299 results about "Security testing" patented technology

The subject matter relates generally to a system and method for managing security testing. Particularly, this invention relates to maintaining a security database by correlating multiple sources of vulnerability data and also to managing security testing from plural vendors. This invention also relates to providing secure session tracking by performing plural authentications of a user.

The subject matter relates generally to a system and method for managing security testing. Particularly, this invention relates to maintaining a security database by correlating multiple sources of vulnerability data and also to managing security testing from plural vendors. This invention also relates to providing secure session tracking by performing plural authentications of a user.

A method of security testing a web application is presented. The method identifies a web application to be tested, determines potential security vulnerabilities of the web application, generates one or more security tests for testing the potential vulnerabilities, and executes the security test on the web application. The results of the security testing are then used to make the web application less vulnerable to security attacks.

The present disclosure relates to methods for correlating security vulnerability assessment data from a network vulnerability assessment, a static application security test (SAST) assessment and/or a zero day vulnerability metadata source.

The invention discloses a penetration testing method for a GAP isolation and exchange device. The method comprises the concrete steps that (a) policy configuration is tested, wherein according to the working principle, the function and the implementation mode of the tested device, applicable test cases are selected from a preset penetration testing rule base, and test environment parameters are configured; (b) a network attack session is generated, wherein an independent client program and an independent server program are established, hosts in networks at the two ends of the tested device are respectively simulated, afterwards, test plugins corresponding to the test cases are respectively called, and the test environment parameters configured in the step (a) are passed to the test plugins; the test plugins produce corresponding data packets in real time, the data packets are sent through a client or a server, and therefore the network attack session is generated; (c) test results are evaluated, wherein the test results of the test cases are evaluated according to the completion condition of the network attack session and the warning information of the tested device. By the application of the penetration testing method for the GAP isolation and exchange device, automated security testing for the GAP isolation and exchange device can be achieved.

The invention provides a website login brute force crack method and system capable of identifying a verification code. The method comprises the steps of 1, through static webpage analysis, extracting information required for website login; 2, through dynamic webpage analysis, intercepting a login data package submitted to a website server by a client browser; 3, reading a group of user names and passwords from a brute force crack dictionary; 4, obtaining a verification code picture; 5, identifying the obtained verification code picture; 6, filling corresponding parameters in the login data package intercepted in the step 2 with a verification code identification result as well as the user names and the passwords read in the step 3, and submitting the replaced login data package to the website server; and 7, analyzing a website server response, if it is prompted that the verification code is wrong, returning to the step 4; if it is prompted that the user name or the password is wrong, returning to the step 3; and if it is prompted that the login succeeds, recording the user name and the password by which the login succeeds. According to the method and system, a website with a verification code login function can be subjected to automated security testing.

A magnetic resonance method comprises: performing (C1) a magnetic resonance procedure on a calibration subject including an implant device; detecting (C2) a pick-up coil (PUC) signal at least during a radio frequency transmit phase of operation (C1); performing (C3) three dimensional temperature mapping of the calibration subject using a magnetic resonance sequence configured to detect any temperature change induced in any part of the implant device by operation (C1); generating (C4) an unsafe condition criterion (30) for the detected PUC signal based on correlating a PUC signal characteristic detected by operation (C2) with a temperature change detected by operation (C3); performing (M5) the magnetic resonance procedure on a subject containing an implant device; detecting (M6) a PUC signal at least during a radio frequency transmit phase of operation (M5); and monitoring (M7) for an unsafe condition indicated by the PUC signal detected in operation (M6) satisfying the unsafe condition criterion (30).

The invention discloses a testing method for network isolation of cloud platform tenants and belongs to the technical field of computer cloud security testing. The method comprises the following steps: establishing an expectant cloud platform tenant network isolation matrix; acquiring basic information of all tenant networks on tenant control nodes and all computing nodes; acquiring isolation information of networks with three layers or above of all tenant networks on the network nodes; acquiring second-layer isolation information of tenant sub-networks on the network nodes and the computing nodes; acquiring network access information of the tenants and the tenant sub-networks on the computing nodes to generate an actual cloud platform tenant network isolation matrix Ma; comparing the generated cloud platform tenant network isolation matrix Ma with the expectant cloud platform tenant network isolation matrix. The isolating conditions of the tenant networks in the operation environmentare acquired from a bottom layer of the cloud platform network, whether the isolation of the current cloud platform network is abnormal or not is detected in real time, a visual network isolation report is provided for a cloud auditor, and an accountability path is provided for possible security problems of network services of the cloud tenants.

