Low-cost integrated security testing for Internet companies

1. Introduction to security testing

a) Security testing status

The application security situation is becoming increasingly severe: new attack techniques appear constantly, and users expect ever stronger protection of their private data. In today's fierce competition among innovative web and mobile products, investors and founders care most about when a product ships and how to get ahead of the market. To release as early as possible, labour and time costs are cut wherever they can be, so security, however important, is left to be dealt with only once an attack actually happens. As a result, a large share of Internet products ship with serious security flaws, giving attackers easy paths to company and user data, and the resulting public backlash does lasting damage to the security reputation of the product and the company. Security testing is precisely the part of the defence that is done before release: done well, it removes most of the vulnerabilities in a product and provides a solid guarantee for corporate reputation and user privacy.

b) Introduction to the security testing system

Doing security testing well is a discipline in its own right. Different companies, products and businesses have different functions and scenarios, so the work has to reach into every stage of the development process, and from a cost-control point of view the cheaper that is the better. Put simply, the security testing system attaches to and intervenes in each stage of the development process.
Of course, the security testing work described above needs to follow several principles:

  • Finding problems: automate vulnerability discovery (tools).
  • Solving problems: make vulnerability fixing developer-friendly (process).
  • Detection capability: let as many vulnerabilities as possible be detected (coverage).

 
c) As the description of the security testing system shows, security testing involves a number of processes and tools. Ordinary enterprises and start-ups cannot guarantee security quality at every stage, and have no professional security staff to oversee it. The usual ways of coping are therefore:

  • Security self-testing: buy (or use cracked) security software and scan your own products.
  • Advantage: low cost.
  • Disadvantage: the people running it are not specialists, so the results are poor.
  • Security outsourcing: commission a professional security company to perform penetration testing and security testing.
  • Advantages: reliable, comprehensive.
  • Disadvantages: high cost, one-off service.
  • Crowdsourced testing: publish testing tasks; white hats take part in the assessment and report the vulnerabilities they find.
  • Advantages: many testers, varied techniques.
  • Disadvantages: a new model, and the security outcome depends on the participants' skill.

 
2. Analysis of common security testing methods

Next we describe some common security testing methods, with their advantages and disadvantages, for reference:

a) Black-box detection: the usual approach is to collect the application's inputs (URLs, forms, Ajax and other requests), fuzz them against a set of vulnerability rules, and discover vulnerabilities from the responses.

i. Manual: test the product by hand with browser plug-ins, packet capture and fuzzing tools, guided by security experience.

  • Common tools: Firefox plug-ins (Firebug, HackBar, HttpFox, Tamper Data), Fiddler, sqlmap, Nmap, etc.
  • Pros and cons: finds the most detail, but the cost in skilled labour is high.

 
ii. Proxy interception: point the browser at an intercepting proxy, capture the browsing traffic and fuzz it automatically.

  • Common tools: Burp Suite, OWASP ZAP, ratproxy, etc.
  • Pros and cons: bound to real business flows, so coverage is better; but someone has to click through every page by hand, so labour cost is high.

 
iii. Spider crawler: a crawler discovers pages and parameters on its own and the scanner fuzzes them.

  • Common tools: WVS (Acunetix Web Vulnerability Scanner), AppScan, etc.
  • Pros and cons: fully automatic scanning, but several are commercial products with high licence fees, they are hard to get started with, and they consume local machine resources.
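The three black-box variants above share one pipeline: collect the requests, mutate each parameter with payloads from a rule set, and judge the response. The following Python script is an added example written for this article, not code from any of the tools named above. It runs that pipeline against a small, deliberately vulnerable stand-in site constructed in-process (the `FAKE_SITE` handlers and the host `http://target.test/` are assumptions), so it works offline; swapping `fetch` for a real HTTP client is all that is needed to point it at a host you are authorised to test.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit, urlunsplit

# --- Constructed, deliberately vulnerable stand-in for the target site (assumption) ---
# Each handler takes the parsed query string and returns (status, body).
HOME = """<html><body>
<a href="/item?id=1">item</a>
<form action="/search" method="get"><input name="q"></form>
<form action="/safe" method="get"><input name="q"></form>
</body></html>"""

def _search(params):                      # reflects input unescaped: XSS
    q = params.get("q", [""])[0]
    return 200, f"<html><body>Results for {q}</body></html>"

def _item(params):                        # leaks a database error on a quote: SQLi symptom
    item_id = params.get("id", [""])[0]
    if "'" in item_id:
        return 500, "You have an error in your SQL syntax near '" + item_id
    return 200, f"<html><body>Item {html.escape(item_id)}</body></html>"

def _safe(params):                        # escapes output: should produce no finding
    q = params.get("q", [""])[0]
    return 200, f"<html><body>Results for {html.escape(q)}</body></html>"

FAKE_SITE = {"/": lambda p: (200, HOME), "/search": _search, "/item": _item, "/safe": _safe}

def fetch(url):
    """Stand-in for an HTTP GET; replace with urllib/requests to scan a real host."""
    parts = urlsplit(url)
    handler = FAKE_SITE.get(parts.path)
    return handler(parse_qs(parts.query)) if handler else (404, "")

# --- Step 1: collect the inputs (links and forms), as the crawler or proxy would ---
class LinkFormParser(HTMLParser):
    """Collect <a href> targets and <form> actions together with their input names."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def collect_requests(base):
    """Crawl one level from `base`; return [(url_without_query, {param: value}), ...]."""
    _, body = fetch(base)
    p = LinkFormParser()
    p.feed(body)
    reqs = []
    for href in p.links:
        s = urlsplit(urljoin(base, href))
        reqs.append((urlunsplit(s._replace(query="")),
                     {k: v[0] for k, v in parse_qs(s.query).items()}))
    for f in p.forms:
        reqs.append((urljoin(base, f["action"]), {name: "test" for name in f["inputs"]}))
    return reqs

# --- Step 2: vulnerability rules: a payload plus the response indicator it should trigger ---
RULES = [
    ("xss",  "<svg/onload=fz1>",
     lambda status, body: "<svg/onload=fz1>" in body),          # reflected verbatim
    ("sqli", "1'",
     lambda status, body: status >= 500 or bool(re.search(r"sql syntax", body, re.I))),
]

# --- Step 3: fuzz every parameter of every request and record the hits ---
def fuzz(reqs):
    findings = []
    for url, params in reqs:
        for name in params:
            for rule, payload, hit in RULES:
                status, body = fetch(url + "?" + urlencode(dict(params, **{name: payload})))
                if hit(status, body):
                    findings.append((rule, url, name))
    return findings

if __name__ == "__main__":
    for finding in fuzz(collect_requests("http://target.test/")):
        print("%-4s %s param=%s" % finding)
```

The rule list is where the real scanners differ: a commercial scanner ships thousands of payload/indicator pairs and a crawler that handles JavaScript, cookies and sessions, but the loop over requests, parameters and rules is the same. Note that the `/safe` form, which HTML-escapes its output, yields no finding, which is what separates a true rule from a noisy one.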

 
b) White-box detection

White-box security scanning comes in many variants, each tied to particular languages and platforms. Compared with black-box scanning it has a serious problem: both false positives and false negatives are high, and development languages, coding standards and frameworks differ from company to company.

i. Regex matching: maintain a vulnerability library based on vulnerability signatures and coding habits, match the code against regular expressions, and report the potential risks. The false positive rate is high, and the cost of triaging and confirming each hit is very high.

ii. Syntax tree: parse the code into an abstract syntax tree and, by following how variables propagate, decide whether a vulnerability exists from risky-input (source) and risky-output (sink) features. This is considerably more precise, and works better still when combined with the business's development framework and its rules.
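To make the difference between the two white-box approaches concrete, here is an added example, written for this article and not taken from any product the article describes, that runs both over a constructed Python snippet: a plain regex sink matcher, and a small intra-procedural taint tracker built on Python's standard `ast` module. The snippet, the source list (`request.args.get`, `input`) and the sink names are assumptions chosen for illustration.

```python
import ast
import re

# Constructed code under review (assumption): one real injection, plus lines that a
# regex will flag although nothing attacker-controlled ever reaches the sink.
SAMPLE = '''
import os
import sqlite3
from flask import request

def lookup(conn):
    user = request.args.get("user")          # source: attacker-controlled
    sql = "SELECT * FROM users WHERE name = '" + user + "'"
    cur = conn.cursor()
    cur.execute(sql)                         # sink reached by tainted data
    return cur.fetchall()

def audit(conn):
    cur = conn.cursor()
    cur.execute("SELECT * FROM audit_log")   # constant query: safe
    msg = "cursor.execute(request.args.get(x)) is banned"   # only a string literal
    return msg

def ping(host):
    os.system("ping -c1 " + host)            # sink, but host is a parameter: tainted
                                             # only if some caller passes user input
'''

# i. Regex matching: any line that calls a risky function is a hit. No data flow is
# considered, so constant queries and string literals are reported too.
SINK_RE = re.compile(r"\b(execute|system|popen|eval)\s*\(")

def regex_scan(src):
    return [n for n, line in enumerate(src.splitlines(), 1) if SINK_RE.search(line)]

# ii. Syntax tree: parse the code, mark names assigned from a source as tainted,
# propagate taint through expressions, and report sink calls fed a tainted argument.
SOURCES = {("request", "args", "get"), ("input",)}    # call chains that yield user input
SINK_NAMES = {"execute", "system", "popen", "eval"}    # final attribute/name of a sink call

def dotted(node):
    """request.args.get -> ('request', 'args', 'get'); None if not a plain name chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None

class TaintVisitor(ast.NodeVisitor):
    def __init__(self):
        self.tainted, self.findings = set(), []

    def is_tainted(self, expr):
        for n in ast.walk(expr):
            if isinstance(n, ast.Name) and n.id in self.tainted:
                return True
            if isinstance(n, ast.Call) and dotted(n.func) in SOURCES:
                return True
        return False

    def visit_FunctionDef(self, node):
        self.tainted = set()          # intra-procedural: taint does not cross functions
        self.generic_visit(node)

    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name and name[-1] in SINK_NAMES and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, ".".join(name)))
        self.generic_visit(node)

def ast_scan(src):
    v = TaintVisitor()
    v.visit(ast.parse(src))
    return v.findings

if __name__ == "__main__":
    print("regex hits (lines):", regex_scan(SAMPLE))
    print("AST taint findings:", ast_scan(SAMPLE))
```

The regex reports four lines, three of which are noise that someone would have to triage by hand; the syntax-tree pass reports only the `cur.execute(sql)` that is actually fed by `request.args.get`. The `ping` function shows the other side of the trade-off: an intra-procedural tracker misses it unless taint is carried across calls, which is exactly where knowledge of the business's framework (which entry points are request handlers) improves results.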
c) Other detection methods

i. White + black correlation: because black-box coverage is incomplete and white-box false positives are high, one approach takes the vulnerabilities found in the code, maps the code locations to real URLs, and hands them to black-box fuzzing for verification. The difficulty is whether the development framework is standardised enough for that mapping from code to URL to be reliable.

ii. Bytecode injection: use Javassist to hook the risky functions in Java bytecode, then fuzz the application to achieve grey-box detection.
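The bytecode-hooking idea is language-neutral: instrument the risky functions at run time, drive the application with inputs that carry a recognisable marker, and report when the marker turns up inside the text handed to a sink. The following added example, written for this article and not the STS or Javassist code, applies the same technique to a constructed Python application. Because Python has no bytecode hook comparable to Javassist, the hooks are installed by monkey-patching `sqlite3` cursor execution and `os.system`; the handlers, the marker and the payload are assumptions.

```python
import os
import sqlite3

MARKER = "fz9q"             # token carried by every fuzz input (assumption)
FINDINGS = []               # (sink name, text the sink received)

def _check(sink, text):
    """Hook body: the marker inside the command/query text means untrusted input was
    concatenated into it. Bound parameters never pass through here, so they are not flagged."""
    if MARKER in text:
        FINDINGS.append((sink, text))

class HookedCursor(sqlite3.Cursor):
    def execute(self, sql, params=()):
        _check("sqlite3.Cursor.execute", sql)
        return super().execute(sql, params)

class HookedConnection(sqlite3.Connection):
    def cursor(self, factory=HookedCursor):
        return super().cursor(factory)

_real_connect, _real_system = sqlite3.connect, os.system

def install_hooks():
    """Redirect the risky functions to the instrumented versions (the Javassist step)."""
    sqlite3.connect = lambda *a, **kw: _real_connect(*a, factory=HookedConnection, **kw)
    def hooked_system(cmd):
        _check("os.system", cmd)
        return 0                   # never run real shell commands while fuzzing
    os.system = hooked_system

# --- Constructed application handlers under test (assumption) ---
def find_user_vulnerable(name):
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users(name TEXT)")
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # concatenation
    return cur.fetchall()

def find_user_safe(name):
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users(name TEXT)")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))          # bound parameter
    return cur.fetchall()

def ping(host):
    return os.system("ping -c1 " + host)                                 # concatenation

# --- Grey-box fuzz driver ---
def greybox_fuzz(handler):
    """Call `handler` with a marked payload; return the sinks the marker reached unescaped."""
    install_hooks()
    FINDINGS.clear()
    try:
        handler("x'" + MARKER)     # the quote also provokes a SQL error on the vulnerable path
    except sqlite3.Error:
        pass                       # detection already happened inside the hook
    return sorted({sink for sink, _ in FINDINGS})

if __name__ == "__main__":
    for h in (find_user_vulnerable, find_user_safe, ping):
        print(h.__name__, "->", greybox_fuzz(h))
```

Unlike the black-box scanner, the verdict does not depend on what the response looks like: the vulnerable query is reported the moment the marker reaches `execute` as part of the SQL text, whether or not the query then errors, and the parameterised version is silent even though it received the very same input. That is why this grey-box style has far fewer false positives than regex matching and better coverage than black-box fuzzing alone.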
3. Security testing problems and challenges

Taking all of the above together, security testing involves a great deal of work and demands mastery of many security techniques, security tools and code-analysis skills; it is a highly challenging job. Leaving it to developers to self-test, or to functional testers on the side, is not a reassuring option.

To keep products iterating quickly and seize the market while still guaranteeing security quality with limited manpower, what is needed is a free, automated, easy-to-use security testing service that integrates black-box and white-box testing.
4. Introduction to the STS security testing service

a) Introduction

STS aims to provide users with an integrated security testing service that is free, quick and convenient, automates both black-box and white-box testing, and updates its vulnerability checks in real time.

b) Features

  • Black-box security scanning: a high-speed cloud-cluster scanning service built on years of technical accumulation inside Alibaba; it effectively finds common security vulnerabilities and supports detection of the latest 0-day vulnerabilities.
  • White-box security scanning: detects vulnerabilities in code based on dynamic compilation, with high precision and a low false positive rate.
  • Advertising detection: an independently developed, high-precision ad detection engine that effectively identifies advertising SDKs and advertising behaviour in mobile applications.

c) Advantages

  • Reliable: supports application security monitoring, scanning the user's products on a schedule and sending prompt notification when a vulnerability is found, before it can be exploited.
  • Convenient: simple to operate, with clear and readable remediation guidance.
  • Fast: a massive cloud cluster returns detection results promptly.
  • Multi-dimensional: black-box and white-box scanning for both web and mobile applications, eliminating vulnerabilities before they surface.

d) Development

The STS security detection service will provide users with multi-dimensional security assessment, evaluating an application's security vulnerabilities and potential security risks from an expert's perspective. It will gather user requirements and fulfil them promptly and efficiently, with the aim of giving users a convenient and fast security testing service.
