【Security Testing】Introduction to Security Testing

1. Definition


Security testing is the process of examining an IT software product throughout its life cycle, and especially in the period between the substantial completion of development and release, to verify that the product meets its defined security requirements and product quality standards.

2. Purpose


Improve the security quality of IT products;
find and fix security problems before release, when they are cheapest to repair;
measure the product's security, so that it can be compared against its requirements;
verify that the protection mechanisms built into the system actually protect it in practical use, so that it cannot be illegally intruded upon or disrupted by other factors.


3. Dilemma


It is difficult to apply general software testing theory to the security field;
the theoretical foundation of security testing is weak, so current testing methods lack both theoretical guidance and mature tool support.


4. Differences from other tests

1. Different goals: ordinary testing aims to discover functional defects (bugs); security testing aims to discover potential security risks (vulnerabilities).

2. Different assumptions: ordinary testing assumes that problem-causing data results from user carelessness and generally considers only the user interface. Security testing assumes that problem-causing data is deliberately constructed by an attacker, so every possible attack vector, that is, every interface through which data enters the system, must be considered.

3. Different scope of thinking: ordinary testing takes the functions of the system as its scope. Security testing covers not only system functions but also the system's mechanisms, its external environment, application and data security risks, and its security attributes (for example confidentiality, integrity and availability).

4. Different ways of recognizing a problem: ordinary testing judges a failure as a violation of the functional definition. Security testing judges a failure as a violation of authority and capability constraints: a caller obtained access or an effect that it should not have been able to obtain.
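The contrast in points 2 and 4 above (attacker-constructed input, and failure defined as a violation of an authority constraint rather than of a functional definition) is easiest to see when both kinds of test are written against the same code. The following is an added example and not code from the original article: the document store, the users alice, bob and mallory, and the DocumentService classes are constructed for illustration. The functional test asks whether the owner gets their document back; the security test asks whether anyone who is not the owner is refused, using identifiers the attacker chooses rather than ones the user interface would normally send.

```python
"""Functional test versus security test on the same lookup function.

Added example, not part of the original article. The service, its
documents and its users are constructed for illustration only.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller tries to read a document it does not own."""


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


@dataclass
class DocumentService:
    """Toy service with a deliberately missing ownership check (vulnerable)."""
    docs: dict = field(default_factory=dict)

    def get_document(self, caller: str, doc_id: int) -> str:
        # Functional behaviour: look the document up and return it.
        # Security defect: the caller's identity is never compared with the
        # owner, so any caller who guesses a doc_id can read it.
        return self.docs[doc_id].body


class HardenedDocumentService(DocumentService):
    """Same lookup with the authority constraint enforced."""

    def get_document(self, caller: str, doc_id: int) -> str:
        doc = self.docs[doc_id]
        if doc.owner != caller:
            raise Forbidden(f"{caller} may not read document {doc_id}")
        return doc.body


def make_service(cls):
    """Populate a service with two constructed documents owned by two users."""
    svc = cls()
    svc.docs[1] = Document(1, "alice", "alice's notes")
    svc.docs[2] = Document(2, "bob", "bob's notes")
    return svc


def functional_test(svc) -> bool:
    """Functional view: does the owner get the document they asked for?"""
    return svc.get_document("alice", 1) == "alice's notes"


def security_test(svc) -> bool:
    """Security view: for every document, try every caller who is NOT the
    owner (including mallory, who owns nothing) with an attacker-chosen
    doc_id.  Passes only if every such read is refused; a single successful
    non-owner read is a violation of the authority constraint."""
    for doc_id, doc in svc.docs.items():
        for caller in {"alice", "bob", "mallory"} - {doc.owner}:
            try:
                svc.get_document(caller, doc_id)
            except Forbidden:
                continue
            return False  # non-owner read succeeded: security failure
    return True


if __name__ == "__main__":
    for cls in (DocumentService, HardenedDocumentService):
        svc = make_service(cls)
        print(f"{cls.__name__}: functional={functional_test(svc)} "
              f"security={security_test(svc)}")
```

Run as a script, the vulnerable service passes the functional test and fails the security test, while the hardened service passes both: the functional definition ("the owner can read their document") was never violated by the original code, which is exactly why ordinary testing does not find this class of bug.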

Difference from Penetration Testing


1. Different starting points: penetration testing sets out to break into the system and thereby prove that a security problem exists; security testing sets out to discover all of the system's possible security risks.

2. Different perspectives: penetration testing looks at the system from the attacker's perspective, while security testing thinks from the defender's perspective, trying to find every security risk an attacker could exploit and guiding its remediation.

3. Different coverage: penetration testing selects only a few points as targets, while security testing is a complete test carried out after analysing the system architecture and enumerating all of the system's possible attack interfaces.

4. Different cost: security testing requires analysing the system's functions, the technologies it uses and its structure, so it needs more time and manpower than penetration testing.

5. Different solutions: penetration testing typically reports how the system was broken into but does not provide a targeted fix; security testing analyses the cause of each problem from the developer's perspective and provides more effective solutions.

5. Security testing tools


Nmap (port scanning and service discovery)
Nessus (vulnerability scanning)
seninfo
fuzz testing (fuzzing): feeding the target large volumes of malformed or randomly mutated input to find crashes and unchecked assumptions
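Of the tools listed, fuzz testing is a technique rather than a product, and it is the most direct expression of the "attacker-constructed data" assumption above. The following is an added example, not code from the original article or from any of the tools named: a toy record parser with a deliberately unchecked length field, a hardened version of the same parser, and a minimal mutation-based fuzzer that starts from one valid record and reports inputs on which the parser crashes rather than cleanly rejecting them. The record format, the seed input and the mutation strategy are all constructed for illustration; the random seed is fixed so that the run is reproducible.

```python
"""Minimal mutation-based fuzzer against a toy length-prefixed parser.

Added example, not part of the original article. Format, seed record and
mutation operators are constructed for illustration only.
"""
import random

# Constructed record format: [len][payload bytes...][checksum], where
# checksum is the low byte of the sum of the payload bytes.
# A valid seed: payload "abc" -> (97 + 98 + 99) & 0xFF == 38 == 0x26.
SEED = b"\x03abc\x26"


def parse_record(data: bytes) -> bytes:
    """Deliberately unchecked parser: trusts the length byte completely."""
    n = data[0]                     # IndexError on empty input
    payload = data[1:1 + n]
    checksum = data[1 + n]          # IndexError when input is shorter than declared
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")   # a clean rejection, not a crash
    return payload


def parse_record_safe(data: bytes) -> bytes:
    """Hardened parser: validates every assumption before indexing."""
    if len(data) < 2:
        raise ValueError("truncated header")
    n = data[0]
    if len(data) != n + 2:
        raise ValueError("length field does not match input size")
    payload = data[1:1 + n]
    if sum(payload) & 0xFF != data[1 + n]:
        raise ValueError("bad checksum")
    return payload


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, truncate, or append."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and len(data) > 1:
        del data[rng.randrange(len(data)):]
    else:
        data.extend(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Run the parser on mutated inputs and collect those that crash.

    ValueError is the parser's documented rejection and is not a finding;
    any other exception means an input reached code that assumed too much.
    Returns a list of (input, exception_name) pairs, one per crash.
    """
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:   # noqa: BLE001 - a fuzzer wants everything
            crashes.append((case, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for p in (parse_record, parse_record_safe):
        found = fuzz(p, SEED)
        print(f"{p.__name__}: {len(found)} crashing inputs")
        for case, name in found[:3]:
            print(f"  {name} on {case!r}")
```

The vulnerable parser is crashed by many mutated records (every truncation and every length byte larger than the real payload produces an IndexError), while the hardened parser rejects the same inputs with ValueError and produces no findings. The distinction the fuzzer draws, "expected rejection" versus "anything else", is the authority-and-capability criterion from the previous section applied to a parser: the code is allowed to say no, it is not allowed to reach state its author never considered.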


6. Better websites and blogs about security found on Zhihu


NSFOCUS Technology Blog: http://blog.nsfocus.net/

360 blog http://blogs.360.cn/

vxjump http://www.vxjump.net

Blog of a foreign security team that writes about APTs (Tarlogic): https://www.tarlogic.com/en/cybersecurity-blog/

Of course, the Xianzhi (先知) community is indispensable: https://xz.aliyun.com/

Network security learning resource sharing:

Getting started from zero

For students who have never been exposed to network security, we have prepared a detailed learning and growth roadmap. It can be said to be the most scientific and systematic learning route, and there is no problem with anyone following this general direction.


CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing (qq.com)

At the same time, there are supporting videos for each section corresponding to the growth route:


Origin blog.csdn.net/2301_76161259/article/details/130238843