The invention provides a security testing system oriented to the mobile intelligent terminal IPv6 protocol and application of the protocol. The security testing system comprises an attacking end and mobile terminal simulation equipment, wherein the attacking end and the mobile terminal simulation equipment are connected through a mobile internet heterogeneous network based on the IPv6 protocol, and the attacking end is used for scanning ports of the mobile terminal simulation equipment; reading the IPv6 address of the mobile terminal simulation equipment, and receiving an NS message sent by the mobile terminal simulation equipment for performing man-in-the-middle attack testing on the mobile terminal simulation equipment; counterfeiting a server response terminal request packet and distributing disguised IP for performing DHCPv6 attack testing on the mobile terminal simulation equipment; counterfeiting a network packet, and adopting a multi-cast address to enlarge the flow rate for performing DoS attack testing on the mobile terminal simulation equipment; outputting a security testing result according to the man-in-the-middle attack testing, the DHCPv6 attack testing and the DoS attack testing. The security testing system can be used for performing security testing on the mobile intelligent terminal IPv6 protocol and the application of the protocol under the environment of the mobile internet hybrid heterogeneous network based on the IPv6 protocol.

The invention discloses a software quality assurance method integrating continuous delivery and automated test, The method provides users with the function of individually customizing the software quality detection pipeline, which is composed of source code configuration, static code scanning, continuous construction, continuous deployment, functional testing, performance testing, compatibility testing and dynamic security testing. By using the software quality assurance system, Testers do not need to build a complex continuous integration and testing environment, and can quickly implement automated testing of each dimension of a project, or predefine a software quality inspection pipeline for automated testing, and provide the overall test results of the entire project, which greatly improves the test efficiency and reduces the complexity of test configuration.

The invention discloses a software security testing system and method based on dynamic taint propagation. The system comprises a taint source marking module (108) used for generating a taint source marking rule, a detector module (110) used for generating a detection rule, a self-correction code module (104) used for dynamically tracing each binary command of software to be tested by using a self-correction code technology, an RING3 virtual machine module (106) used for analyzing each binary command of the software to be tested by using an RING3 virtual machine and analyzing the flowing direction of the data carried by the command so as to realize taint propagation, as well as calling the taint source marking rule to mark a taint source and calling the detection rule to detect each binary command of the software to be tested, and a log module (112) used for outputting related information violating the detection rule. The software security testing system and method provided by the invention can be used for improving the detection rate of software and reducing false alarm rate and missed alarm rate.

The embodiment of the invention provides a security testing method for protocol implementation, and comprises: mapping a protocol specification on which the protocol implementation is based to a first protocol state model; forming a second protocol state model by introducing an illegal state that corresponds to security failure into the first protocol state model; characterizing the testing purposes of the first protocol state model and the second protocol state model by utilizing an assertion; generating a mutated protocol state model by carrying out a mutative operation on the second protocol state model; performing a model test on the mutated protocol state model according to the assertion to generate a testing suite obtained from mapping a counter-example in the mutated protocol state model that violates the assertion; and carrying out a fuzzing test on the protocol implementation by a testing suite to test security holes in protocol implementation. The invented embodiment further provides a corresponding testing device. According to the invented embodiment, efficient and low-cost protocol security test is realized.

The invention discloses a rule-based JavaScript security testing method. A program analysis method in which static analysis and dynamic analysis are combined is utilized for testing the security problem of a JavaScript code in a website and performing feedback, thereby finding out the security problems which comprise JavaScript coding standardization un-qualification and over-site script attack malicious codes. The method comprises the steps of dynamically finding out a JavaScript coding standardization un-qualification problem by means of a DLint tool, then testing the branched parts of a source code by means of an open-source static code standardization testing tool ESLint; then filtering a page which may contain over-site script attack malicious codes in the source code according to JavaScript page characteristics and a preset threshold according to a static analysis method; and then performing dynamic Instrumentation on the filtered page for performing strain analysis by means of a Jalangi frame, thereby determining whether the filtered page contains an over-site script attack. The rule-based JavaScript security testing method effectively improves testing efficiency for code standardization and malicious codes based on miss rate reduction.

Techniques for performing auto-remediation on computer system vulnerabilities in source code are disclosed herein. An application source code representation is scanned to determine any security vulnerabilities and from those vulnerabilities, a set of security patch rules are generated that may be used to automatically remediate the vulnerabilities. One or more of the security patch rules is selected for verification and, once verified may be used to generate a security patch. The security patch may then be automatically applied to the source code representation to produce a patched representation of the application source code with the vulnerability at least partly remediated.

