CN116383031A - Automatic audit method for source code security vulnerabilities based on scene data - Google Patents


Info

Publication number: CN116383031A
Authority: CN (China)
Prior art keywords: security, audit, vulnerability, data, mark
Legal status: Pending
Application number: CN202210079783.1A
Other languages: Chinese (zh)
Inventors: 王宏, 高新亮
Current assignee: Sikeyun Beijing Software Technology Co ltd
Original assignee: Sikeyun Beijing Software Technology Co ltd
Priority date: 2022-01-24
Filing date: 2022-01-24
Publication date: 2023-07-04

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3668 Software testing
    • G06F 11/3672 Test management
    • G06F 11/3692 Test management for test results analysis

Abstract

The invention discloses an automatic audit method for source code security vulnerabilities based on scene data, comprising the following steps: S1, acquiring a detection result; S2, extracting all scene information related to each security vulnerability; S3, extracting all scene information of the application system under test; S4, starting an audit mark analysis engine, which analyzes the security vulnerability information in the detection result using the scene information and obtains analysis data for each security vulnerability; S5, matching the analysis data of each security vulnerability against the audit mark rules and, when they match, treating the current security vulnerability as meeting the audit mark condition and performing the marking operation; S6, judging whether each security vulnerability that meets the audit mark condition needs to be repaired, so as to obtain a judgment result; and S7, classifying according to the judgment result to finally form the security vulnerability audit mark item data.

Description

Automatic audit method for source code security vulnerabilities based on scene data
Technical Field
The invention relates to the field of information security, in particular to an automatic audit method for source code security vulnerabilities based on scene data.
Background
With the development of the Internet and information technology, the era of universal interconnection, intelligence and digitalization has arrived, and the security of software application systems is becoming more and more important. The concept of DevSecOps is now widely accepted in the software development industry. SAST (static application security testing) source code security testing tools have become an important means of detecting and finding security vulnerabilities in application systems, and SAST products are emerging in large numbers both domestically and abroad. A source code security testing tool can comprehensively find security vulnerabilities at the code level, but because the reported vulnerabilities are of many types and huge in number, a single scan frequently yields thousands of findings. Security auditors have no way to work through them, a large amount of repetitive work is required, and effective security auditing cannot be carried out; the tool is then judged to have a high false-positive rate, its detection results are treated as invalid, and the SAST product may even be abandoned, which brings great risks and challenges to software application security assurance and security vulnerability repair.
On the other hand, SAST products provide a large amount of scene data that can be used for auditing. For a vulnerability, this scene information includes, for example, its detailed type, its level, the entry-point function where it arises, the file name and file path, the function where value passing starts and the functions the value passes through, all logical operations performed during value passing, and the type of detection engine. For the system under test, it includes the system type, the required security level, the required quality level, the actual application scenario, whether industry standards are followed, whether a security validation framework is used, and so on. This information can be used to judge the harmfulness, validity and repair necessity of a vulnerability well, but it is not used in the current auditing process. Therefore an auditing method can be developed that uses this scene information to audit and mark thousands of security vulnerability records automatically, efficiently and accurately, thereby improving the efficiency of security vulnerability auditing.
Disclosure of Invention
The invention aims to solve the above problems and provides an automatic auditing method for source code security vulnerabilities based on scene data, which improves auditing efficiency.
In order to achieve the above object, the technical scheme of the present invention is as follows:
An automatic auditing method for source code security vulnerabilities based on scene data comprises the following steps:
S1, acquiring the detection result of a SAST source code security testing product;
S2, acquiring the description information of each security vulnerability in the detection result, and extracting all scene information related to the security vulnerability by dividing up the scene in which the vulnerability arises;
S3, acquiring the related information of the application system under test from the source code files under test, and extracting all scene information of the application system from that related information with an application system scene information extraction engine;
S4, starting an audit mark analysis engine, wherein the audit mark analysis engine analyzes the security vulnerability information in the detection result using all scene information related to the security vulnerability and all scene information of the application system under test, to obtain analysis data for each security vulnerability;
S5, formulating audit mark rules and matching the analysis data of each security vulnerability against them; when the analysis data of a security vulnerability matches an audit mark rule, the current security vulnerability meets the audit mark condition and the marking operation is executed on it;
S6, after all security vulnerabilities meeting the audit mark conditions have been marked, judging whether each of them needs to be repaired, so as to obtain a judgment result;
and S7, classifying all security vulnerabilities meeting the audit mark conditions according to the judgment result, and finally forming the security vulnerability audit mark item data.
Further, in step S2, the scene information related to the security vulnerability includes, but is not limited to: the vulnerability type, the vulnerability level, the directory where the vulnerability is located, the file where the vulnerability is located, the function name at the vulnerability's starting position, the list of function names in the vulnerability's value-transmission process, the number of logical operations in that value-transmission process, the name of the analysis engine that found the vulnerability, and the ID of the rule by which the vulnerability was obtained.
Further, in step S3, the scene information of the application system under test includes, but is not limited to: the system type, the security level of the system, the security standard the system follows, the application scope of the system, the development framework of the system, whether the system has a unified external data validation mechanism, whether the system has undergone its last online test, whether the system's database data is trusted data, whether the system's environment variable data is trusted data, whether the system complies with national commercial cryptography requirements, and the like.
Further, all scene information related to the security vulnerability extracted in step S2 and all scene information of the application system under test extracted in step S3 are stored in Key-Value format.
Further, in step S7, the security vulnerability audit mark item data includes an audit item and a mark item, where the audit item may be briefly classified as: has mitigation measures, no repair needed, exploitable, false positive, and the like; the mark item includes: ignore, temporarily ignore, complete repair within a certain time, repair immediately, and the like.
Compared with the prior art, the invention has the advantages and positive effects that:
The invention constructs an automatic audit method for source code security vulnerabilities based on scene data. It automatically audits and marks the security vulnerabilities detected by a SAST source code security detection product, reduces a large amount of repetitive audit work by security auditors, provides an efficient and rapid vulnerability marking process, automatically marks and eliminates false positives by condition, and effectively improves the efficiency of security vulnerability auditing. At the same time, vulnerabilities that are genuinely harmful to system security can be marked, which protects the application systems that enterprises develop and use. The method is also simple to operate and can be used by ordinary business staff after brief training, so it is suitable for wide adoption; and its applicability can be continuously extended simply by the user adding new audit mark rules, which further improves its effectiveness.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the invention, and that other drawings can be obtained according to these drawings without inventive faculty for a person skilled in the art.
FIG. 1 is a block diagram of the present invention.
Detailed Description
The following description of the embodiments of the present invention is made clearly and completely with reference to the accompanying drawings. The embodiments described are only some embodiments of the present invention, not all of them. All other embodiments, modifications, equivalents and improvements that are apparent to those skilled in the art on the basis of this disclosure are intended to fall within the scope of this invention.
As shown in FIG. 1, the invention discloses an automatic audit method for source code security vulnerabilities based on scene data. It extracts the scene information data of the application system under test and the scene information data of each security vulnerability in the detection result, formats this scene data in Key-Value form, and analyzes it with an audit mark analysis engine that loads the audit mark rules and checks whether the keys and values satisfy one of the rules; if so, the corresponding audit mark item is attached to the current vulnerability. The whole detection result is marked by traversing all security vulnerabilities and executing the audit marking task for each.
The specific operation steps of the invention are as follows:
1. Input the detection result of the SAST source code security testing product.
2. Acquire the relevant information of each vulnerability and extract all scene information related to it through the vulnerability scene information extraction engine, forming a Key-Value record. The vulnerability scene information is shown in the following table:
[Table: vulnerability scene information (table image not reproduced in this extraction)]
3. Acquire the relevant information of the application system and extract all scene information of the application system under test through the application system scene information extraction engine, forming a Key-Value record. The scene information of the application system is shown in the following table:
[Table: application system scene information (table image not reproduced in this extraction)]
4. Start the audit mark analysis engine and analyze each vulnerability record against the scene information in Key-Value form. The audit mark engine mainly uses regular expressions to analyze the Key and Value data produced by the extraction engines and then matches them against each audit mark rule loaded in the following step; if the keys and values match, the current vulnerability is deemed to meet the audit mark condition and the audit mark operation is performed.
5. Load the audit mark rules. Each audit mark rule consists of an audit mark condition component and an audit mark item component, as shown in the following table:
[Table: audit mark rules (table image not reproduced in this extraction)]
6. After audit marking is finished, judge whether the current vulnerability needs to be repaired, and finally perform classification statistics to form the audit mark item data; during the statistics, the mark item of the vulnerability's matched audit mark rule is recorded as its audit mark item data. The audit mark item data consists of an audit item and a mark item, as shown in the following table:
[Table: audit mark item data (table image not reproduced in this extraction)]
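The steps above describe the engine only in prose, and the rule and data tables did not survive extraction. The following is an added example, not code from the patent or its assignee, showing how steps 2 to 7 fit together: vulnerability and application scene data are flattened into one Key-Value record with `vuln.` and `app.` prefixes, each audit mark rule is a condition component (a set of key/regular-expression pairs, all of which must match) plus an audit mark item component (audit item and mark item), the first matching rule marks the finding, the mark item decides whether repair is still needed, and the results are classified. All keys, values, finding ids, rule names and the sample findings are constructed for the example, and the choice to leave unmatched findings for manual review (rather than silently ignoring them) is the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: scene information of the application system under test
# in Key-Value form (all keys and values are hypothetical).
APP_SCENE = {"system_type": "internal_management", "security_level": "2",
             "has_unified_validation": "yes", "database_trusted": "yes"}

# Constructed sample: SAST detection results, one Key-Value record per finding,
# using the vulnerability scene fields the patent lists.
FINDINGS = [
    {"id": "F1", "vuln_type": "sql_injection", "vuln_level": "high",
     "directory": "src/main/java/com/example/web", "file": "UserController.java",
     "entry_function": "searchUsers", "functions": "searchUsers>buildQuery>execute",
     "logic_ops": "0", "engine": "taint", "rule_id": "SQLI-001"},
    {"id": "F2", "vuln_type": "xss_reflected", "vuln_level": "medium",
     "directory": "src/main/java/com/example/web", "file": "ProfileController.java",
     "entry_function": "render", "functions": "render>escapeHtml>write",
     "logic_ops": "2", "engine": "taint", "rule_id": "XSS-002"},
    {"id": "F3", "vuln_type": "sql_injection", "vuln_level": "high",
     "directory": "src/main/java/com/example/dao", "file": "ReportDao.java",
     "entry_function": "loadFromDb", "functions": "loadFromDb>query",
     "logic_ops": "0", "engine": "taint", "rule_id": "SQLI-001"},
    {"id": "F4", "vuln_type": "path_traversal", "vuln_level": "high",
     "directory": "src/main/java/com/example/files", "file": "Download.java",
     "entry_function": "download", "functions": "download>open",
     "logic_ops": "1", "engine": "taint", "rule_id": "PT-004"},
]


@dataclass
class AuditMarkRule:
    """Condition component (every regex must match) + audit mark item component."""
    name: str
    conditions: dict   # "vuln.<key>" or "app.<key>" -> regular expression
    audit_item: str
    mark_item: str


# Constructed rules. Order matters: the first matching rule wins, so the
# narrower rules (mitigated, trusted data source) sit above the generic one.
RULES = [
    AuditMarkRule("xss-already-escaped",
                  {"vuln.vuln_type": r"xss_.*", "vuln.functions": r".*>escapeHtml>.*"},
                  "has_mitigation", "ignore"),
    AuditMarkRule("sqli-from-trusted-db",
                  {"vuln.vuln_type": r"sql_injection", "vuln.entry_function": r".*FromDb.*",
                   "app.database_trusted": r"yes"},
                  "false_positive", "ignore"),
    AuditMarkRule("sqli-high",
                  {"vuln.vuln_type": r"sql_injection", "vuln.vuln_level": r"high"},
                  "exploitable", "fix_immediately"),
]

# Mark items that mean the finding still has to be repaired (step 6).
REPAIR_MARKS = {"fix_immediately", "fix_within_30_days"}


def scene_record(finding, app_scene):
    """Merge vulnerability and application scene data into one Key-Value record."""
    record = {f"vuln.{k}": v for k, v in finding.items()}
    record.update({f"app.{k}": v for k, v in app_scene.items()})
    return record


def rule_matches(rule, record):
    """AND over all conditions; fullmatch so 'yes' cannot match 'yes_partly'."""
    return all(record.get(key) is not None
               and re.fullmatch(pattern, record[key]) is not None
               for key, pattern in rule.conditions.items())


def audit_finding(finding, app_scene, rules):
    """Steps 4-6 for one finding: analyse, match a rule, mark, decide on repair."""
    record = scene_record(finding, app_scene)
    for rule in rules:
        if rule_matches(rule, record):
            return {"id": finding["id"], "rule": rule.name,
                    "audit_item": rule.audit_item, "mark_item": rule.mark_item,
                    "needs_repair": rule.mark_item in REPAIR_MARKS}
    # No rule fired: hand the finding to a human auditor instead of dropping it.
    return {"id": finding["id"], "rule": None, "audit_item": "unaudited",
            "mark_item": "manual_review", "needs_repair": None}


def audit_all(findings, app_scene, rules):
    """Traverse every finding in the detection result, then classify (step 7)."""
    marks = [audit_finding(f, app_scene, rules) for f in findings]
    summary = {"by_audit_item": Counter(m["audit_item"] for m in marks),
               "by_mark_item": Counter(m["mark_item"] for m in marks),
               "needs_repair": sum(1 for m in marks if m["needs_repair"]),
               "manual_review": sum(1 for m in marks if m["rule"] is None)}
    return marks, summary


if __name__ == "__main__":
    for mark in audit_all(FINDINGS, APP_SCENE, RULES)[0]:
        print(mark)
```

Two points the prose leaves implicit are visible here. Rule order decides the outcome when several rules could fire (F3 is marked a false positive by the trusted-database rule only because that rule is listed before the generic high-severity SQL injection rule), so a rule set needs an agreed ordering or an explicit priority field. And a rule that marks something "ignore" on the strength of an application-level fact such as `app.database_trusted` is only as good as that fact, so the application scene record should be reviewed whenever the system's data sources change.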

Claims (5)

1. An automatic auditing method for source code security vulnerabilities based on scene data, characterized in that the method comprises the following steps:
S1, acquiring the detection result of a SAST source code security testing product;
S2, acquiring the description information of each security vulnerability in the detection result, and extracting all scene information related to the security vulnerability by dividing up the scene in which the vulnerability arises;
S3, acquiring the related information about the application system from the source code files under test, and extracting all scene information of the application system under test from that related information with an application system scene information extraction engine;
S4, starting an audit mark analysis engine, wherein the audit mark analysis engine analyzes the security vulnerability information in the detection result using all scene information related to the security vulnerability and all scene information of the application system under test, to obtain analysis data for each security vulnerability;
S5, formulating audit mark rules and matching the analysis data of each security vulnerability against them; when the analysis data of a security vulnerability matches an audit mark rule, the current security vulnerability meets the audit mark condition and the marking operation is executed on it;
S6, after all security vulnerabilities meeting the audit mark conditions have been marked, judging whether each of them needs to be repaired, so as to obtain a judgment result;
and S7, classifying all security vulnerabilities meeting the audit mark conditions according to the judgment result, and finally forming the security vulnerability audit mark item data.
2. The automatic auditing method for source code security vulnerabilities based on scene data of claim 1, wherein in step S2 the scene information related to the security vulnerability includes, but is not limited to: the vulnerability type, the vulnerability level, the directory where the vulnerability is located, the file where the vulnerability is located, the function name at the vulnerability's starting position, the list of function names in the vulnerability's value-transmission process, the number of logical operations in that value-transmission process, the name of the analysis engine that found the vulnerability, and the ID of the rule by which the vulnerability was obtained.
3. The automatic auditing method for source code security vulnerabilities based on scene data of claim 2, wherein in step S3 the scene information of the application system under test includes, but is not limited to: the system type, the security level of the system, the security standard the system follows, the application scope of the system, the development framework of the system, whether the system has a unified external data validation mechanism, whether the system has undergone its last online test, whether the system's database data is trusted data, whether the system's environment variable data is trusted data, and whether the system complies with national commercial cryptography requirements.
4. The automatic auditing method for source code security vulnerabilities based on scene data of claim 3, wherein all scene information related to the security vulnerability extracted in step S2 and all scene information of the application system under test extracted in step S3 are stored in Key-Value format.
5. The automatic auditing method for source code security vulnerabilities based on scene data of claim 4, wherein in step S7 the security vulnerability audit mark item data includes an audit item and a mark item, where the audit item may be briefly classified as: has mitigation measures, no repair needed, exploitable, and false positive; and the mark item includes: ignore, temporarily ignore, complete repair within a certain time, and repair immediately.
Priority Applications (1)

Application number: CN202210079783.1A (published as CN116383031A)
Priority date: 2022-01-24
Filing date: 2022-01-24
Title: Automatic audit method for source code security vulnerabilities based on scene data

Publications (1)

Publication number: CN116383031A
Publication date: 2023-07-04

Family

Family ID: 86971732
Family applications (1): CN202210079783.1A, pending, published as CN116383031A

Country Status (1)

CN: CN116383031A


Legal Events

Code: Title
PB01: Publication
SE01: Entry into force of request for substantive examination