问题

安全性测试

  • 2023年5月23日
  • 2回答
  • 19日视图
H
Userlevel 2
徽章

嗨的社区,我想知道安全测试是如何执行的,以及是否有工具

用于扫描和识别代码中的漏洞的代码。

Hi Community,\u00a0I would like to know how the security testing is performed and Is there any tools which<\/p>

is used to scan the code and identify the\u00a0vulnerabilities in the code.<\/p>

\u00a0<\/p>

\u00a0<\/p>","quoteUsername":"Harish N","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote & Reply","Share":"Share"}}}">

2回答

一个
Userlevel 5
徽章 + 3

各种方式,但认为它主要是由工具指向被测系统。工具将有一个广泛的可选择的攻击表面扫描,您可以选择。

攻击表面可能包括例如:

  • 电脑打开的端口(8080、443、1521等)
  • 可见电脑如何(是ICMP / PING availalble,防火墙访问&域信任可以看到它)
  • 什么权限集设置——帐户可以访问吗?的部分吗?这些是符合最佳实践(例如操作系统管理员帐户没有密码)
  • 共享文件夹,有读访问,有什么写访问
  • 安装操作系统和软件补丁到目前为止,有已知的漏洞与188金宝搏官网登录app这些软件上市受欢迎,共同安全数据库的攻击在野外吗
  • 对于一个给定的数据库,什么级别的服务器、数据库、表和安全账户权限设置。这些是符合最佳实践(即离开SQL Server ' sa '帐户启用)
  • 对于一个网站的登录页面,将尝试各种攻击工具像进入畸形的SQL用户名&密码字段检查SQLi攻击,畸形的javascript来检查XSS攻击等等

最难的部分不是那么多使用这些工具为你做大部分的东西,它的调查结果和写作结束漏洞调查报告。你需要专家安全测试成员训练有素和经验丰富。这真的不是一个简单的角色&像通用网络安全,这些成员需要不断了解,不断学习新的威胁。

Various ways, but think of it largely as performed by pointing tools at the System Under Test. The tools will have a wide range of selectable attack surfaces known to scan for which you can select.<\/p>

\u00a0<\/p>

Attack surfaces could include for example:<\/p>

  • which ports are open to the computer (8080, 443, 1521 etc.)<\/li>\t
  • how visible the computer is (is ICMP\/PING availalble, firewall access & which domain trusts can see it)<\/li>\t
  • what permission sets are setup - which accounts can access it? parts of it? are these in line with best practices (i.e. OS administrator account with no password)<\/li>\t
  • what folders are shared, what has read access, what has write access<\/li>\t
  • is the OS and installed software patched upto date, are there known vulnerabilities with the these software as listed on popular, common security databases of attacks in the wild<\/li>\t
  • for a given database, what level of server, database, table and security account permissions are setup. Are these in line with best practices (i.e. leaving the SQL Server \u2018sa\u2019 account enabled)<\/li>\t
  • for a website login page, the tools will attempt various attacks like entering malformed SQL in the username & password fields to check for SQLi attacks, malformed javascript to check for XSS attacks and more<\/li><\/ul>

    The hard part isn\u2019t so much using these tools which do most of the stuff for you, it\u2019s investigating the results & writing an end vulnerability findings report. For that you need really expert security testing members who are highly trained & experienced. It\u2019s really not an easy role & like general network security, these members need to be constantly informed, constantly learning of new threats.<\/p>","quoteUsername":"alex_read","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote & Reply","Share":"Share"}}}">

一个
Userlevel 5
徽章 + 3

有另一套工具的代码可以由开发人员和/或安全测试人员使用。如果你在网络搜索“安全扫描码”或“静态代码分析”,你就可以找到一些通常在IDE中运行

There are another set of tools for the code which can be used by developers and\/or security testers. If you search the web for \u201csecurity scan code\u201d or \u201cstatic code analysis\u201d, you\u2019ll be able to find a few of these which are often run in the IDE<\/p>","quoteUsername":"alex_read","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote & Reply","Share":"Share"}}}">

回复


ShiftSync条款和条件
Learn more about our cookies.<\/a>","cookiepolicy.button":"Accept cookies","cookiepolicy.button.deny":"Deny all","cookiepolicy.link":"Cookie settings","cookiepolicy.modal.title":"Cookie settings","cookiepolicy.modal.content":"We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.<\/a>","cookiepolicy.modal.level1":"Basic
Functional","cookiepolicy.modal.level2":"Normal
Functional + analytics","cookiepolicy.modal.level3":"Complete
Functional + analytics + social media + embedded videos"}}}">

金宝搏app官网下载
Baidu
map