Software Security Defect Discovery System

Abstract

The invention discloses a software safety defect discovery system. The invention can carry out static analysis, behavior monitoring, fuzzy test and penetration test on the software to be tested, the test mode is perfect, the security defect of the software can be found more perfectly and accurately, and the detection speed is improved. The present invention first performs static analysis, stores the security defect data obtained by it into the defect database according to the set database format, and then uses the behavior monitoring module, the fuzzy testing module and the penetration testing module to respectively detect the security defects obtained by the static analysis module, At the same time, the software under test is also routinely detected, and the system call sequence, fuzzy test case or penetration test case name that causes abnormal system behavior or security problems is stored in the defect database. The invention can realize a complete and powerful defect detection process, the detection process is automatic, and can reduce the use difficulty of security defect testers.

Description

technical field [0001] The invention relates to the technical field of software safety testing, in particular to a software safety defect discovery system. Background technique [0002] At present, there are many kinds of software security defect detection technologies and scattered. The main detection methods are static analysis, behavior monitoring, fuzz testing and penetration testing. However, the above four types of detection methods have completely different detection methods for software. For example, using static analysis to detect software security flaws is usually aimed at the source code of the software, and there are also some tools that can decompile executable files of Java and .NET programs for static analysis. The current static analysis security defect detection tools are all aimed at some mainstream programming languages, and different programming languages ​​have their corresponding static analysis tools. For example, there are CppCheck and Antic for C / C+...

AI Technical Summary

Problems solved by technology

This has resulted in a high learning cost for software security defect detection. For a large-scale project with mixed languages, it is necessary to be proficient in various testing tools to achieve a relatively complete security defect detection. During software development, there is little testing for security flaws

[0007] Secondly, the defect reports generated by existing defect detection tools are difficult to understand and have inconsistent formats. Even if a relatively complete security defect detection is carried out on a software project, it will be very difficult to read all kinds of reports quickly and easily, and Due to the scattered defect reports, it is not convenient to have an overall understanding of software security defects

[0008] Thirdly, current defect detection usually only provides detection and viewing functions, and defect reports still need to be written by hand, which is time-consuming and laborious

[0009] There are very few existing relatively complete security defect discovery systems. At present, although "Software Security Vulnerability Detection Device and Method" (Chinese invention patent application, publication number: CN 102541729A, publication date 2012.7.4) provides fuzzy testing and penetration testing. Defect detection function, and it is equipped with corresponding defect management function to view defects. However, in terms of detecting software security in actual application, the detection results obtained by one or two detection methods are relatively one-sided, which is not enough to reflect the overall security status of the software. The detection results still not perfect

Images