See link:
http://www.logigear.com/newslett ... _testing_part-1.asp
A Primer in Software Security Testing (Part 1)
Hung Nguyen, CEO, President and Founder, LogiGear Corporation
In the past few years, software security and software security testing have become some of the hottest topics in software development. Large companies including Microsoft and government institutions have invested huge sums of time and money to improve the security of their software, with mixed results.
Software security is a responsibility that crosses department lines. At a minimum, your development, testing, and IT staff should all be considering security as they build, test, and deploy applications for your company. This article, the first in a series, will introduce the key concepts of software security, and then highlight some important considerations when it comes to software security testing.
What is Computer Security?
Computer security is the combination of protective measures taken to ensure the safety of the data and resources of both the owners and the users of computer systems. It involves both keeping private information safe and preventing loss of resources.
When it comes to computer security risks, we tend to think of rogue hackers operating independently and breaking into corporate networks to steal data. While computer security is concerned with these 'active' attacks from external sources, it also must address internal abuse and inadvertent loss of information.
While the threat of an attack from a hacker who is looking to steal data or wreak havoc is very real, it is equally real that a company is likely to face risk from a failure to enforce restrictions on access to data based on the authorization level of the user. For example, not all internal employees need access to the same data. Giving everyone in the Human Resources department complete access to all employees' health information is a security risk. In this case the application must provide varying access to the data based on the privileges (security authorization) of the user, and it must also authenticate the user to verify their identity within the computer system. Therefore, in testing for software security, you should also look into dimensions such as design, policy, configuration, and error detection and handling.
How is Security Testing Different from Other Types of Software Testing?
As opposed to more conventional testing methods such as functional testing, the objective of software security testing is to expose the system's security defense failures by seeking out and showing its vulnerabilities, rather than to prove that a feature or a defensive mechanism works correctly.
Security testing requires:
1. Software testing knowledge
2. Platform knowledge
3. Application domain knowledge
4. Computer security knowledge
5. Programming skills
Security testing is focused on attack-based testing and exploratory testing, rather than the more traditional focus on functionality and requirements-based testing. It is focused on active, negative tests rather than passive, positive tests: instead of confirming that the software does what it was designed to do, you concentrate on exploiting vulnerabilities of the system, stepping outside the designer's assumptions so that you can make the software do what it was not designed to do.
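As an added example that is not part of the article, the following Python shows what the difference between positive and negative testing looks like in code. It covers both the role- and scope-based access control to HR health data discussed under "What is Computer Security?" and the attack-based, negative tests described here. Everything in it is constructed: the users, passwords, roles and employee records are hypothetical sample data, and `read_field_naive` is a deliberately under-checked "before" version written to show what a purely positive test suite fails to notice.

```python
"""Added example, not from the LogiGear article: a toy HR records service
with authentication and least-privilege authorization, exercised by
positive (functional) and negative (security) tests.  All users,
passwords, roles and records below are constructed sample data."""
import hashlib
import hmac
import secrets


def _hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = {"alice": secrets.token_bytes(16), "bob": secrets.token_bytes(16)}
USERS = {
    # benefits staff may read health data, but only for assigned employees
    "alice": {"role": "benefits", "assigned": {"emp-1", "emp-2"},
              "pw": _hash_pw("alice-pass", _SALT["alice"])},
    # payroll staff may read salary data and never health data
    "bob": {"role": "payroll", "assigned": set(),
            "pw": _hash_pw("bob-pass", _SALT["bob"])},
}
RECORDS = {
    "emp-1": {"salary": 70000, "health": "plan A"},
    "emp-2": {"salary": 82000, "health": "plan B"},
    "emp-3": {"salary": 65000, "health": "plan C"},
}
# Which roles may read which field.  A field not listed here is denied to
# everyone: the policy is default-deny.
FIELD_ROLES = {"health": {"benefits"}, "salary": {"payroll"}}
_SESSIONS = {}  # session token -> username


def login(username, password):
    """Authenticate the user; return an opaque session token or None."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw"], _hash_pw(password, _SALT[username])):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username
    return token


def read_field(token, emp_id, field):
    """Hardened reader: authentication, role check, then scope check.
    Every path that is not explicitly allowed raises PermissionError."""
    username = _SESSIONS.get(token)
    if username is None:
        raise PermissionError("not authenticated")
    user = USERS[username]
    if user["role"] not in FIELD_ROLES.get(field, set()):
        raise PermissionError(f"role {user['role']} may not read {field}")
    if field == "health" and emp_id not in user["assigned"]:
        raise PermissionError("employee is not assigned to this user")
    if emp_id not in RECORDS:
        raise PermissionError("unknown employee")
    return RECORDS[emp_id][field]


def read_field_naive(token, emp_id, field):
    """Constructed 'before' version: authenticates, then trusts any
    logged-in HR user with any field of any record.  It passes every
    positive test below and fails most of the negative ones."""
    if _SESSIONS.get(token) is None:
        raise PermissionError("not authenticated")
    return RECORDS[emp_id][field]


def run_tests(reader):
    """Run one suite against a reader function.  Returns a dict of
    test name -> passed, so the two readers can be compared."""
    alice = login("alice", "alice-pass")
    bob = login("bob", "bob-pass")

    def denied(fn):
        try:
            fn()
        except PermissionError:
            return True
        except Exception:
            return False  # crashed instead of refusing cleanly: a failure
        return False      # returned data it should not have

    return {
        # positive tests: the feature works for the users it was built for
        "benefits_reads_assigned_health": reader(alice, "emp-1", "health") == "plan A",
        "payroll_reads_salary": reader(bob, "emp-3", "salary") == 65000,
        # negative tests: try to make it do what it was not designed to do
        "bad_password_rejected": login("alice", "wrong") is None,
        "forged_token_rejected": denied(lambda: reader("not-a-token", "emp-1", "health")),
        "unassigned_health_denied": denied(lambda: reader(alice, "emp-3", "health")),
        "payroll_health_denied": denied(lambda: reader(bob, "emp-1", "health")),
        "benefits_salary_denied": denied(lambda: reader(alice, "emp-1", "salary")),
        "unlisted_field_denied": denied(lambda: reader(alice, "emp-1", "__class__")),
        "unknown_employee_denied": denied(lambda: reader(bob, "emp-9", "salary")),
    }


if __name__ == "__main__":
    for name, fn in (("hardened", read_field), ("naive", read_field_naive)):
        print(name)
        for test, ok in run_tests(fn).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {test}")
```

The two positive tests are what a requirements-based suite would contain, and both readers pass them. Only the negative tests, which exercise the wrong role, the right role outside its assigned scope, a forged token, and a field the designer never listed, separate the default-deny reader from the naive one.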
From the perspective of a tester, security testing can be one of the most fun and rewarding parts of the job. You no longer have to justify to others that the success of your work is measured by how effective you are in breaking things. You get a free license to do so!
The second part of this article will appear next month, and will highlight what aspects of your software and computer network must be tested for security purposes.