CN114676066A - Security testing method and device for target application, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114676066A
Application number: CN202210441664.6A
Authority: CN (China)
Prior art keywords: tool, test, application, security, detection
Prior art date:
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 黄英华, 邹晓鸥, 曾凯, 徐翥
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:
Application filed by Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3644 Software debugging by instrumenting at runtime
    • G06F11/366 Software debugging using diagnostics

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a security testing method and device for a target application, an electronic device and a storage medium, relating to the field of financial technology. The testing method comprises the following steps: receiving a test task for performing a security test on a target application, wherein the test task includes pre-configured tool information and test basic information, and the test basic information at least includes a test time point and an application identifier of the target application; in response to the test task, accessing a plurality of security detection tools corresponding to the tool information; when the test time point is reached, scheduling the security detection tools to scan the target application respectively to obtain a plurality of detection reports; and analyzing the presentation element information in the plurality of detection reports to obtain an application test result. The invention solves the technical problem in the related art of low working efficiency caused by manually dispatching a plurality of security detection tools one by one.

Description

Security testing method and device for target application, electronic equipment and storage medium
Technical Field
The invention relates to the field of financial technology, in particular to a security testing method and device for a target application, an electronic device and a storage medium.
Background
In security testing there are multiple security detection tools, each of which is used relatively independently. Security testers have to trigger each tool's scan manually, one by one, and must learn the usage instructions of every security detection tool; the operation is comparatively complex and the entry threshold for security testing is high. At the same time, each security detection tool produces a separate security detection report once its scan completes.
In the related art, because each security detection tool is used relatively independently, there is no orchestration or scheduling of the various testing tools and the work relies mainly on manual testing. Security testers need to learn to use each tool, learn to design security test scenarios, and understand the scanning principle and the appropriate scanning moment of each security detection tool; a tester's oversight may delay the moment at which a test is run, and manual operation is complex and does not allow rapid iterative scanning. Moreover, the security detection tools overlap in the items they test, their detection results cannot be shared, no comprehensive detection report can be provided for an application, and developers must analyze the detection report generated by each security detection tool one by one, so working efficiency is low.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiments of the invention provide a security testing method and device for a target application, an electronic device and a storage medium, so as to at least solve the technical problem in the related art that a plurality of security detection tools are scheduled manually one by one and working efficiency is low.
According to one aspect of an embodiment of the present invention, a security testing method for a target application is provided, including: receiving a test task for performing a security test on a target application, wherein the test task includes pre-configured tool information and test basic information, and the test basic information at least includes a test time point and an application identifier of the target application; in response to the test task, accessing a plurality of security detection tools corresponding to the tool information; when the test time point is reached, scheduling the security detection tools to scan the target application respectively to obtain a plurality of detection reports; and analyzing the presentation element information in the plurality of detection reports to obtain an application test result.
Optionally, before receiving the test task for performing a security test on the target application, the method further includes: receiving a task creation instruction and creating an initial test task in response to it; and receiving the application identifier, the test time point and a tool selection instruction, and generating the test task, wherein the tool selection instruction is a tool instruction selected through an external input device after the tool profiles of all security detection tools have been displayed on a client interface.
Optionally, accessing a plurality of security detection tools corresponding to the tool information in response to the test task includes: determining, based on the tool information, the tool environment configuration and the service parameter configuration of each security detection tool to be accessed; and accessing the plurality of security detection tools respectively through a pre-configured security tool start interface, based on the tool environment configuration and the service parameter configuration of each security detection tool to be accessed.
Optionally, the plurality of security detection tools includes: a static application security testing (SAST) service tool, which obtains code semantic information and dependency relationships by scanning the source code of the target application; a dynamic application security testing (DAST) service tool, which injects a preset fault into the target application and scans the running process of the target application after the fault is injected to obtain application fault test information; an interactive application security testing (IAST) service tool, which detects the running state of the target application by installing an instrumentation component on the test server, obtains application service requests, the code data flow and the code control flow through the instrumentation component, and performs test flow reconstruction to obtain risk point information; and a user-customized security detection service tool, which provides a scheduling scenario customization service and a tool start parameter configuration service for a pre-specified security tool.
Optionally, the static application security testing service tool is connected to a source code management system and its calling scenario is the code submission and storage stage; the dynamic application security testing service tool interfaces with a continuous build tool and its calling scenario is the test stage after code delivery; and the calling scenario of the interactive application security testing service tool is the test stage after code delivery.
Optionally, before analyzing the presentation element information in the plurality of detection reports to obtain the application test result, the method further includes: merging and deduplicating the plurality of detection reports, and determining the defect types and application problems corresponding to the target application; weighting the different defect types and application problems based on the occurrence frequency of each defect type and each application problem, and ranking the weighted defect types and application problems to obtain a ranking result; and displaying the ranking result.
Optionally, the presentation element information includes at least one of: application identifier, vulnerability defect classification, vulnerability grade, risk description, repair suggestion, problem location and problem source.
According to another aspect of the embodiments of the present invention, a security testing apparatus for a target application is also provided, including: a receiving unit, configured to receive a test task for performing a security test on a target application, wherein the test task includes pre-configured tool information and test basic information, and the test basic information at least includes a test time point and an application identifier of the target application; an access unit, configured to access, in response to the test task, a plurality of security detection tools corresponding to the tool information; a scheduling unit, configured to schedule the security detection tools to scan the target application respectively when the test time point is reached, so as to obtain a plurality of detection reports; and an analysis unit, configured to analyze the presentation element information in the plurality of detection reports to obtain an application test result.
Optionally, the testing apparatus further includes a first creation module, a second creation module and a third creation module, wherein the first creation module is configured to receive a task creation instruction before the test task for performing a security test on the target application is received, and to create an initial test task in response to the task creation instruction; and a first generation module, configured to receive the application identifier, the test time point and a tool selection instruction and to generate the test task, wherein the tool selection instruction is a tool instruction selected through an external input device after the tool profiles of all security detection tools have been displayed on a client interface.
Optionally, the access unit includes: a first determination module, configured to determine, based on the tool information, the tool environment configuration and the service parameter configuration of each security detection tool to be accessed; and a first access module, configured to access the plurality of security detection tools respectively through a pre-configured security tool start interface, based on the tool environment configuration and the service parameter configuration of each security detection tool to be accessed.
Optionally, the plurality of security detection tools includes: a static application security testing service tool, which obtains code semantic information and dependency relationships by scanning the source code of the target application; a dynamic application security testing service tool, which obtains application fault test information by injecting a preset fault into the target application and scanning the running process of the target application after the fault is injected; an interactive application security testing service tool, which detects the running state of the target application by installing an instrumentation component on the test server, obtains application service requests, the code data flow and the code control flow through the instrumentation component, and performs test flow reconstruction to obtain risk point information; and a user-customized security detection service tool, which provides a scheduling scenario customization service and a tool start parameter configuration service for a pre-specified security tool.
Optionally, the static application security testing service tool is connected to a source code management system and its calling scenario is the code submission and storage stage; the dynamic application security testing service tool interfaces with a continuous build tool and its calling scenario is the test stage after code delivery; and the calling scenario of the interactive application security testing service tool is the test stage after code delivery.
Optionally, the testing apparatus further includes: a second determination module, configured to merge and deduplicate the plurality of detection reports before the presentation element information in them is analyzed to obtain the application test result, and to determine the defect types and application problems corresponding to the target application; a first ranking module, configured to weight the different defect types and application problems based on the occurrence frequency of each defect type and each application problem, and to rank the weighted defect types and application problems to obtain a ranking result; and a first display module, configured to display the ranking result.
Optionally, the presentation element information includes at least one of: application identifier, vulnerability defect classification, vulnerability grade, risk description, repair suggestion, problem location and problem source.
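The merging, deduplication, weighting and ranking described in the optional claims above, worked through as an added Python example that is not the patent's own code. The per-tool reports, their field names (chosen to follow the presentation elements listed above: application identifier, defect classification, grade, risk description, repair suggestion, problem location, problem source) and the ranking rule are assumptions constructed for this example; the rule used here treats a finding reported by several tools as cross-validated and ranks it first.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample reports from three detection tools (not data from the patent).
# Each record carries the presentation elements named in the text.
SAMPLE_REPORTS = {
    "sast-tool": [
        {"app_id": "app-001", "defect_type": "SQL Injection", "grade": "high",
         "risk": "untrusted input reaches a SQL query", "fix": "use parameterised queries",
         "location": "src/user/Dao.java:42"},
        {"app_id": "app-001", "defect_type": "Hardcoded Credential", "grade": "medium",
         "risk": "password literal in source", "fix": "move the secret to a vault",
         "location": "src/config/Db.java:10"},
        {"app_id": "app-001", "defect_type": "SQL Injection", "grade": "medium",
         "risk": "string-built query in order lookup", "fix": "use parameterised queries",
         "location": "src/order/Dao.java:77"},
    ],
    "dast-tool": [
        {"app_id": "app-001", "defect_type": "SQL Injection", "grade": "high",
         "risk": "error-based injection on /users", "fix": "use parameterised queries",
         "location": "src/user/Dao.java:42"},
        {"app_id": "app-001", "defect_type": "Missing Security Header", "grade": "low",
         "risk": "no X-Content-Type-Options header", "fix": "set the header at the gateway",
         "location": "GET /"},
    ],
    "iast-tool": [
        {"app_id": "app-001", "defect_type": "SQL Injection", "grade": "high",
         "risk": "tainted request parameter reaches executeQuery", "fix": "use parameterised queries",
         "location": "src/user/Dao.java:42"},
    ],
}


@dataclass
class MergedFinding:
    """One application problem after merging; `sources` is the problem source
    (which tools reported it) and `weight` counts those tools."""
    app_id: str
    defect_type: str
    location: str
    grade: str
    risk: str
    fix: str
    sources: list = field(default_factory=list)
    weight: int = 0


def merge_and_deduplicate(reports):
    """Merge per-tool reports: findings with the same application, defect type and
    location are one application problem. Each additional tool that reports the
    same problem raises its weight (cross-validation between tools)."""
    merged = {}
    for tool, findings in reports.items():
        for f in findings:
            key = (f["app_id"], f["defect_type"], f["location"])
            if key not in merged:
                merged[key] = MergedFinding(f["app_id"], f["defect_type"], f["location"],
                                            f["grade"], f["risk"], f["fix"])
            m = merged[key]
            if tool not in m.sources:
                m.sources.append(tool)
                m.weight += 1
    return list(merged.values())


GRADE_ORDER = {"high": 3, "medium": 2, "low": 1}


def defect_type_frequency(findings):
    """Occurrence frequency of each defect type across the merged findings."""
    return Counter(m.defect_type for m in findings)


def rank_findings(findings):
    """Rank by problem weight (tool agreement), then by how often the defect type
    occurs in the application, then by grade; defect type name breaks ties."""
    type_freq = defect_type_frequency(findings)
    return sorted(findings, key=lambda m: (-m.weight, -type_freq[m.defect_type],
                                           -GRADE_ORDER.get(m.grade, 0), m.defect_type))


def to_presentation_row(m):
    """Flatten a merged finding into the presentation elements the report displays."""
    return {"application": m.app_id, "classification": m.defect_type, "grade": m.grade,
            "risk": m.risk, "repair": m.fix, "location": m.location,
            "source": ", ".join(m.sources), "weight": m.weight}


if __name__ == "__main__":
    for row in map(to_presentation_row, rank_findings(merge_and_deduplicate(SAMPLE_REPORTS))):
        print(row)
```

The deduplication key deliberately includes the location: the same defect type at two different code positions is two application problems, which is what a developer needs for repair, while the same position reported by three tools collapses to one row whose weight records the agreement.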
According to another aspect of the embodiments of the present invention, a computer-readable storage medium is further provided, where the computer-readable storage medium includes a stored computer program, and when the computer program runs, the apparatus where the computer-readable storage medium is located is controlled to execute the above security testing method for a target application.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including one or more processors and a memory, where the memory is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are enabled to implement the security testing method for a target application.
In the present disclosure, a test task for performing a security test on a target application is received, wherein the test task includes pre-configured tool information and test basic information, and the test basic information at least includes a test time point and an application identifier of the target application; in response to the test task, a plurality of security detection tools corresponding to the tool information are accessed; when the test time point is reached, the security detection tools are scheduled to scan the target application respectively to obtain a plurality of detection reports; and the presentation element information in the plurality of detection reports is analyzed to obtain an application test result. In this application, the corresponding security detection tools can be accessed based on the tool information in the test task, scheduled to scan the target application when the test time point is reached, and their detection reports analyzed to obtain the application test result. This makes it possible to orchestrate and schedule otherwise independent security detection tools automatically, lowers the learning cost and entry threshold for security testers, provides rapid automated security scanning, yields a comprehensive application test result and helps improve working efficiency, thereby solving the technical problem in the related art that a plurality of security detection tools are scheduled manually one by one and working efficiency is low.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention and do not constitute a limitation of the invention. In the drawings:
FIG. 1 is a flow diagram of an alternative method for security testing of a target application in accordance with an embodiment of the present invention;
FIG. 2 is a schematic diagram of an alternative defect trend statistic in accordance with an embodiment of the present invention;
FIG. 3 is a schematic diagram of an alternative target application security testing apparatus according to an embodiment of the present invention;
FIG. 4 is a block diagram of the hardware structure of an electronic device (or mobile device) for a security testing method of a target application according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the security testing method and the device for target application in the present disclosure may be used in the field of financial technology for performing security testing on target application, and may also be used in any field other than the field of financial technology for performing security testing on target application.
It should be noted that relevant information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for presentation, analyzed data, etc.) referred to in the present disclosure are information and data that are authorized by the user or sufficiently authorized by various parties. For example, an interface is provided between the system and the relevant user or organization, before obtaining the relevant information, an obtaining request needs to be sent to the user or organization through the interface, and after receiving the consent information fed back by the user or organization, the relevant information is obtained.
The embodiments of the invention described below may be applied to various systems, applications and devices for security testing of target applications. The invention can combine the detection capabilities of various security detection tools, provide orchestration and scheduling of those tools, and merge and deduplicate the data when the same defect in the same application is detected by different tools, thereby providing cross-validation of the security problems found, providing a comprehensive test result for the application and helping to improve working efficiency.
The present invention will be described in detail with reference to examples.
Example one
In accordance with an embodiment of the present invention, there is provided an embodiment of a method for security testing of a target application, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
Fig. 1 is a flowchart of an alternative security testing method for a target application according to an embodiment of the present invention, and as shown in fig. 1, the method includes the following steps:
Step S101, receiving a test task for performing a security test on a target application, wherein the test task includes pre-configured tool information and test basic information, and the test basic information at least includes a test time point and an application identifier of the target application.
Step S102, in response to the test task, accessing a plurality of security detection tools corresponding to the tool information.
Step S103, when the test time point is reached, dispatching the security detection tools to scan the target application respectively to obtain a plurality of detection reports.
Step S104, analyzing the presentation element information in the plurality of detection reports to obtain an application test result.
Through these steps, a test task for performing a security test on the target application is received, wherein the test task includes pre-configured tool information and test basic information, and the test basic information at least includes a test time point and an application identifier of the target application; in response to the test task, a plurality of security detection tools corresponding to the tool information are accessed; when the test time point is reached, the security detection tools are scheduled to scan the target application respectively to obtain a plurality of detection reports; and the presentation element information in the plurality of detection reports is analyzed to obtain an application test result. In the embodiment of the invention, the corresponding security detection tools can be accessed based on the tool information in the test task, scheduled to scan the target application when the test time point is reached, and their detection reports analyzed to obtain the application test result, so that each otherwise independent security detection tool can be orchestrated and scheduled, the learning cost and entry threshold for security testers are lowered, rapid automated security scanning is provided, a comprehensive application test result is obtained and working efficiency is improved, thereby solving the technical problem in the related art that working efficiency is low because a plurality of security detection tools are scheduled manually one by one.
The following will explain the embodiments of the present invention in detail with reference to the above steps.
In an embodiment of the present invention, before receiving the test task for performing a security test on the target application, the method optionally further includes: receiving a task creation instruction and creating an initial test task in response to it; and receiving the application identifier, the test time point and a tool selection instruction, and generating the test task, wherein the tool selection instruction is a tool instruction selected through an external input device after the tool profiles of all security detection tools have been displayed on a client interface.
In the embodiment of the present invention, a task creation instruction may be received first and an initial test task created; then the application identifier of the target application, the test time point at which the target application needs to be tested, and a tool selection instruction may be received, where the tool selection instruction is a tool instruction selected through an external input device (e.g., a keyboard, a mouse or a remote control) after the client has displayed the tool profiles of all security detection tools on the client interface; the test task may then be generated.
Step S101, receiving a test task for performing a security test on a target application, wherein the test task includes pre-configured tool information and test basic information, and the test basic information at least includes a test time point and an application identifier of the target application.
In the embodiment of the present invention, each security detection tool may be registered through a security tool registration service, and the necessary input parameters of each tool, such as its environment configuration and service configuration, are catalogued (that is, the tool information of each security detection tool is configured in advance). The security testing system may provide a uniform interface through which a client configures the security tool scan according to those input parameters, so as to generate the tool information of the current test task; the test basic information of the current test task, which at least includes the test time point and the application identifier of the target application, is then obtained, and the test task for performing a security test on the target application is received so that the security test of the target application can be completed.
Step S102, in response to the test task, accessing a plurality of security detection tools corresponding to the tool information.
Optionally, accessing a plurality of security detection tools corresponding to the tool information in response to the test task includes: determining, based on the tool information, the tool environment configuration and the service parameter configuration of each security detection tool to be accessed; and accessing the plurality of security detection tools respectively through a pre-configured security tool start interface, based on the tool environment configuration and the service parameter configuration of each security detection tool to be accessed.
In the embodiment of the present invention, a plurality of corresponding security detection tools may be connected to the security testing system based on the tool information in the test task. Specifically, the tool environment configuration and the service parameter configuration of each security detection tool to be accessed can be determined from the tool information, and then, based on those configurations, a security tool start interface pre-configured in the security testing system is used to access each of the security detection tools, completing the access of the plurality of tools.
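As an added illustration of steps S101 to S103 (not code from the patent or from the applicant), the following Python sketch models the test task, the pre-configured tool information and a security tool start interface that refuses to access a tool whose service parameter configuration is incomplete, then dispatches the accessed tools only once the test time point has been reached. The tool registry, the stand-in ScanTool class, the parameter names and the findings it returns are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical tool registry: what a security tool registration service would
# know about each tool (the service parameters it requires) plus the findings
# the stand-in tool will report. Constructed for this example, not from the patent.
TOOL_REGISTRY = {
    "sast-tool": {"required_params": ["repo_url", "branch"],
                  "sample_findings": ["SQL Injection", "Hardcoded Credential"]},
    "dast-tool": {"required_params": ["target_url"],
                  "sample_findings": ["Missing Security Header"]},
    "iast-tool": {"required_params": ["agent_host"],
                  "sample_findings": []},
}


@dataclass
class ToolInfo:
    """Pre-configured tool information for one selected tool."""
    name: str
    env_config: dict       # tool environment configuration
    service_params: dict   # service parameter configuration


@dataclass
class TestTask:
    """Test task: test basic information plus the selected tool information."""
    app_id: str            # application identifier of the target application
    test_time: datetime    # test time point
    tools: list            # list of ToolInfo


class ToolAccessError(Exception):
    """Raised by the start interface when a tool cannot be accessed."""


class ScanTool:
    """Stand-in for an accessed security detection tool (hypothetical)."""

    def __init__(self, name, env_config, service_params, sample_findings):
        self.name = name
        self.env_config = env_config
        self.service_params = service_params
        self._sample_findings = sample_findings

    def scan(self, app_id):
        # A real tool would run its scan here; the stand-in returns constructed findings.
        return {"tool": self.name, "app_id": app_id, "findings": list(self._sample_findings)}


def start_tool(info):
    """Pre-configured security tool start interface: only a registered tool whose
    required service parameters are all present is accessed."""
    spec = TOOL_REGISTRY.get(info.name)
    if spec is None:
        raise ToolAccessError(f"tool {info.name!r} is not registered")
    missing = [p for p in spec["required_params"] if p not in info.service_params]
    if missing:
        raise ToolAccessError(f"tool {info.name!r} is missing service parameters: {missing}")
    return ScanTool(info.name, info.env_config, info.service_params, spec["sample_findings"])


def create_test_task(app_id, test_time_iso, selected_tools):
    """Task creation step: build the test task from the client's application
    identifier, test time point and tool selection (name, env config, params)."""
    return TestTask(app_id, datetime.fromisoformat(test_time_iso),
                    [ToolInfo(name, env, params) for name, env, params in selected_tools])


def access_tools(task):
    """S102: access every security detection tool named in the task's tool information."""
    return [start_tool(info) for info in task.tools]


def run_task(task, now_iso):
    """S101-S103: on receiving the task, access its tools immediately (so a bad
    configuration fails early), then dispatch the scans once the test time point
    is reached. Returns None while the time point has not yet been reached."""
    tools = access_tools(task)
    if datetime.fromisoformat(now_iso) < task.test_time:
        return None
    return [tool.scan(task.app_id) for tool in tools]


def build_sample_task():
    """Constructed example task selecting two of the registered tools."""
    return create_test_task("app-001", "2024-01-01T02:00:00", [
        ("sast-tool", {"image": "sast:1.0"}, {"repo_url": "https://scm.example/app.git", "branch": "main"}),
        ("dast-tool", {"image": "dast:1.0"}, {"target_url": "http://test-env.example/app"}),
    ])


if __name__ == "__main__":
    task = build_sample_task()
    print(run_task(task, "2024-01-01T01:00:00"))  # None: test time point not reached
    for report in run_task(task, "2024-01-01T03:00:00"):
        print(report)
```

Accessing the tools at task receipt rather than at the time point is the practical point: a missing service parameter is reported when the task is created, not hours later when the scheduled scan silently fails.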
Optionally, the plurality of security detection tools includes: a static application security testing service tool, which obtains code semantic information and dependency relationships by scanning the source code of the target application; a dynamic application security testing service tool, which injects a preset fault into the target application and scans the running process of the target application after the fault is injected to obtain application fault test information; an interactive application security testing service tool, which detects the running state of the target application by installing an instrumentation component on the test server, obtains application service requests, the code data flow and the code control flow through the instrumentation component, and performs test flow reconstruction to obtain risk point information; and a user-customized security detection service tool, which provides a scheduling scenario customization service and a tool start parameter configuration service for a pre-specified security tool.
In the embodiment of the present invention, since each security detection tool has a different detection principle and a different applicable scheduling scenario, the security testing system may divide the security detection tools into a SAST (Static Application Security Testing) security detection service tool (i.e., the static application security testing service tool), a DAST (Dynamic Application Security Testing) security detection service tool (i.e., the dynamic application security testing service tool), an IAST (Interactive Application Security Testing) security detection service tool (i.e., the interactive application security testing service tool), a custom security detection service tool, and so on. The static application security testing service tool is also referred to as "white box testing"; it mainly finds known defects in code by scanning the source code and semantically understanding the program code and its dependency relationships (i.e., by scanning the source code of the target application it obtains code semantic information and dependency relationships). The dynamic application security testing service tool, also called "black box testing", does not look for defects in the source code as SAST does, but performs security testing by injecting faults while the application is running (i.e., by injecting a preset fault into the target application and scanning the running process of the target application after the fault is injected, application fault test information is obtained). The interactive application security testing service tool, also called "gray box testing", combines the detection techniques of SAST and DAST: it installs an instrumentation agent on the server under test, captures the requests, the code data flow and the code control flow while the application runs, then performs test flow reconstruction and detects the operation and attack conditions, thereby finding risk points (i.e., by installing an instrumentation component on the test server, obtaining application service requests, the code data flow and the code control flow through the instrumentation component, performing test flow reconstruction and detecting the running state of the target application, risk point information is obtained). The user-customized security detection service tool provides a scheduling scenario customization service and a tool start parameter configuration service for a pre-specified security tool.
Optionally, the static application security detection service tool interfaces with a source code management system, and its calling scenario is the code commit and check-in stage; the dynamic application security detection service tool interfaces with a continuous build tool, and its calling scenario is the test stage after code delivery; the calling scenario of the interactive application detection service tool is the test stage after code delivery.
In the embodiment of the invention, the main calling scenario of the static application security detection service tool is the code commit and check-in stage. The tool interfaces with a source code management system (such as Git) and a continuous build tool (such as Jenkins), so that the code package of the version library to be committed can be obtained and provided to the SAST security detection service tool for automatic security scanning of the code.
The main calling scenario of the dynamic application security detection service tool is the test stage after code delivery. The tool interfaces with a continuous build tool (such as Jenkins); the DAST security detection service tool is triggered at the time of version delivery and performs automatic security scanning on the programs running in the test environment.
The main calling scenario of the interactive application detection service tool is the test stage. The tool provides functions such as instrumentation script configuration, so that in-depth business security testing can be performed at the same time as testers carry out application function testing.
Step S103: when the test time point is reached, the security detection tools are scheduled to scan the target application respectively, obtaining a plurality of detection reports.
In the embodiment of the present invention, the detection report analysis module in the security test system may provide a uniform report pushing interface for each security detection tool and uniformly encode the defect types provided by each tool. Each security detection tool connected to the system must push its detection report to the system after its scan completes, or periodically according to an agreed time (that is, when the test time point given in the test task is reached, the security test system schedules the security detection tools to scan the target application respectively and obtains multiple detection reports). The report contains information such as the application name, defect type, risk description and problem location.
Optionally, before analyzing the display element information in the multiple detection reports to obtain the application test result, the method further includes: merging and deduplicating the multiple test reports, and determining the defect types and application problems corresponding to the target application; weighting the different defect types and application problems based on the occurrence frequency of each defect type and each application problem, and ranking the weighted defect types and application problems to obtain a ranking result; and displaying the ranking result.
In the embodiment of the present invention, the security test system may merge and deduplicate the test reports pushed by the security detection tools (that is, merge and deduplicate the multiple test reports to determine the defect types and application problems corresponding to the target application) and apply weighting to the same problem detected by multiple security detection tools: if a vulnerability is found by only one security detection tool, its weight may be set to a preset value (for example, 1); if it is found by two security detection tools, its weight may be set to twice the preset value; and so on (that is, the different defect types and application problems are weighted based on the occurrence frequency of each defect type and each application problem). The security analysis report is then displayed in order of weight and vulnerability level, with vulnerabilities of high weight and high vulnerability level displayed first (that is, the weighted defect types and application problems are ranked to obtain a ranking result, and the ranking result is displayed).
Step S104: the display element information in the multiple detection reports is analyzed to obtain the application test result. Optionally, the display element information includes at least one of: application identifier, vulnerability defect classification, vulnerability level, risk description, repair suggestion, problem location and problem source.
In the embodiment of the present invention, the display elements in the detection report may include: the application name (that is, the application identifier), vulnerability defect classification, vulnerability level, risk description, repair suggestion, problem location, problem source (that is, which security detection tool found the problem), weight, and other specific information from the original report provided by the security detection tool that found the problem. The security test system also provides a report export function. The application test result is obtained by analyzing the display element information in the multiple detection reports.
Optionally, the security test system may further provide a statistical analysis module that offers statistical analysis functions to the user: the system can provide defect trend statistics and defect classification TopN for a certain application or for all applications within a certain scanning period, and can also rank applications by defect count and defect density.
FIG. 2 is a schematic diagram of an optional defect trend statistic according to an embodiment of the present invention. As shown in FIG. 2, it contains two curves, defect count and defect density. The defect count curve uses time as the abscissa (from 3.16 to 3.22, one point per day) and the number of defects as the ordinate (from 0 to 500000, in steps of 100000); the defect density curve uses time as the abscissa (from 3.16 to 3.22, one point per day) and defect density (%) as the ordinate (from 0 to 15, in steps of 3).
In the embodiment of the invention, a client can click a security task in the security test system to configure the tool detection template: the security detection tool components to be used are placed into the execution flow of the security detection task in a push-and-pull manner, the necessary input information of each security detection tool component is configured in the system, and the system periodically triggers the corresponding security tools to scan according to the user's configuration. In this way each security tool is effectively orchestrated and scheduled, and the automatic scanning work of the tools is completed.
The invention is described in further detail below with reference to optional embodiments.
The embodiment of the invention provides a security test system that can orchestrate and schedule various security detection tools and converge their results. The security test system can combine the detection capabilities of the various security tools, provide orchestration and scheduling of them, and process the same defect problems detected by different detection tools for the same application by merging, deduplication and other means, thereby providing cross-validation for the security problems found and a comprehensive security detection analysis report for the application. The specific steps are as follows:
The security test system mainly comprises a security task management module, a security tool access and scheduling module, a detection report analysis module and a statistical analysis module.
The security task management module is mainly used to create a security task, execute the security task and close the security task.
The security tool access and scheduling module is an important module of the system: it provides a uniform tool component access service and a scan scheduling configuration function for each tool component. The security tool access and scheduling module may provide a security tool registration service.
The security tool registration service works as follows: each security detection tool that is to be connected to the system must undergo secondary development according to a unified access flow, the necessary input parameters of each security tool (such as environment configuration and service configuration) are sorted out, and a security tool start interface is provided; the system can then offer a unified interface through which the client configures security tool scans according to the provided input parameters.
Since the detection principles of the various security tools differ and their applicable scheduling scenarios differ too, the system divides the security tools into four modules, namely an SAST security detection service module, a DAST security detection service module, an IAST security detection service module and a custom security detection service module:
(1) The SAST (Static Application Security Testing) static application security detection service module, also called the "white-box test" module, is a module whose registered security tools discover known vulnerabilities in code mainly by scanning the source code and semantically understanding the program code and its dependencies. The main calling scenario of such security tools is the code commit and check-in stage. The module interfaces with a source code management system (such as Git) and a continuous build tool (such as Jenkins), can obtain the code package of the version library to be committed, and provides it to the SAST security detection service module for automatic security scanning of the code.
(2) The DAST (Dynamic Application Security Testing) dynamic application security detection service module, also called the "black-box test" module, does not find vulnerabilities from source code as SAST does, but performs security testing by injecting faults while the application is running. The main calling scenario of such tools is the test stage after code delivery. The module interfaces with a continuous build tool (such as Jenkins); the DAST security detection service module is triggered at the time of version delivery and performs automatic security scanning on the programs running in the test environment.
(3) The IAST (Interactive Application Security Testing) interactive application detection service module, also called the "gray-box test" module: the security tools registered in this module combine the detection techniques of SAST and DAST, install an instrumentation agent on the server under test, capture requests together with the code data flow and code control flow while the application runs, then reconstruct the test flow and detect the operation and attack conditions, thereby finding risk points. The main calling scenario of such tools is the test stage; the module provides functions such as instrumentation script configuration, so that in-depth business security testing can be performed at the same time as testers carry out application function testing.
(4) The custom security detection service module gives some security tools the ability to customize their scheduling scenario and configure special start parameters according to the tool's characteristics.
In this embodiment, a client may click a security task in the system, configure a tool detection template, place the security detection tool components to be used into the execution flow of the security detection task in a push-and-pull manner, and configure the necessary input information of each security detection tool component in the system; the system then periodically triggers the corresponding security tools to scan according to the user's configuration, thereby effectively scheduling each security tool and completing automatic scanning.
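The registration service and scenario-based scheduling described in the passages above (the tool classification with its calling scenarios, and the registration service with its unified start interface) can be sketched as follows. This is an added illustration, not the applicant's code; the tool names (`sast-a`, `dast-b`, `iast-c`), parameter names, stage values and the stub scanners are all constructed for the example.

```python
"""Security tool registration and scenario-based scheduling.

Added example illustrating the registration service and scheduling module
described above; it is not the applicant's code. Tool names, parameter
names, stage values and the stub scanners are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Callable, Dict, List


class Scenario(Enum):
    """Calling scenario in which a registered tool is triggered."""
    CODE_COMMIT = "code_commit"            # SAST: commit / check-in stage
    POST_DELIVERY_TEST = "post_delivery"   # DAST and IAST: test stage after delivery


@dataclass(frozen=True)
class ToolRegistration:
    name: str
    category: str                           # "SAST", "DAST", "IAST" or "custom"
    scenario: Scenario
    required_params: List[str]              # environment + service parameters
    start: Callable[[Dict[str, str]], List[dict]]   # unified start interface


class ToolRegistry:
    """Unified access point: every tool is registered once with its start interface."""

    def __init__(self) -> None:
        self._tools: Dict[str, ToolRegistration] = {}

    def register(self, reg: ToolRegistration) -> None:
        if reg.name in self._tools:
            raise ValueError(f"tool already registered: {reg.name}")
        self._tools[reg.name] = reg

    def get(self, name: str) -> ToolRegistration:
        if name not in self._tools:
            raise KeyError(f"tool not registered: {name}")
        return self._tools[name]


@dataclass
class TestTask:
    app_id: str
    test_time: datetime
    tool_config: Dict[str, Dict[str, str]]  # tool name -> configured input parameters


def missing_params(reg: ToolRegistration, params: Dict[str, str]) -> List[str]:
    """Return the required parameters the task did not configure for this tool."""
    return [p for p in reg.required_params if p not in params]


def run_task(registry: ToolRegistry, task: TestTask, stage: Scenario,
             now: datetime) -> Dict[str, List[dict]]:
    """Trigger the task's tools whose scenario matches `stage`, once the test
    time point has been reached. Returns tool name -> raw report."""
    if now < task.test_time:
        return {}                           # not due yet
    reports: Dict[str, List[dict]] = {}
    for name, params in task.tool_config.items():
        reg = registry.get(name)
        if reg.scenario is not stage:
            continue                        # this tool belongs to another stage
        missing = missing_params(reg, params)
        if missing:                         # refuse to start a half-configured tool
            raise ValueError(f"{name}: missing parameters {missing}")
        reports[name] = reg.start({**params, "app_id": task.app_id})
    return reports


# Constructed stub scanners standing in for real SAST / DAST / IAST tools.
def stub_sast(params):
    return [{"type": "SQLi", "location": "login.py:42", "level": "high"}]

def stub_dast(params):
    return [{"type": "sql_injection", "location": f"{params['base_url']}/login",
             "level": "high"}]

def stub_iast(params):
    return [{"type": "Hardcoded credential", "location": "config.py:3", "level": "high"}]


def build_registry() -> ToolRegistry:
    r = ToolRegistry()
    r.register(ToolRegistration("sast-a", "SAST", Scenario.CODE_COMMIT,
                                ["repo_url", "branch"], stub_sast))
    r.register(ToolRegistration("dast-b", "DAST", Scenario.POST_DELIVERY_TEST,
                                ["base_url"], stub_dast))
    r.register(ToolRegistration("iast-c", "IAST", Scenario.POST_DELIVERY_TEST,
                                ["agent_host", "instrument_script"], stub_iast))
    return r


def example_task() -> TestTask:
    """A constructed test task: one application, three configured tools, one test time point."""
    return TestTask("app-001", datetime(2022, 3, 16, 9, 0), {
        "sast-a": {"repo_url": "git@example/app.git", "branch": "main"},
        "dast-b": {"base_url": "http://test.example"},
        "iast-c": {"agent_host": "test-srv-1", "instrument_script": "agent.yml"},
    })
```

The scheduler is driven by two inputs: the test time point from the task and the pipeline stage that is currently firing (commit versus post-delivery test). A tool only starts when both match, and a tool whose required environment or service parameters were never configured fails at scheduling time rather than producing an empty or misleading report.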
The detection report analysis module provides a uniform report pushing interface for each security tool and uniformly encodes the defect types provided by each tool. Each security detection tool connected to the system pushes its detection report to the system after its scan completes, or periodically according to an agreed time; the report includes the application name, defect type, risk description, problem location and the like. The system merges and deduplicates the reports pushed by the detection tools and applies weighting to the same problem detected by multiple detection tools: if a vulnerability is found by only one security detection tool, its weight may be set to 1 (adjustable according to the specific situation); if it is found by two security detection tools, its weight may be set to 2; and so on. The security analysis report is sorted and displayed by weight and vulnerability level, with vulnerabilities of high weight and high vulnerability level displayed first. The elements displayed in the security detection analysis report include: application name, vulnerability defect classification, vulnerability level, risk description, repair suggestion, problem location, problem source (which security tool found the problem), weight, and other specific information from the original report provided by the security tool that found the problem. The system also provides a report export function.
The statistical analysis module provides statistical analysis functions for the user: the system can provide defect trend statistics and defect classification TopN for a certain application or for all applications within a certain scanning period, and can also rank applications by defect count and defect density.
In the embodiment of the invention, each relatively independent security detection tool can be effectively orchestrated and scheduled, which greatly reduces the learning cost and the usage threshold for security testers and enables rapid automatic security scanning. At the same time, a comprehensive application security detection analysis report can be provided to the client, avoiding repeated problem confirmation work.
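The merge, deduplicate, weight and rank processing described here and in steps S103/S104 above can be written out as follows. This is an added example, not the applicant's code: the tool names, the raw findings, the repair hints and the choice of CWE identifiers as the system-wide defect coding are constructed for the illustration. The deduplication key assumes each tool reports the problem location in one common form; in practice a DAST tool reports URLs while SAST and IAST report source positions, so location normalization has to happen before this step or the same problem will not collapse into one entry.

```python
"""Merging, deduplicating, weighting and ranking detection reports.

Added example of the detection report analysis step (steps S103/S104 and the
detection report analysis module); not the applicant's code. Tool names,
raw findings and the unified defect coding (CWE ids) are constructed here.
"""
from typing import Dict, List

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Unified defect coding: each tool's own label -> one system-wide code.
DEFECT_CODE_MAP = {
    "sast-a": {"SQLi": "CWE-89", "XSS": "CWE-79"},
    "dast-b": {"sql_injection": "CWE-89", "reflected_xss": "CWE-79"},
    "iast-c": {"SQL Injection": "CWE-89", "Hardcoded credential": "CWE-798"},
}

# Repair suggestion attached to each unified code (constructed text).
REPAIR_HINT = {
    "CWE-89": "use parameterised queries",
    "CWE-79": "encode output for the HTML context",
    "CWE-798": "move the secret to a vault and rotate it",
}


def unify(tool: str, finding: dict) -> dict:
    """Map one raw finding from `tool` onto the unified report schema."""
    code = DEFECT_CODE_MAP[tool].get(finding["type"])
    if code is None:
        raise ValueError(f"{tool}: no unified code for type {finding['type']!r}")
    return {
        "app": finding["app"],
        "code": code,
        "level": finding["level"],
        "location": finding["location"],   # assumed already normalised to one form
        "description": finding.get("description", ""),
        "source": tool,
    }


def merge_reports(raw_reports: Dict[str, List[dict]], base_weight: int = 1) -> List[dict]:
    """Merge per-tool reports, deduplicate on (app, code, location), weight each
    problem by the number of tools that found it, rank by weight then level."""
    merged: Dict[tuple, dict] = {}
    for tool, findings in raw_reports.items():
        for raw in findings:
            f = unify(tool, raw)
            key = (f["app"], f["code"], f["location"])
            entry = merged.get(key)
            if entry is None:
                entry = merged[key] = {
                    "app": f["app"], "code": f["code"], "location": f["location"],
                    "level": f["level"], "descriptions": [], "sources": set(),
                    "repair": REPAIR_HINT.get(f["code"], ""),
                }
            # keep the most severe level any tool assigned to this problem
            if SEVERITY_RANK[f["level"]] > SEVERITY_RANK[entry["level"]]:
                entry["level"] = f["level"]
            if f["description"]:
                entry["descriptions"].append(f"{tool}: {f['description']}")
            entry["sources"].add(tool)          # problem source(s)
    for entry in merged.values():
        # weight = preset value times the number of tools that found it
        entry["weight"] = base_weight * len(entry["sources"])
    return sorted(merged.values(),
                  key=lambda e: (-e["weight"], -SEVERITY_RANK[e["level"]], e["location"]))


# Constructed sample reports pushed by three tools for one application.
SAMPLE_REPORTS = {
    "sast-a": [
        {"app": "app-001", "type": "SQLi", "level": "high", "location": "login.py:42",
         "description": "string-built SQL"},
        {"app": "app-001", "type": "XSS", "level": "medium", "location": "search.py:10"},
    ],
    "dast-b": [
        {"app": "app-001", "type": "sql_injection", "level": "high", "location": "login.py:42"},
        {"app": "app-001", "type": "reflected_xss", "level": "low", "location": "search.py:10"},
    ],
    "iast-c": [
        {"app": "app-001", "type": "SQL Injection", "level": "high", "location": "login.py:42",
         "description": "tainted input reached query"},
        {"app": "app-001", "type": "Hardcoded credential", "level": "high", "location": "config.py:3"},
    ],
}

if __name__ == "__main__":
    for row in merge_reports(SAMPLE_REPORTS):
        print(row["weight"], row["level"], row["code"], row["location"], sorted(row["sources"]))
```

With the sample input the SQL injection at `login.py:42` is reported by all three tools and rises to the top with weight 3, the XSS seen by two tools follows with weight 2 (its level is the highest any tool assigned, here "medium"), and the single-tool credential finding comes last despite its "high" level. The unified coding step is what makes the cross-validation possible: without it, "SQLi", "sql_injection" and "SQL Injection" would stay three separate entries.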
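The statistical functions named here and in the FIG. 2 description above (defect trend over a scanning period, defect classification TopN, and ranking applications by defect count and density) can be computed from the merged findings like this. This is an added example, not the applicant's code. The findings, dates and line counts are constructed, and defect density is defined here as defects per thousand lines of code, which is an assumption: the patent plots density as a percentage but does not fix its definition.

```python
"""Defect trend statistics, TopN classification and application ranking.

Added example of the statistical analysis module described above; not the
applicant's code. Findings, dates and line counts are constructed, and
density is defined here as defects per KLOC (an assumption).
"""
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, Tuple


def daily_trend(findings: List[dict], loc_by_app: Dict[str, int],
                start: date, end: date) -> List[Tuple[date, int, float]]:
    """For each day in [start, end]: (day, defect count, defect density per KLOC)
    over the findings detected that day. Pre-filter `findings` and `loc_by_app`
    to one application for a per-application trend; days without scans give 0."""
    per_day: Dict[date, List[dict]] = {}
    for f in findings:
        per_day.setdefault(f["detected"], []).append(f)
    total_kloc = sum(loc_by_app.values()) / 1000.0
    rows = []
    day = start
    while day <= end:
        count = len(per_day.get(day, []))
        density = round(count / total_kloc, 2) if total_kloc else 0.0
        rows.append((day, count, density))
        day += timedelta(days=1)
    return rows


def top_n_classes(findings: List[dict], n: int) -> List[Tuple[str, int]]:
    """Defect classification TopN: the n most frequent unified defect codes."""
    return Counter(f["code"] for f in findings).most_common(n)


def rank_apps(findings: List[dict], loc_by_app: Dict[str, int]) -> List[dict]:
    """Rank applications by defect count, breaking ties by density (defects per KLOC)."""
    counts = Counter(f["app"] for f in findings)
    rows = []
    for app, loc in loc_by_app.items():
        c = counts.get(app, 0)
        rows.append({"app": app, "defects": c,
                     "density": round(c / (loc / 1000.0), 2) if loc else 0.0})
    return sorted(rows, key=lambda r: (-r["defects"], -r["density"], r["app"]))


# Constructed merged findings over one scanning period (3.16 to 3.22) and
# constructed code sizes per application.
SAMPLE_LOC = {"app-001": 20000, "app-002": 5000, "app-003": 50000}
SAMPLE_FINDINGS = [
    {"app": "app-001", "code": "CWE-89", "detected": date(2022, 3, 16)},
    {"app": "app-001", "code": "CWE-79", "detected": date(2022, 3, 16)},
    {"app": "app-002", "code": "CWE-89", "detected": date(2022, 3, 17)},
    {"app": "app-002", "code": "CWE-798", "detected": date(2022, 3, 17)},
    {"app": "app-002", "code": "CWE-89", "detected": date(2022, 3, 19)},
    {"app": "app-003", "code": "CWE-79", "detected": date(2022, 3, 22)},
    {"app": "app-001", "code": "CWE-89", "detected": date(2022, 3, 22)},
]


def example_trend() -> List[Tuple[date, int, float]]:
    """Trend for the sample period, all applications combined."""
    return daily_trend(SAMPLE_FINDINGS, SAMPLE_LOC, date(2022, 3, 16), date(2022, 3, 22))


if __name__ == "__main__":
    for day, count, density in example_trend():
        print(day.isoformat(), count, density)
    print(top_n_classes(SAMPLE_FINDINGS, 2))
    print(rank_apps(SAMPLE_FINDINGS, SAMPLE_LOC))
```

The ranking shows why density matters alongside raw count: `app-001` and `app-002` carry the same number of defects, but `app-002` is a quarter of the size, so it ranks first. Reporting both figures, as the patent's FIG. 2 does, keeps a large application from looking worse than a small one purely because it has more code.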
Embodiment two
The security testing apparatus for a target application provided in this embodiment includes a plurality of implementation units, each of which corresponds to an implementation step in the first embodiment.
Fig. 3 is a schematic diagram of an alternative security testing apparatus for a target application according to an embodiment of the present invention, and as shown in fig. 3, the security testing apparatus may include: a receiving unit 30, an accessing unit 31, a scheduling unit 32, an analyzing unit 33, wherein,
a receiving unit 30, configured to receive a test task for performing a security test on a target application, where the test task includes pre-configured tool information and test basic information, and the test basic information at least includes: the test time point and the application identifier of the target application;
an access unit 31, configured to respond to the test task and access a plurality of security detection tools corresponding to the tool information;
a scheduling unit 32, configured to schedule the security detection tools to scan the target application respectively when the test time point is reached, obtaining a plurality of detection reports;
and the analysis unit 33 is configured to analyze the display element information in the multiple detection reports to obtain an application test result.
The testing apparatus may receive, by the receiving unit 30, a test task for performing a security test on a target application, where the test task includes pre-configured tool information and test basic information, and the test basic information at least includes the test time point and the application identifier of the target application; respond to the test task through the access unit 31 and access a plurality of security detection tools corresponding to the tool information; schedule, through the scheduling unit 32, the security detection tools to scan the target application respectively when the test time point is reached, obtaining a plurality of detection reports; and analyze the display element information in the plurality of detection reports through the analysis unit 33 to obtain an application test result. In the embodiment of the invention, a plurality of corresponding security detection tools can be accessed based on the tool information in the test task; when the test time point is reached, the security detection tools are scheduled to scan the target application respectively, and the plurality of detection reports are analyzed to obtain the application test result. Each independent security detection tool can thus be orchestrated and scheduled, the learning cost and usage threshold for security testers are reduced, rapid automatic security scanning is achieved, a comprehensive application test result is obtained and working efficiency is improved, which solves the technical problem in the related art that working efficiency is low because multiple security detection tools are scheduled manually one by one.
Optionally, the testing apparatus further includes: a first creation module, configured to receive a task creation instruction before the test task for performing a security test on the target application is received, and to create an initial test task in response to the task creation instruction; and a first generation module, configured to receive the application identifier, the test time point and a tool selection instruction and to generate the test task, where the tool selection instruction is a tool selection instruction received from outside after the tool profiles of all security detection tools are displayed on a client interface.
Optionally, the access unit includes: a first determination module, configured to determine the tool environment configuration and service parameter configuration of each security detection tool to be accessed based on the tool information; and a first access module, configured to access the plurality of security detection tools respectively through a pre-configured security tool start interface, based on the tool environment configuration and service parameter configuration of each security detection tool to be accessed.
Optionally, the plurality of security detection tools include: a static application security detection service tool, which obtains code semantic information and dependency relationships by scanning the source code of the target application; a dynamic application security detection service tool, which obtains application fault test information by injecting a preset fault into the target application and scanning the running process of the target application after the fault is injected; an interactive application detection service tool, which installs an instrumentation component on a test server, acquires application service requests, code data flow and code control flow through the instrumentation component, reconstructs the test flow, detects the running state of the target application and obtains risk point information; and a custom security detection service tool, which provides scheduling-scenario customization and tool start-parameter configuration services for a pre-specified security tool.
Optionally, the static application security detection service tool interfaces with a source code management system, and its calling scenario is the code commit and check-in stage; the dynamic application security detection service tool interfaces with a continuous build tool, and its calling scenario is the test stage after code delivery; the calling scenario of the interactive application detection service tool is the test stage after code delivery.
Optionally, the testing apparatus further includes: a second determination module, configured to merge and deduplicate the multiple test reports before the display element information in the multiple detection reports is analyzed to obtain the application test result, and to determine the defect types and application problems corresponding to the target application; a first ranking module, configured to weight the different defect types and application problems based on the occurrence frequency of each defect type and each application problem, and to rank the weighted defect types and application problems to obtain a ranking result; and a first display module, configured to display the ranking result.
Optionally, the display element information includes at least one of: application identifier, vulnerability defect classification, vulnerability level, risk description, repair suggestion, problem location and problem source.
The above-mentioned testing device may further include a processor and a memory, and the above-mentioned receiving unit 30, the accessing unit 31, the scheduling unit 32, the analyzing unit 33, etc. are all stored in the memory as program units, and the processor executes the above-mentioned program units stored in the memory to implement the corresponding functions.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. One or more kernels may be provided, and the display element information in the multiple detection reports is analyzed by adjusting the kernel parameters to obtain the application test result.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or non-volatile memory such as Read-Only Memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The present application further provides a computer program product adapted to execute, when run on a data processing device, a program that initializes the following method steps: receiving a test task for performing a security test on a target application, where the test task includes pre-configured tool information and test basic information, and the test basic information at least includes the test time point and the application identifier of the target application; responding to the test task and accessing a plurality of security detection tools corresponding to the tool information; scheduling the security detection tools to scan the target application respectively when the test time point is reached, obtaining a plurality of detection reports; and analyzing the display element information in the plurality of detection reports to obtain an application test result.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, where the computer-readable storage medium includes a stored computer program, and when the computer program runs, the apparatus on which the computer-readable storage medium is located is controlled to execute the above-mentioned security testing method for the target application.
According to another aspect of embodiments of the present invention, there is also provided an electronic device, including one or more processors and a memory for storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the above-mentioned security testing method for a target application.
Fig. 4 is a block diagram of the hardware structure of an electronic device (or mobile device) for the security testing method of a target application according to an embodiment of the present invention. As shown in fig. 4, the electronic device may include one or more processors 102 (shown as 102a, 102b, … …, 102n; the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data. In addition, the electronic device may also include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a keyboard, a power supply and/or a camera. Those skilled in the art will understand that the structure shown in fig. 4 is only illustrative and does not limit the structure of the electronic device. For example, the electronic device may also include more or fewer components than shown in FIG. 4, or have a different configuration from that shown in FIG. 4.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units may be a logical functional division, and in actual implementation there may be another division: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the principle of the present invention, and these modifications and improvements should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A method for security testing of a target application, comprising:
receiving a test task for performing a security test on a target application, wherein the test task includes pre-configured tool information and test basic information, and the test basic information at least includes: the test time point and the application identifier of the target application;
responding to the test task, and accessing a plurality of safety detection tools corresponding to the tool information;
under the condition that the test time point is reached, scheduling the safety detection tool to respectively scan the target application to obtain a plurality of detection reports;
and analyzing the display element information in the multiple detection reports to obtain an application test result.
2. The security test method of claim 1, further comprising, prior to receiving a test task to perform a security test on the target application:
receiving a task creating instruction, responding to the task creating instruction, and creating an initial testing task;
and receiving the application identifier, the test time point and a tool selection instruction, and generating the test task, wherein the tool selection instruction is a tool selection instruction received from outside after tool profiles of all security detection tools are displayed on a client interface.
3. The security test method of claim 1, wherein the step of accessing a plurality of security detection tools corresponding to the tool information in response to the test task comprises:
determining tool environment configuration and service parameter configuration of each safety detection tool to be accessed based on the tool information;
and respectively accessing a plurality of safety detection tools by adopting a pre-configured safety tool starting interface based on the tool environment configuration and the service parameter configuration of each safety detection tool to be accessed.
4. The safety testing method according to any one of claims 1 to 3, wherein the plurality of safety detection tools comprises:
the static application security detection service tool obtains code semantic information and dependency relationship by scanning the source code of the target application;
the dynamic application safety detection service tool is used for obtaining application fault test information by injecting a preset fault into the target application and scanning the running process of the target application after the fault is injected;
the interactive application detection service tool is used for detecting the running state of the target application by installing an instrumentation component on a test server, acquiring an application service request, a code data flow and a code control flow through the instrumentation component, reconstructing the test flow and obtaining risk point information;
and a custom security detection service tool, providing a scheduling-scenario customization service and a tool start-parameter configuration service for a pre-designated security tool.
5. The security testing method of claim 4, wherein the static application security detection service tool interfaces with a source code management system, and the calling scenario is a code commit and check-in stage; the dynamic application security detection service tool interfaces with a continuous build tool, and the calling scenario is a test stage after code delivery; the calling scenario of the interactive application detection service tool is a test stage after code delivery.
6. The security testing method of claim 1, further comprising, before analyzing the presentation element information in the plurality of detection reports to obtain the application test result:
merging the plurality of test reports and removing duplicates, and determining the defect types and application problems corresponding to the target application;
weighting the different defect types and application problems based on the occurrence frequency of each defect type and each application problem, and sorting the weighted defect types and application problems to obtain a sorting result;
and displaying the sorting result.
7. The security testing method according to claim 1, wherein the presentation element information includes at least one of: application identifier, vulnerability defect classification, vulnerability grade, risk description, repair suggestion, problem location and problem source.
8. A security testing apparatus for a target application, comprising:
a receiving unit, configured to receive a test task for performing a security test on a target application, where the test task includes pre-configured tool information and test basic information, and the test basic information at least includes: a test time point and the application identifier of the target application;
an access unit, configured to respond to the test task and access a plurality of security detection tools corresponding to the tool information;
a scheduling unit, configured to schedule the security detection tools to each scan the target application when the test time point is reached, so as to obtain a plurality of detection reports;
and an analysis unit, configured to analyze the presentation element information in the plurality of detection reports to obtain an application test result.
9. A computer-readable storage medium, comprising a stored computer program, wherein when the computer program runs, the computer-readable storage medium controls a device to execute the security testing method of the target application according to any one of claims 1 to 7.
10. An electronic device comprising one or more processors and memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method for security testing of a target application of any of claims 1 to 7.
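As an added illustration of the report-aggregation step in claim 6 and the presentation fields of claim 7 (example code written here, not the patent's own implementation): findings from the static, dynamic and interactive tools of claim 4 are merged, de-duplicated, weighted by how many reports contain them, and sorted. The per-finding record layout, the tool names, the duplicate key and the use of vulnerability grade as a tie-breaker after occurrence frequency are all assumptions.

```python
"""Merge, de-duplicate and rank findings from several security detection tools.
Constructed example for claims 6 and 7 (not the patent's code); layout and tie-breaker assumed."""
from collections import Counter

GRADE_RANK = {"high": 3, "medium": 2, "low": 1}  # assumed vulnerability grade scale

def finding(cls, grade, location, source, risk, fix, app_id="app-01"):
    """One finding carrying the claim-7 presentation fields (field names assumed)."""
    return {"app_id": app_id, "classification": cls, "grade": grade,
            "location": location, "source": source, "risk": risk, "fix": fix}

# Constructed sample: one detection report per tool kind of claim 4.
SAMPLE_REPORTS = [
    [  # static tool: scanned the source code
        finding("sql_injection", "high", "dao/UserDao.java:88", "static",
                "untrusted input concatenated into a query", "use parameterised queries"),
        finding("hardcoded_secret", "medium", "config/Db.java:12", "static",
                "database password in source", "load the secret from a vault"),
    ],
    [  # dynamic tool: probed the running application
        finding("sql_injection", "high", "dao/UserDao.java:88", "dynamic",
                "error-based injection via /users", "use parameterised queries"),
        finding("missing_header", "low", "GET /users", "dynamic",
                "X-Content-Type-Options not set", "add the header"),
    ],
    [  # interactive tool: instrumentation component saw tainted data reach JDBC
        finding("sql_injection", "high", "dao/UserDao.java:88", "interactive",
                "tainted request data reaches JDBC", "use parameterised queries"),
    ],
]

def finding_key(f):
    """Two findings are duplicates when app, defect class and location match."""
    return (f["app_id"], f["classification"], f["location"])

def merge_and_rank(reports):
    """Claim 6: merge reports, drop duplicates, weight by frequency, sort."""
    merged, counts = {}, Counter()
    for f in (f for report in reports for f in report):
        key = finding_key(f)
        counts[key] += 1  # occurrence frequency across all reports
        # keep the first record but remember every tool that reported it
        merged.setdefault(key, dict(f, sources=[]))["sources"].append(f["source"])
    ranked = sorted(merged.values(), reverse=True,
                    key=lambda f: (counts[finding_key(f)], GRADE_RANK.get(f["grade"], 0)))
    return [dict(f, weight=counts[finding_key(f)]) for f in ranked]

def defect_type_frequency(reports):
    """Occurrence frequency of each defect type, the basis of the weighting."""
    return Counter(f["classification"] for report in reports for f in report)
```

The ranked list is what the display step of claim 6 would present; a finding reported by all three tools rises to the top even though each tool described it differently.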
CN202210441664.6A 2022-04-25 2022-04-25 Security testing method and device for target application, electronic equipment and storage medium Pending CN114676066A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210441664.6A CN114676066A (en) 2022-04-25 2022-04-25 Security testing method and device for target application, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210441664.6A CN114676066A (en) 2022-04-25 2022-04-25 Security testing method and device for target application, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114676066A true CN114676066A (en) 2022-06-28

Family

ID=82080628

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210441664.6A Pending CN114676066A (en) 2022-04-25 2022-04-25 Security testing method and device for target application, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114676066A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115292128A (en) * 2022-08-10 2022-11-04 中国电信股份有限公司 Microservice configuration detection method and device, electronic equipment and readable storage medium
CN117421253A (en) * 2023-12-19 2024-01-19 深圳市智慧城市科技发展集团有限公司 Interface security test method, device, equipment and storage medium
CN117421253B (en) * 2023-12-19 2024-04-02 深圳市智慧城市科技发展集团有限公司 Interface security test method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN106339312B (en) API test method and system
US7895565B1 (en) Integrated system and method for validating the functionality and performance of software applications
CN105094783B (en) method and device for testing stability of android application
EP2572294B1 (en) System and method for sql performance assurance services
CN114676066A (en) Security testing method and device for target application, electronic equipment and storage medium
US9135714B1 (en) Method and system for integrating a graphical user interface capture for automated test and retest procedures
CN114546738B (en) Universal test method, system, terminal and storage medium for server
CN108509344B (en) Daily cutting batch test method, equipment and readable storage medium
CN111679977B (en) Method, equipment and storage medium for testing exact project unit based on Jest
CN110569159A (en) Baffle generation method, device, equipment and computer storage medium
CN113434396A (en) Interface test method, device, equipment, storage medium and program product
CN113238930A (en) Software system testing method and device, terminal equipment and storage medium
CN113792341A (en) Privacy compliance automation detection method, device, equipment and medium for application program
US9336025B2 (en) Systems and methods of analyzing a software component
CN114238134A (en) Test result display method, device, equipment and storage medium
CN111858354A (en) Method and device for automatically generating test report, storage medium and electronic equipment
EP3734460B1 (en) Probabilistic software testing via dynamic graphs
CN111382071A (en) User behavior data testing method and system
CN117493188A (en) Interface testing method and device, electronic equipment and storage medium
CN108427645B (en) Method and system for realizing unattended operation in automatic test platform without command line interface
CN108563578B (en) SDK compatibility detection method, device, equipment and readable storage medium
CN113934642B (en) Software compatibility testing method based on dynamic and static combination
CN113672497B (en) Method, device and equipment for generating non-buried point event and storage medium
CN115480940A (en) Page calling method, device and medium for financial ratio indexes
CN114238110A (en) Software application testing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination