51Testing软件测试论坛

标题: A Primer in Software Security Testing (Part 2) [打印本页]

作者: skinapi    时间: 2006-5-13 18:24
标题: A Primer in Software Security Testing (Part 2)
链接请见:
http://www.logigear.com/newslett ... _testing_part-2.asp

In last month's newsletter, I introduced the notion of computer security, and explained how security testing is different from other types of software testing. This month, I'll explain what we want to secure, as well as where and how security is implemented.

What Are We Trying to Secure?

First and foremost, we are trying to secure the data stored within our applications and network resources. This can further be broken down into:

1、Data integrity: Ensuring that business transaction data is not altered or corrupted. If something has been changed or modified since it was created, verifying that the changes are legitimate.
2、Confidentiality: Ensuring unauthorized access to information will be denied.
3、User Data Privacy: Web sites and applications should have a privacy statement that defines how user information will be handled. User's private data should be protected from potential access and misuse.
4、Securing Intellectual Property: Ensuring that assets such as business intelligence, source code, and any data related to intellectual property are safeguarded.
5、Availability: Ensuring that data availability is as expected. A denial-of-service attack or natural disasters are examples of data availability threats.

A good security policy should also address the security of resources, including computing power and storage space. Hackers may attempt to use these resources for purposes such as hosting illegitimate download sites, or other resource-intensive activities.

Where and how do we secure it?

Today's applications and networks consist of many different hardware and software components. If the security of any of these components is compromised, it may affect the security of the rest of the network. Security policies can be broken down into the following areas:

1、Host-based: securing data at the individual computer level. These computers can be part of the private network such as a LAN behind the firewall, which are protected from outsiders; or they might be placed in a public network such as the Internet, which exposes them to un-trusted users.
2、Private network-based: securing data and resources at the private network level. Requiring a VPN connection to access resources is an example of this.
3、Perimeter-based: securing data and resources at the private network entrances. An example of perimeter-based protection is the use of a firewall.
4、Public network-based: securing the data transferred across a public network, like Internet Encryption technology is an example of safeguarding data from attackers on a public network.
5、Application-based: securing the applications from exposure to threats due to vulnerabilities in the applications. The common causes for these vulnerabilities are poor programming practices and software configuration errors. There are many common application-level security issues which can lead to security breaches, including buffer overflows and SQL injection.

In order to develop effective security policies and security testing, you must first understand the components that make up your network. Once you have this understanding, you must analyze the security risks of each component, and determine how that will affect your security policy and testing.

Next month's article will be the final part in this series, and will discuss who is responsible for security and security testing, and where you can find more resources on security testing.
作者: WUHA    时间: 2006-5-14 22:38
8错
作者: hayerk    时间: 2006-5-16 00:14
尝试翻译了一下:

软件保密性测试初探(2)

         在上个月的通讯稿中,我介绍了软件保密性的概念,并且解释了保密性测试与其他类型的软件测试有何不同。这个月,我将对保密的目标和实现方式进行介绍。

我们将对什么进行保密?
         首先,我们想对存储在我们的程序和网络资源中的数据进行保密,这可以细分为:
1。数据完整性:保证交易事务数据没有被修改或损坏。如果数据在产生之后被改变了,应该确认这些改变是合法的。
2.机密性:保证对信息的未授权访问会得到拒绝。
3.用户数据私密性:网站和程序应该有一个私密性声明,明确说明用户数据会得到怎样的处理。用户私密数据应该得到严格保护,以免被非法访问和误用。
4.知识产权:应该保证交易方式、源代码以及其他任意与知识产权有关的数据都得到保护。
5.可用性:保证达到期望的数据可用性。服务拒绝攻击或自然灾害是威胁数据可用性的例子。
一个好的保密性措施也应该说明保密性资源,包括计算能力和存储空间。黑客们可能试图使用这些资源来提供非法下载站点,或是其他对资源要求严格的活动。

何处进行保密?怎样进行保密?
        现今的应用程序和网络包含了大量不同的硬件和软件组件。如果任意这些组件的保密性受到威胁,那么网络其他部分的保密性都会受到影响。保密性措施能被分解为以下几个领域:
1.基于主机:在单台计算机这个层次对数据进行保密。这些计算机可能是私有网络(例如防火墙后的局域网)的一部分,也可能是公有网络(例如互连网)上的单台计算机。前者会受到保护以免被外界攻击,后者则是暴露在不可信用户面前。
2.基于私有网络:对私有网络中的数据和资源进行保密。为了访问资源需要一个VPN是一个例子。
3.基于公有网络:对公有网络中传输的数据进行保密,例如互连网密码技术是在公有网络上保护收据不受攻击的例子。
4.基于应用程序:保护应用程序不会因为程序本身的弱点而暴露在威胁之下。引起这些弱点的共同原因是编程太差和软件配置错误。有很多应用程序级别的普通保密问题会引起打破保密性,包括缓冲溢出和嵌入SQL。

        为了开发有效的保密性措施和保密性测试,你首先应该理解组成网络的各个部件。在你有了这种理解之后,你必须分析每个部件的保密性风险,并确定这种风险会怎样影响保密性措施和保密性测试。

        下个月的文章将会是本系列文章的最后一篇。在那篇文章中,我将讨论谁应该为保密性和保密性测试负责,以及你怎样才能找到更多关于保密性测试的资源。
作者: hayerk    时间: 2006-5-16 00:18
我觉得security翻译成保密性更合适一些,而安全性应为safty。

security应该更关注信息安全,而safty更关注系统失效引发的后果(例如飞机上的控制软件失效引起机毁人亡)。
作者: skinapi    时间: 2006-5-16 11:27
翻译的不错,加分鼓励了。
作者: hayerk    时间: 2006-5-16 22:13
谢谢斑竹鼓励
作者: donghuanzi    时间: 2006-5-18 15:36
标题: 不错。下次我也翻译一个。
等下一次了。
作者: 李逍遥    时间: 2006-6-12 18:20
不错!




欢迎光临 51Testing软件测试论坛 (http://bbs.51testing.com/) Powered by Discuz! X3.2