302 results about "Security testing" patented technology

Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security testing is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Dynamic security testing

A method and system for discovering and testing security assets is provided. Based on source definition data describing sources to monitor on the one or more computer networks, an example system scans the sources to identify security assets. The system analyses the security assets to identify characteristics of the server-based applications. The system stores database records describing the security assets and the identified characteristics. The system queries the database records to select, based at least on the identified characteristics, one or more target assets, from the security assets, on which to conduct one or more security tests. Responsive to selecting the one or more target assets, the system conducts the one or more security tests on the one or more target assets. The system identifies one or more security vulnerabilities at the one or more target assets based on the conducted one or more security tests.
Owner:NETFLIX

System and method for managing security testing

The subject matter relates generally to a system and method for managing security testing. Particularly, this invention relates to maintaining a security database by correlating multiple sources of vulnerability data and also to managing security testing from plural vendors. This invention also relates to providing secure session tracking by performing plural authentications of a user.
Owner:TEKMARK GLOBAL SOLUTIONS

Automatic penetration testing system and method for WEB system

The invention provides an automatic penetration testing system for a WEB system, comprising three layers: a GUI presentation layer that provides the interface for interacting with the user; a logic layer that acts as the control core, executing the system's scanning and confidence programs and associated functions; and a data layer that stores and maintains the various scan rules and the configuration information used during task execution. Based on a WEB scan task defined in the GUI layer, the system automatically carries out a penetration scan or a conventional scan of a WEB site, analyzes the scan results in combination with the relevant plug-ins, finds possible security problems of the WEB site, and then generates a detection report containing an aggregated risk list. The invention performs automatic security testing, can replace current manual security testing and penetration testing, greatly reduces the cost of software security testing in current software development, and also greatly increases the accuracy of security testing.
Owner:BEIJING UNIV OF POSTS & TELECOMM

Software application testing

An online marketplace for distributing software applications is established. From the online marketplace, devices are enabled to select respective ones of the software applications and initiate testing of the selected software applications in connection with testing tools operating in respective secure testing environments that shield the devices from potential adverse effects arising from testing the selected software applications. The testing tools generate testing data relating to one or more criteria for certifying the selected software applications. For each of one or more of the selected software applications, a determination is made whether or not to classify the software application as a certified software application based on an evaluation of the testing data generated during the testing of the software applications initiated by a plurality of the devices.
Owner:MICRO FOCUS LLC

Automated security threat testing of web pages

A method of security testing a web application is presented. The method identifies a web application to be tested, determines potential security vulnerabilities of the web application, generates one or more security tests for testing the potential vulnerabilities, and executes the security test on the web application. The results of the security testing are then used to make the web application less vulnerable to security attacks.
Owner:ORACLE INT CORP

Performing security analysis on a software application

A system and method for performing security analysis on a software application. In one embodiment, a method includes receiving application architecture information for a software application; and determining an application type based on the application architecture information. The method also includes performing one or more security tests on the software application based on the application type and the application architecture information; and approving the software application to be available in an online marketplace if the software application passes the one or more security tests.
Owner:SALESFORCE COM INC

Penetration testing method for GAP isolation and exchange device

The invention discloses a penetration testing method for a GAP isolation and exchange device. The method comprises the concrete steps that (a) policy configuration is tested, wherein according to the working principle, the function and the implementation mode of the tested device, applicable test cases are selected from a preset penetration testing rule base, and test environment parameters are configured; (b) a network attack session is generated, wherein an independent client program and an independent server program are established, hosts in networks at the two ends of the tested device are respectively simulated, afterwards, test plugins corresponding to the test cases are respectively called, and the test environment parameters configured in the step (a) are passed to the test plugins; the test plugins produce corresponding data packets in real time, the data packets are sent through a client or a server, and therefore the network attack session is generated; (c) test results are evaluated, wherein the test results of the test cases are evaluated according to the completion condition of the network attack session and the warning information of the tested device. By the application of the penetration testing method for the GAP isolation and exchange device, automated security testing for the GAP isolation and exchange device can be achieved.
Owner:中国人民解放军信息安全测评认证中心 +1

Website login brute force crack method and system capable of identifying verification code