The invention discloses a security protection performance evaluation method applicable to power wireless private network base stations. The method comprises the steps of establishing a base station security protection performance evaluation system which comprises a terminal, a plurality of base stations, a switch, a security encryption gateway, a core network, a network management server, a network management client and a security access platform; performing a base station remote or local malicious control security test and checking device remote connection condition, manager information, user lists and sensitive operation records; performing a base station physical security protection security test, testing whether a plurality of terminals with the same USIM card are connected with the same base station or not, and testing whether the terminals access each other or not; performing an illegal base station interference test; and performing a pseudo base station attack test and testing whether the terminals are hijacked by a pseudo base station or not. According to the method, the information security threat for the base stations can be reduced, and the base station security protection control capability can be improved.

A system for rating security levels a device according to the characteristics of functions executing within secure hardware components in the device. The security level of a host is placed in a digital certificate along with a corresponding private key at the time of manufacture of a device. The digital certificate can be provided to an inquiring device so that more comprehensive system-wide security levels can be communicated and maintained. When a network uses ticket-based key management protocols, the security rating, or level, is transferred from the certificate to an issued ticket. Inquiring devices can then check security levels of target devices by using certificates or tickets and perform transfers or grant authorizations accordingly. In a preferred embodiment a security ratings system uses six levels of security. The levels are structured according to characteristics of a device's processing. That is, the levels provide information on the amount and type of sensitive processing that can occur in non-secure (or low security) circuitry or components within a device. This gives a better indication of how prone a device is to threats that may be of particular concern in content delivery networks. Additional qualifiers can be optionally used to provide further information about a security level. For example, the degree of handling time management processing within secure hardware and whether a particular codec, watermarks or fingerprints are supported within secure hardware can each be represented by a policy qualifier.

The invention provides a barcode information processing method, device and system. The method comprises the following steps of receiving URL (Uniform Resource Locator) information of a target object obtained when a client identifies barcode information and sent by the client running at a terminal through a processing device; according to the URL information, using a security testing tool to carry out the security testing of the target object to obtain security testing results, so that the processing device can send the security testing results to the client. After obtaining the URL information of the target object, the client sends the URL information to the processing device running at the same terminal to carry out the security testing without executing corresponding operations directly according to the URL information, so that the security of barcode information processing is improved.

The invention relates to a circuit security testable design method capable of detecting an inactive hardware Trojan horse and a detecting method for the hardware Trojan horse. Firstly, the design and the verification on an original circuit are completed. Secondly, a security testing mode is added for the circuit, the clock frequency under the security testing mode is great less than the working frequency of the circuit, and work such as corresponding compositing, locating and wiring, timing sequence analyzing and designing is finished. In the chip testing process, the security testing mode is in use, and by means of a security testing clock with the using frequency which is great less than a functional clock, the dynamic power consumption during whole circuit running is lowered, so that the proportion of the static power consumption of the hardware Trojan horse in an idle state on the whole circuit power consumption is increased, and detecting on the hardware Trojan horse which is in a sleep mode is achieved.

The invention provides an application security testing method, device and system. The method includes the steps that a Hook program is installed on a terminal device, and a calling function to be monitored is configured on the Hook program; when an application runs, the Hook program runs; in the running process of the application, when a calling function matched with the configured calling function is monitored through the Hook program, calling information of the calling function is recorded, wherein the calling information includes input parameters and/or return values; when all controls in the application are traversed, whether information matched with configured matching parameters exits in the recorded calling information of the calling function or not is determined, if yes, it is determined that security flaws exist in the application, and if not, it is determined that the application is secure. By means of the technical scheme, the security testing accuracy of the application can be improved.

The invention discloses an automated testing method, device and system for a task. The method comprises the following steps: acquiring application information of a task to be detected in a task database, and acquiring an installation package of the task to be detected by using the application information; acquiring a test machine which satisfies a testing condition in a test cluster, and obtaining a simulator which is not occupied on the test machine which satisfies the testing condition; transmitting the installation package of the task to be detected to the simulator which is not occupied on the test machine which satisfies the testing condition; after starting an application program of the task to be detected, transmitting security testing data to the application program running in the simulator; and monitoring an output result after the application program of the task to be detected receives the security testing data, and acquiring a security testing result of the task to be detected. The automated testing method, the device and the system for the task provided by the invention solve the technical problem that the safety monitoring efficiency is low since the application program safety monitoring cannot be finished automatically by the application program and the application program does not support multitask detection in the prior art.