④ system

⑤ system data can be backed up and restored (whether the data backup is complete, can be restored, whether the recovery can be complete).

Over the years, many people have listed the best penetration testing and cyber security assessment tools, but I want to list the best testing tools by category in a different way. Needless to say, the following 10 categories are divided according to the survey, which basically reflects the current situation of the use of security testing tools:

What are the most popular software testing tools?

1. Overall, the application of (static) code analysis tools and (dynamic) penetration testing tools is still relatively common, more than 60%, and penetration testing tools (73.68%) have a slight advantage, 10% higher. Fuzzy testing tool may feel strange to you, as low as 16%, but it can still play a role in safety and reliability testing. In theory, the code analysis tool should be able to reach more than 95%, because it is easy to use, and security is already the red line of many companies, so it gets enough attention. It is hoped that in the future, various companies can strengthen the application of code analysis tools and fuzzy testing tools.

2. The top three Java code security analysis tools are IBM AppScan Source Edition (42.11%), Fotify Static Code Analyzer (36.84%) and Findbugs (26.32%).

3. The top three places of code security analysis tool are C++Test (38.89%), IBM AppScan Source Edition (38.89%), Fotify Static Code Analyzer (27.78%) and Visual Studio (27.78%). Maybe LDRA Testbed is more expensive, and most of the key embedded software is used, so it is not in the top three.

4. Google's Closure Compiler is the most widely used JavaScript code security analysis tool, followed by JSHint, and some companies use Coverity for JS code analysis.

5. Pychecker is the most widely used Python code security analysis tool, followed by PyCharm, while Pylint is rarely used, and several companies use Coverity for Python code analysis.

6. Among the commercial tools for Web application security testing, IBM AppScan has emerged as a new force, up to 70% of the market, and other commercial tools cannot compete with it. The gap between the second SoapUI and it is more than 50%, and the HP webInspect is less than 10%.

7. Among the open source tools for Web application security testing, Firebug has a clear lead, nearly 50%, 12% higher than the second OWASP ZAP, and the third place is Firefox Web Developer Tools, which is more than 20%.

Among the security testing tools of 8.Android App, Android Tamer leads by nearly 30%, which is about 15% higher than the 2nd and 3rd AndroBugs, Mobisec and Santoku.

9. Wireshark is by far the leader in network status monitoring and analysis tools, with more than 70%. Followed by Tcpdump, Burp Suite, accounting for about 30%. There are many tools for network status monitoring and analysis, but from this survey, we can see that they are more and more concentrated in several tools, especially Wireshark has strong functions and covers many protocols, so it is very popular.

10.SQL injection testing tools ranked in the top three: SQLInjector, SQL Power Injector, OWASP SQLiX, the three are relatively close, the gap is about 6%. The other two tools, Pangolin and SQLSqueal, also account for 10%.

Summary:

These tools liberate security testers from manual audits. They also make the audit process faster and more efficient. Performing a robust security test evaluation does not mean simply selecting a tool from the list. Instead, it means evaluating the results of the organization, as well as evaluating the information, requirements, and stakeholders involved. This process will help build an ideal strategy, including the use of tools to effectively and efficiently identify and resolve security vulnerabilities.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.