The invention provides a website login brute force crack method and system capable of identifying a verification code. The method comprises the steps of 1, through static webpage analysis, extracting information required for website login; 2, through dynamic webpage analysis, intercepting a login data package submitted to a website server by a client browser; 3, reading a group of user names and passwords from a brute force crack dictionary; 4, obtaining a verification code picture; 5, identifying the obtained verification code picture; 6, filling corresponding parameters in the login data package intercepted in the step 2 with a verification code identification result as well as the user names and the passwords read in the step 3, and submitting the replaced login data package to the website server; and 7, analyzing a website server response, if it is prompted that the verification code is wrong, returning to the step 4; if it is prompted that the user name or the password is wrong, returning to the step 3; and if it is prompted that the login succeeds, recording the user name and the password by which the login succeeds. According to the method and system, a website with a verification code login function can be subjected to automated security testing.
Owner:STATE GRID CORP OF CHINA +2

Magnetic resonance system and method for comprehensive implantable device safety tests and patient safety monitoring

A magnetic resonance method comprises: performing (C1) a magnetic resonance procedure on a calibration subject including an implant device; detecting (C2) a pick-up coil (PUC) signal at least during a radio frequency transmit phase of operation (C1); performing (C3) three dimensional temperature mapping of the calibration subject using a magnetic resonance sequence configured to detect any temperature change induced in any part of the implant device by operation (C1); generating (C4) an unsafe condition criterion (30) for the detected PUC signal based on correlating a PUC signal characteristic detected by operation (C2) with a temperature change detected by operation (C3); performing (M5) the magnetic resonance procedure on a subject containing an implant device; detecting (M6) a PUC signal at least during a radio frequency transmit phase of operation (M5); and monitoring (M7) for an unsafe condition indicated by the PUC signal detected in operation (M6) satisfying the unsafe condition criterion (30).
Owner:KONINKLIJKE PHILIPS ELECTRONICS NV

Testing method for network isolation of cloud platform tenants

Active; CN107959689A; Confirm connectivity; Transmission; Network on; Network isolation
The invention discloses a testing method for network isolation of cloud platform tenants and belongs to the technical field of computer cloud security testing. The method comprises the following steps: establishing an expected cloud platform tenant network isolation matrix; acquiring basic information of all tenant networks on tenant control nodes and all computing nodes; acquiring layer-3-and-above isolation information for all tenant networks on the network nodes; acquiring layer-2 isolation information of tenant sub-networks on the network nodes and the computing nodes; acquiring network access information of the tenants and the tenant sub-networks on the computing nodes to generate an actual cloud platform tenant network isolation matrix Ma; and comparing the generated cloud platform tenant network isolation matrix Ma with the expected cloud platform tenant network isolation matrix. The isolation state of the tenant networks in the operating environment is acquired from the bottom layer of the cloud platform network, whether the isolation of the current cloud platform network is abnormal is detected in real time, a visual network isolation report is provided for a cloud auditor, and an accountability path is provided for possible security problems of network services of the cloud tenants.
Owner:BEIJING UNIV OF TECH

Security testing system oriented to mobile intelligent terminal IPv6 protocol and application of protocol

The invention provides a security testing system oriented to the mobile intelligent terminal IPv6 protocol and application of the protocol. The security testing system comprises an attacking end and mobile terminal simulation equipment, wherein the attacking end and the mobile terminal simulation equipment are connected through a mobile internet heterogeneous network based on the IPv6 protocol, and the attacking end is used for scanning ports of the mobile terminal simulation equipment; reading the IPv6 address of the mobile terminal simulation equipment, and receiving an NS message sent by the mobile terminal simulation equipment for performing man-in-the-middle attack testing on the mobile terminal simulation equipment; counterfeiting a server response terminal request packet and distributing disguised IP for performing DHCPv6 attack testing on the mobile terminal simulation equipment; counterfeiting a network packet, and adopting a multi-cast address to enlarge the flow rate for performing DoS attack testing on the mobile terminal simulation equipment; outputting a security testing result according to the man-in-the-middle attack testing, the DHCPv6 attack testing and the DoS attack testing. The security testing system can be used for performing security testing on the mobile intelligent terminal IPv6 protocol and the application of the protocol under the environment of the mobile internet hybrid heterogeneous network based on the IPv6 protocol.
Owner:FIFTH ELECTRONICS RES INST OF MINIST OF IND & INFORMATION TECH

