Vulnerability detection tool credibility verification method and system

A vulnerability detection credibility technology, applied in the field of network security, addresses the problems of security test strategy loading errors, large human-factor influence, and limited test environments, achieving high verification efficiency, ensured accuracy, and small human-factor influence.

Pending Publication Date: 2022-01-04
QIAN JIN NETWORK INFORMATION TECH SHANGHAI LTD

AI Technical Summary

Problems solved by technology

[0003] First, the influence of human factors is large
Due to factors such as the working status of security engineers, their security knowledge reserves, and their understanding of the test items, it is impossible to ensure that the security testing strategy is well implemented and that the business functions to be tested are fully covered.
In addition, different businesses may adopt different development frameworks, such as native PHP mode, a self-written mode based on an MVC framework, a third-party framework mode, etc. Different development frameworks require different testing strategies, so security engineers need to load the corresponding test strategy; in actual operation, however, security engineers may overlook this, so that the wrong security test strategy is loaded and the detection is invalid.
[0004] Second, the effectiveness of detection tools needs to be improved
At present, the automated application risk scanners commonly used in the security testing process, such as Appscan and NSFOCUS Jiguang, can only cover some simple security risks based on the request-response model; they cannot cover security vulnerabilities such as permission flaws, nor vulnerabilities that require interaction, such as stored XSS.
[0005] Third, missed detection
Although the crawler of a traditional automated scanner can obtain most of the business function points, it cannot obtain highly interactive business function points and cannot effectively solve the missed detection of business functions.
[0006] Fourth, security testing experience and testing strategies cannot be shared
The testing experience and testing strategies of security engineers for historical projects can only be reused in the next test of the same project through the engineer's own records; they cannot be shared among different engineers, and it is impossible to know whether inspections have been missed, which ultimately makes the test period long and the results unreliable.
[0007] Fifth, the test environment is limited
Since Party A's security testing is usually performed on servers in the test environment, and such test servers have poor performance and can only support a small number of concurrent test requests, mainstream scanners on the market, which are based on massive numbers of simulated attack requests, cannot complete their work within a finite test period.
[0008] To sum up, the existing vulnerability detection modes, methods and systems still have a lot of room for improvement.


Embodiment Construction

[0028] In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are a part of the embodiments of the present invention, but not all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

[0029] In the following detailed description, reference is made to the accompanying drawings which are included in the specification and which illustrate specific embodiments of the application and which are included in this application. In the drawings, like reference numerals describe substantially similar components in different views. Va...


Abstract

The invention relates to a vulnerability detection tool credibility verification method and system. The method comprises the following steps: a function point test request is sent to a test target from a test-end browser; the manual detection tool intercepts the data packet of the test request, and a security engineer performs manual detection according to a vulnerability detection strategy to obtain a first detection result for the corresponding function point; the automatic detection tool obtains a mirrored copy of the same data packet and performs vulnerability detection on the function point corresponding to the mirrored packet according to a preset detection strategy to obtain a second detection result; the first detection result is compared with the second detection result; and the credibility of the automatic detection tool's vulnerability detection for that function point is determined according to the comparison result. With this method, the automatic vulnerability detection tool is verified against the manual detection result, a security engineer only needs to confirm findings when necessary, excessive manual participation is not needed, the influence of human factors is small, and the verification efficiency is high.
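The comparison step described in the abstract, written out as an added example that is not the patent's own code: per function point, the manual (first) result and the automated (second) result are set-compared, findings the tool missed lower its credibility, and findings only the tool reported are queued for engineer confirmation. The result format (a set of vulnerability classes per function point) and the credibility ratio are assumptions; the sample results are constructed.

```python
"""Compare a manual (first) detection result with an automated (second) one
per function point and derive a credibility score for the automated tool.
Data shapes and the scoring rule are assumptions, not the patent's own."""
from dataclasses import dataclass

# Constructed sample results keyed by function point (HTTP method + path);
# each value is the set of vulnerability classes found for that function point.
MANUAL_RESULTS = {
    "POST /login": {"sqli"},
    "POST /comment": {"stored_xss"},
    "GET /admin/users": {"broken_access"},
    "GET /search": set(),
}
AUTO_RESULTS = {
    "POST /login": {"sqli"},
    "POST /comment": set(),             # tool missed the interactive stored XSS
    "GET /admin/users": set(),          # tool missed the permission flaw
    "GET /search": {"reflected_xss"},   # not in the manual result: needs confirmation
}


@dataclass
class Comparison:
    function_point: str
    confirmed: set      # reported by both: counts toward credibility
    missed: set         # manual only: the tool missed it, lowers credibility
    unconfirmed: set    # automated only: an engineer must confirm before it counts


def compare_function_point(fp, manual, auto):
    return Comparison(fp, manual & auto, manual - auto, auto - manual)


def compare_results(manual_results, auto_results):
    """Compare every function point seen by either side (missing side = no findings)."""
    fps = sorted(set(manual_results) | set(auto_results))
    return [compare_function_point(fp, manual_results.get(fp, set()),
                                   auto_results.get(fp, set())) for fp in fps]


def credibility(comparisons):
    """Share of manually confirmed findings the automated tool also reported.
    Unconfirmed automated findings are left out until an engineer rules on them."""
    confirmed = sum(len(c.confirmed) for c in comparisons)
    missed = sum(len(c.missed) for c in comparisons)
    total = confirmed + missed
    return 1.0 if total == 0 else confirmed / total


def needs_confirmation(comparisons):
    """Function points whose automated findings have no manual counterpart."""
    return {c.function_point: c.unconfirmed for c in comparisons if c.unconfirmed}
```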

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a method and system for verifying the credibility of a vulnerability detection tool.

Background technique

[0002] In the information age, network information security is always the top priority for enterprises and individuals. Whether it is hardware, software or protocol, when there are defects or the system security strategy is insufficient, a loophole is formed, and an attacker can use the loophole to access or damage the system without authorization, causing the information system to be attacked by Trojan horses or worms, or controlled, and leading to data leakage, data tampering, deletion, etc., which brings immeasurable losses to individuals and enterprises. Especially some Internet companies, in order to ensure the normal operation of online business and protect the security of user information, usually employ security engineers to conduct security inspections on onlin...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57, G06F21/56, G06F16/955
CPC: G06F21/577, G06F21/563, G06F16/955, G06F2221/034
Inventor: 马弘煜张炎杨向勇
Owner: QIAN JIN NETWORK INFORMATION TECH SHANGHAI LTD