Pre-Security Testing Practice 1 - White Box & Black Box Scanning

Author: JD Logistics Chen Wei

1. Introduction

G. J. Myers, in "The Art of Software Testing", defined testing from a psychological point of view as the process of executing a program with the intent of finding errors.

By extension, security testing is the process of finding the potential security problems in a system. Through testing we find the security weaknesses and risks the system may have, analyze and remediate them, and so assure the security quality of the system.

From the application security perspective, a range of security testing work is carried out, including but not limited to security pre-scanning, security penetration testing, data security, and SDL process adoption.

In this article we take improving system security quality as the goal and describe the practice and evolution of security pre-scanning.

I hope it helps you understand security testing more deeply and thoroughly, and lets you start doing security testing quickly.

2. Security pre-scanning practice

1. Work order analysis: identifying the sources

Before scanning, we first analyzed the vulnerabilities already recorded in work orders (tickets).

(1) Vulnerability source analysis


Vulnerability distribution:

Open-source component version issues and code-scanning findings, taken together, account for 91% of the work orders.

Both categories come from scans that the deployment platform launches automatically at compile time by calling the Security Department's code-scanning interface.

The Security Department then forms a vulnerability work order according to its rules and issues it to R&D.

White box vulnerability distribution:


Scanned branches: master, uat, test, and so on.

In other words, every branch deployed on jdos is scanned, and the findings of those scans are the source of the work orders.

JSRC category analysis:

Issues submitted by external white hats through JSRC (https://security.jd.com), for which the relevant department then issues a work order.

(2) Forming preventive measures

Based on the analysis above, the following measures were taken:

1. Carry out pre-scanning. Before Xingyun deploys and compiles, actively initiate a security pre-scan so that problems are not first discovered online. In addition, unify the code security scanning rules so that code already scanned internally does not later produce code-scanning vulnerabilities.

2. Security quality gating. R&D and test run code security scanning; the scan is a mandatory step before going online, is triggered automatically, and compilation can proceed only after the reported problems are fixed.

3. Conduct penetration testing. Penetration-test external systems and sensitive internal systems that are already online, and manage new requirements through the SDL security development life cycle.

2. Pre-scanning: clearing the existing backlog

Through white-box scanning of application code and black-box scanning of application domain names, problems are identified in advance, defects are prevented, and the number of vulnerabilities is reduced. Tooling efficiency was also improved during the scanning process, further widening the scope of what pre-identification can prevent.

(1) Code white-box scanning

① Master branch scanning based on the pipeline's source code security audit atom (pipeline step)

When the department started scanning, the pipeline approach was chosen first in order to achieve continuous, integrated scanning. The main steps of the pipeline are:


Scanned branch: master

Trigger conditions: code submission, scheduled trigger

Email notification: the scan report link is sent by email

Issue follow-up: manual review of the report, classification and sorting of vulnerabilities, and tasks sent to R&D

Summary:

This effectively covers scanning of the master branch, but has the following problems:

Branch coverage is limited, so vulnerabilities on non-master branches are missed;

Adding a new branch to cover requires building a new pipeline, so the time cost does not go down;

Manual sorting of findings is inefficient and error-prone.

② Preventive scanning of active branches

Branches other than master are also deployed and compiled on the platform, and they generate vulnerability tickets too.

Scanning only the master branch therefore cannot fully prevent white-box vulnerabilities.

Hence: collect the active branches, submit their code for scanning, and form full-branch scan coverage.

Identifying active branches:


Security code scanning platform:


Active branch scan results:

Summary:

With the above, scan coverage of master plus the active branches is achieved; coverage is complete, and white-box vulnerabilities can be fully identified in advance.

(2) Application black-box scanning

Step 1: Obtain the application's domain names and resolve them to IPs as the targets of the black-box scan.

Step 2: Execute the vulnerability scan:


Organizing the vulnerability scan results:

(3) Development of efficiency tools

Problem: white-box and black-box scanning both go through the steps [submit tasks, obtain results, sort vulnerabilities, deliver problems]. Done purely by hand, the process is slow, collecting and organizing the findings is easy to get wrong or miss, and white-box scan coverage is low, so the missed problems turn into work orders.

Solution: build a tool on the scanners' open interfaces that submits tasks in batches, obtains the results, and sorts them into a report.


Benefits:

Efficiency: 4 hours of manual work -> 1 hour, a 75% efficiency gain.

Coverage: from master only -> master plus the branches active in the past two weeks, 100% scan coverage, so more problems are found and omissions avoided.
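The two steps the tool automates, choosing master plus the branches active in the last two weeks and merging per-branch scan results into one deduplicated report, as an added example in Python. This is not the article's tool; the ref listing and scanner output are constructed samples, and the finding fields are assumed.

```python
"""Added example: select branches to scan and merge per-branch findings."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of: git for-each-ref refs/remotes/origin \
#   --format='%(refname:short) %(committerdate:iso8601-strict)'
REFS = """\
origin/master 2023-04-10T09:12:00+08:00
origin/feature/order-export 2023-04-09T18:40:00+08:00
origin/uat 2023-04-03T11:05:00+08:00
origin/hotfix/old-login 2023-01-20T08:00:00+08:00
"""
TZ = timezone(timedelta(hours=8))

def parse_refs(text):
    """Map branch name -> last commit time (timezone-aware)."""
    refs = {}
    for line in text.splitlines():
        name, stamp = line.split()
        refs[name[len("origin/"):]] = datetime.fromisoformat(stamp)
    return refs

def active_branches(refs, now, days=14, always=("master",)):
    """Branches with a commit in the last `days` days, plus `always`."""
    cutoff = now - timedelta(days=days)
    return sorted({b for b, t in refs.items() if t >= cutoff or b in always})

def merge_findings(results):
    """results: {branch: [finding]} -> one row per (rule, file, line), so a bug
    shared by master and a feature branch is issued to R&D once; rows are
    ordered by severity so the report can be triaged top-down."""
    branches, severity = defaultdict(set), {}
    for branch, findings in results.items():
        for f in findings:                      # assumed finding schema
            key = (f["rule"], f["file"], f["line"])
            branches[key].add(branch)
            severity[key] = f["severity"]
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [{"rule": k[0], "file": k[1], "line": k[2],
             "severity": severity[k], "branches": sorted(v)}
            for k, v in branches.items()]
    return sorted(rows, key=lambda r: (order[r["severity"]], r["file"], r["line"]))

RESULTS = {  # constructed per-branch scanner output
    "master": [{"rule": "SQLi", "file": "dao/OrderDao.java", "line": 88, "severity": "high"}],
    "feature/order-export": [
        {"rule": "SQLi", "file": "dao/OrderDao.java", "line": 88, "severity": "high"},
        {"rule": "XSS", "file": "web/Export.java", "line": 12, "severity": "medium"},
    ],
}
```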

3. Vulnerability fixes: closed-loop tracking

After the white-box and black-box scans are complete, the detected vulnerabilities are pushed to R&D for resolution, and closed-loop tracking and verification of each vulnerability is completed.

(1) Defect tracking and handling based on Xingyun

• Security vulnerabilities are scanned based on the code repository corresponding to the application;

• Each scan of a repository produces one report, which shows all security problems currently present in the project code;

• Each scan result is recorded as an issue on Xingyun and fed back to the R&D contact person, who assigns it to a specific developer.

Summary:

• Managing defects through Xingyun entries is time-consuming and labor-intensive, and automatic entry has not been implemented;

• The process is imprecise.

(2) Issuing tasks through the batch task management platform

• After the scan completes -> sort out the problems -> issue tasks in batches through the OE contact person (or the OE interface);

• R&D develops the fix.

(3) Building the security process

• Every week, the test contact person and R&D contact person hold a meeting to review the week's security work orders and vulnerability issues;

• Combined black-box and white-box scans are run routinely on the Tuesday and Thursday release days, and the security test report is sent by email;

• A weekly security test report and a monthly security test report are produced;

• R&D security self-testing is established as a habit: developers use the platform to self-test before deploying and compiling on the cloud.

4. Vulnerability analysis

(1) Scanning principle: taint analysis

Detecting program vulnerabilities with taint analysis works as shown in the following diagram:


• Data-flow-based taint analysis:

Ignoring implicit information flow, taint analysis can be treated as data-flow analysis of tainted data. Following the taint propagation rules, the analysis tracks how taint marks on variables spread along the path, and then checks whether tainted data reaches a sensitive operation.

• Dependency-based taint analysis:

Taking implicit information flow into account, the analysis uses the dependencies between statements or instructions in the program to check whether the sensitive operation at the Sink point depends on the operation that receives tainted input at the Source point.
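A toy taint analyzer over a small constructed intermediate representation, added here to make the two variants concrete; it is not the scanner's code. With `implicit=False` it does the data-flow analysis (explicit flows only); with `implicit=True` it also taints assignments that are control-dependent on a tainted condition, which is the dependency-based variant. The IR, the program and the sanitizer are assumptions.

```python
"""Added example: data-flow vs. dependency-based taint analysis on a toy IR."""
# Statement forms (constructed IR, not the format of any real scanner):
#   ("source",   dst)              dst receives untrusted input
#   ("assign",   dst, [operands])  dst is computed from operands (concat, ...)
#   ("sanitize", dst, src)         dst = sanitizer(src); taint is cleared
#   ("if",       cond, [body])     body runs only when cond holds
#   ("sink",     var, op_name)     var reaches a sensitive operation

def analyze(program, implicit=False, tainted=None, ctx=None):
    """Return [(op_name, var)] for each sink reached by tainted data.
    implicit=False: data-flow analysis, explicit flows through assignments only.
    implicit=True : dependency-based, an assignment under a tainted condition
                    is tainted too, so the implicit (control) flow is caught."""
    tainted = set() if tainted is None else tainted
    ctx = set() if ctx is None else ctx        # tainted conditions in scope
    findings = []
    for stmt in program:
        kind = stmt[0]
        if kind == "source":
            tainted.add(stmt[1])
        elif kind == "assign":
            dst, operands = stmt[1], stmt[2]
            if any(o in tainted for o in operands) or (implicit and ctx):
                tainted.add(dst)
            else:
                tainted.discard(dst)           # overwritten with clean data
        elif kind == "sanitize":
            tainted.discard(stmt[1])
        elif kind == "if":
            cond, body = stmt[1], stmt[2]
            inner = ctx | ({cond} if cond in tainted else set())
            findings += analyze(body, implicit, tainted, inner)  # may-execute
        elif kind == "sink":
            if stmt[1] in tainted:
                findings.append((stmt[2], stmt[1]))
    return findings

# Constructed program: SQL built from a request parameter, a sanitized copy,
# and a role assigned under a tainted condition (an implicit flow only).
PROGRAM = [
    ("source", "user_id"),
    ("assign", "sql", ["prefix", "user_id"]),   # "... WHERE id=" + user_id
    ("sink", "sql", "db.execute"),              # explicit flow: reported
    ("sanitize", "safe_id", "user_id"),
    ("assign", "sql2", ["prefix", "safe_id"]),
    ("sink", "sql2", "db.execute"),             # sanitized: not reported
    ("source", "flag"),
    ("if", "flag", [("assign", "role", ["admin_const"])]),
    ("sink", "role", "set_role"),               # only dependency mode reports
]
```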

Reference:
https://firmianay.gitbooks.io/ctf-all-in-one/content/doc/5.5_taint_analysis.html#%E5%9F%BA%E6%9C%AC%E5%8E%9F%E7%90%86


3. Summary

In this article we described the security quality improvement process of experience assurance, focusing on the black-box and white-box scanning process.

First, the vulnerability work orders were analyzed to determine the sources, types and distribution of vulnerabilities and establish the current situation.

Then, through security pre-scanning, the white-box and black-box problems behind the work orders were identified in advance. Along the way, tools were developed to improve efficiency, and a workable pre-scanning plan was formed.

Note, however, that beyond clearing existing vulnerabilities, new problem types need to be added, the process needs continuous construction, security testing needs to become routine, and more automated tooling should be used to improve efficiency.

Origin blog.csdn.net/jdcdev_/article/details/130077280