Information security offense and defense drill competition system for power industry

Inactive; CN105282170A; Improve vulnerability mining capabilities; Excellent information security attack and defense competition platform; Transmission; Product testing; Attack
The invention discloses an information security offense and defense drill competition system for the power industry, comprising an experimental platform, an experimental environment customization module and an application scenario customization module. The experimental platform is used for implementing offense and defense drill competition, being connected with the experimental environment customization module and the application scenario customization module, building attacks and carrying out security test, and includes a knowledge base management module, an online learning module and an offense and defense competition module. The experimental environment customization module is used for customizing a comprehensive drill scenario, analyzing malicious codes, and carrying out Intranet penetration and hole mining. The application scenario customization module is used for power information security training, information security offense and defense scenario drilling, industrialized depth customizing, security product testing, security technology researching and security assessment testing. According to the invention, the information security independent control capability, the safety monitoring capability, the notification and warning capability, the emergency disposal capability and the whole-process management control capability of companies can be improved.
Owner:ELECTRIC POWER RESEARCH INSTITUTE OF STATE GRID SHANDONG ELECTRIC POWER COMPANY +1

Network and data security testing with mobile devices

The present invention provides a network and data security testing app for mobile devices such as an Apple iPad, which is connected to the Internet via a wireless network. The app downloads and stores one or more network security or data loss test cases from a centralized server, which are then executed on the mobile device. For example, a test case attempts to access predetermined web pages through the wireless network and then determines whether access was granted. In another example, a test case attempts to transmit sensitive data through the network. Results of the test case are displayed on the mobile device and uploaded to the centralized server. The network and data security testing app also identifies whether access was granted to web pages hosting botnets, malicious web exploits, malicious web obfuscation, malicious iframe redirection, and malware files.
Owner:FORCEPOINT LLC

Continuous Delivery and Automated Testing Integration Software Quality Assurance Approach

The invention discloses a software quality assurance method integrating continuous delivery and automated testing. The method lets users individually customize a software quality detection pipeline composed of source code configuration, static code scanning, continuous construction, continuous deployment, functional testing, performance testing, compatibility testing and dynamic security testing. By using the software quality assurance system, testers do not need to build a complex continuous integration and testing environment, and can quickly implement automated testing of each dimension of a project, or predefine a software quality inspection pipeline for automated testing. The system provides the overall test results of the entire project, which greatly improves test efficiency and reduces the complexity of test configuration.
Owner:JIANGSU ELECTRIC POWER INFORMATION TECH +1

Securing webpages, webapps and applications

A method for securing a webpage or a webapp processed by a browser executing on a client system, the method comprising the browser executing an instance of white-box protected code, wherein execution of the instance of white-box protected code causes the client system to: generate a message comprising message data for use by a control system to perform one or more security tests, the control system communicably connected to the client system via a network; send the message to the control system to enable the control system to perform the one or more security tests using the message data; receive a response from the control system based, at least in part, on the message; and process the response.
Owner:IRDETO ACCESS

Software security testing system and method based on dynamic taint propagation

The invention discloses a software security testing system and method based on dynamic taint propagation. The system comprises a taint source marking module (108) used for generating a taint source marking rule, a detector module (110) used for generating a detection rule, a self-correction code module (104) used for dynamically tracing each binary command of software to be tested by using a self-correction code technology, an RING3 virtual machine module (106) used for analyzing each binary command of the software to be tested by using an RING3 virtual machine and analyzing the flowing direction of the data carried by the command so as to realize taint propagation, as well as calling the taint source marking rule to mark a taint source and calling the detection rule to detect each binary command of the software to be tested, and a log module (112) used for outputting related information violating the detection rule. The software security testing system and method provided by the invention can be used for improving the detection rate of software and reducing false alarm rate and missed alarm rate.
Owner:阿里巴巴华北技术有限公司

