The process of information security testing

Security testing

1. Definition of information security testing

Software security is a broad and complex topic: any new piece of software may contain security flaws, including flaws of a kind never seen before. The purpose of information security testing is to produce, through systematic testing, concrete security improvement recommendations for the software under test, and to help users control, transfer or reduce risk to a level within national security standards or public acceptance.

2. The role of information security testing

(1) Issuing a report for the security acceptance of an information system: when a project or research subject supported by government funds is accepted, a security acceptance assessment is required; a security acceptance assessment is also required when the system is upgraded or changed.

(2) Helping to promote the information system: after an information system is completed, a third-party evaluation agency is required to issue a security acceptance evaluation report demonstrating its security, which makes the system easier to promote.

(3) Providing technical support to the system's manager and builder: checking security on behalf of Party A (the client); assisting Party B (the builder) in meeting Party A's requirements.

(4) Providing information system security consultation and planning suggestions: conducting security status checks on existing information systems and providing rectification suggestions; providing information security consultation for systems yet to be built; and providing an information security construction plan, so that information security construction can be improved step by step and a budget can be requested for it.

(5) Supporting units that need to build an information security management system: improving the information security management system so as to respond to inspections by regulatory agencies and to strengthen internal information security management.

3. Test content

In accordance with national standards, industry standards, local standards or other relevant technical specifications, and strictly following the defined procedures, a scientific and impartial comprehensive test and evaluation of the information system's security capabilities is carried out. This helps the system's operating unit analyse the current security status of the system, identify existing security problems, and obtain security improvement suggestions that minimise the system's security risk.

4. Test process

(1) Pre-sales communication with the entrusting unit about the evaluation project, signing of the "Confidentiality Agreement", receipt of the materials submitted by the customer, and signing of the "Software Technology Testing Service Contract" by both parties. The customer submits the following materials:

① Software testing entrustment form and list of the software product's functions to be tested;

② User manual, operation, installation, instruction and maintenance manuals, etc.;

③ Sample installation CD;

④ Design documents, database documents, and the relevant test requirements or industry standards.

(2) The testing team confirms the materials and acceptance status of the software system provided by the entrusting party for information security testing, and records them in the test flow table;

(3) After the testing team has checked the status of the items under test, any problems found are returned to the entrusting party on the tested software system's acceptance status confirmation form;

(4) The entrusting party builds the test environment in accordance with the requirements of the "User Requirements Manual";

(5) The testing team confirms the test environment, checks the computer systems for viruses, and records these checks in the test flow table;

(6) The testing team writes the test plan according to the "User Product Manual";

(7) The testing team writes test cases according to the test basis and carries out the software testing; after execution, the tester enters the result of each test case in the test record;

(8) The testing team issues a test problem report based on the tester's test record;

(9) The test project supervisor reviews the problem report; if errors are found, the test engineer is required to re-test or carry out supplementary tests;

(10) The testing team analyses the problems found during testing and confirms them further;

(11) The testing team discusses the problem report face to face with the entrusting party's technical staff;

(12) The entrusting party repairs the problems listed in the problem report one by one;

(13) The testing team performs regression testing on the system under test;

(14) The testing team issues a test report based on the test results, which is approved by the authorized signatory of the testing agency;

(15) The testing agency delivers the information security testing report to the entrusting party.

Tags: security testing, acceptance test report

Article Source: Information Security Testing Process - Chengdu Kexin Youchuang Information Technology Service Co., Ltd.

Origin blog.csdn.net/m0_64305922/article/details/132661650