Security testing method and device for protocol implementation

The embodiment of the invention provides a security testing method for protocol implementation, and comprises: mapping a protocol specification on which the protocol implementation is based to a first protocol state model; forming a second protocol state model by introducing an illegal state that corresponds to security failure into the first protocol state model; characterizing the testing purposes of the first protocol state model and the second protocol state model by utilizing an assertion; generating a mutated protocol state model by carrying out a mutative operation on the second protocol state model; performing a model test on the mutated protocol state model according to the assertion to generate a testing suite obtained from mapping a counter-example in the mutated protocol state model that violates the assertion; and carrying out a fuzzing test on the protocol implementation by a testing suite to test security holes in protocol implementation. The invented embodiment further provides a corresponding testing device. According to the invented embodiment, efficient and low-cost protocol security test is realized.
Owner:SIEMENS AG

Rule-based JavaScript security testing method

Active; CN106055980A; Reduce missed detection rate; Improve efficiency in detecting security issues; Platform integrity maintenance; Web site; Dynamic instrumentation
The invention discloses a rule-based JavaScript security testing method. A program analysis method combining static analysis and dynamic analysis is used to test the JavaScript code in a website for security problems and to report the findings; the security problems covered are violations of JavaScript coding standards and malicious cross-site scripting attack code. The method comprises the steps of dynamically finding JavaScript coding standard violations by means of the DLint tool; then testing the branched parts of the source code by means of ESLint, an open-source static coding standard checking tool; then using static analysis to filter out pages in the source code that may contain malicious cross-site scripting attack code, according to JavaScript page characteristics and a preset threshold; and then performing dynamic instrumentation on the filtered pages for taint analysis by means of the Jalangi framework, thereby determining whether a filtered page contains a cross-site scripting attack. The rule-based JavaScript security testing method effectively improves testing efficiency for coding standards and malicious code while reducing the miss rate.
Owner:NANJING UNIV OF POSTS & TELECOMM

Auto-remediation workflow for computer security testing

Techniques for performing auto-remediation on computer system vulnerabilities in source code are disclosed herein. An application source code representation is scanned to determine any security vulnerabilities and from those vulnerabilities, a set of security patch rules are generated that may be used to automatically remediate the vulnerabilities. One or more of the security patch rules is selected for verification and, once verified may be used to generate a security patch. The security patch may then be automatically applied to the source code representation to produce a patched representation of the application source code with the vulnerability at least partly remediated.
Owner:SYNOPSYS INC

Lightweight method and system for determining protocol vulnerabilities in embedded system firmware

The invention discloses a lightweight method and a system for determining protocol vulnerabilities in an embedded system firmware. The method comprises the following steps: constructing a feature vector by analyzing a protocol and parsing code feature; using the constructed feature vector and a training set to train a support vector machine SVM, determining a protocol parsing code classifier model for identifying a protocol parsing module; using the trained protocol parsing code classifier model to identify the protocol parsing module in the firmware image code of a target system; for the identified protocol parsing module, using a dangerous code feature library to quickly scan the suspected vulnerable points of the protocol parsing module; extracting the data source paths of the vulnerable points on the basis of constructing a control flow graph, a control dependency graph, and a data dependency graph; and constructing a multi-type vulnerability mode based on a vulnerable-point-based data source path, and determining protocol vulnerabilities in the embedded system firmware by pattern matching. The lightweight method and the system for determining protocol vulnerabilities in the embedded system firmware can provide a technical support for network protocol security, Internet of Things / Industrial Control System security, and security testing.
Owner:CHINA ELECTRIC POWER RES INST +2

Security protection performance evaluation method applicable to power wireless private network base stations

The invention discloses a security protection performance evaluation method applicable to power wireless private network base stations. The method comprises the steps of establishing a base station security protection performance evaluation system which comprises a terminal, a plurality of base stations, a switch, a security encryption gateway, a core network, a network management server, a network management client and a security access platform; performing a base station remote or local malicious control security test and checking device remote connection condition, manager information, user lists and sensitive operation records; performing a base station physical security protection security test, testing whether a plurality of terminals with the same USIM card are connected with the same base station or not, and testing whether the terminals access each other or not; performing an illegal base station interference test; and performing a pseudo base station attack test and testing whether the terminals are hijacked by a pseudo base station or not. According to the method, the information security threat for the base stations can be reduced, and the base station security protection control capability can be improved.
Owner:STATE GRID JIANGSU ELECTRIC POWER CO ELECTRIC POWER RES INST +2

Categorization of host security levels based on functionality implemented inside secure hardware

A system for rating the security level of a device according to the characteristics of functions executing within secure hardware components in the device. The security level of a host is placed in a digital certificate along with a corresponding private key at the time of manufacture of a device. The digital certificate can be provided to an inquiring device so that more comprehensive system-wide security levels can be communicated and maintained. When a network uses ticket-based key management protocols, the security rating, or level, is transferred from the certificate to an issued ticket. Inquiring devices can then check security levels of target devices by using certificates or tickets and perform transfers or grant authorizations accordingly. In a preferred embodiment a security ratings system uses six levels of security. The levels are structured according to characteristics of a device's processing. That is, the levels provide information on the amount and type of sensitive processing that can occur in non-secure (or low security) circuitry or components within a device. This gives a better indication of how prone a device is to threats that may be of particular concern in content delivery networks. Additional qualifiers can be optionally used to provide further information about a security level. For example, the degree of handling time management processing within secure hardware and whether a particular codec, watermarks or fingerprints are supported within secure hardware can each be represented by a policy qualifier.
Owner:GENERAL INSTR CORP

Industrial control security testing system, and industrial control system

The invention discloses an industrial control security testing system, and an industrial control system. The industrial control security testing system comprises a port status scanning module, a testing case recommending module, and a fuzzy testing engine module, wherein the port status scanning module is used for scanning and acquiring a port status of equipment to be tested, which is used as a port status scanning result; the testing case recommending module is used for searching a preset testing case library for a testing case of a service protocol type matched with the port status scanning result when a port is in an open status according to the port status scanning result; and the fuzzy testing engine module is used for generating testing data according to the testing case obtained through the searching, carrying out variation of the testing data, and sending data obtained through the variation to the equipment to be tested for unknown security vulnerability mining. Therefore, the industrial control security testing system and the industrial control system provided by the invention have the advantages that security testing can be efficiently and automatically completed, so that a user can conveniently and efficiently carry out testing case selection and testing, automatic testing is achieved, and the error rate is extremely low.
Owner:ELECTRIC POWER RES INST OF STATE GRID ZHEJIANG ELECTRIC POWER COMPANY +2

Barcode information processing method, device and system

The invention provides a barcode information processing method, device and system. The method comprises the following steps of receiving URL (Uniform Resource Locator) information of a target object obtained when a client identifies barcode information and sent by the client running at a terminal through a processing device; according to the URL information, using a security testing tool to carry out the security testing of the target object to obtain security testing results, so that the processing device can send the security testing results to the client. After obtaining the URL information of the target object, the client sends the URL information to the processing device running at the same terminal to carry out the security testing without executing corresponding operations directly according to the URL information, so that the security of barcode information processing is improved.
Owner:BAIDU ONLINE NETWORK TECH (BEIJING) CO LTD

Circuit security testable design method capable of detecting inactive hardware Trojan horse and detecting method of hardware Trojan horse

The invention relates to a circuit security testable design method capable of detecting an inactive hardware Trojan horse and a detecting method for the hardware Trojan horse. Firstly, the design and the verification of the original circuit are completed. Secondly, a security testing mode is added to the circuit, in which the clock frequency is much lower than the working frequency of the circuit, and the corresponding synthesis, placement and routing, timing analysis and design work is finished. During chip testing, the security testing mode is used: by running on a security testing clock whose frequency is much lower than that of the functional clock, the dynamic power consumption of the whole circuit is lowered, so that the static power consumption of an idle hardware Trojan horse makes up a larger proportion of the whole circuit's power consumption, and a hardware Trojan horse in sleep mode can be detected.
Owner:58TH RES INST OF CETC

Security testing method and system

The invention relates to the technical field of information security, and provides a security testing method and a security testing system. The security testing method comprises the following steps: establishing a soft fault simulation platform; based on the soft fault simulation platform and with the combination of fault injection attack of an encryption algorithm, screening a register with fault sensitivity; inserting the screened register into a scanning chain, simulating fault injection attack in a testing mode, and comparing the testing result with a pre-stored reference value to determine the security property of a circuit. The security testing method and the security testing system are applicable to in-batch testing on crypto chips, and the security property of the crypto chips can be effectively improved.
Owner:南方电网互联网服务有限公司