GB/T 39412-2020: Information security technology. Audit specification of code security
Status: Valid
Basic data
Standard ID: GB/T 39412-2020 (GB/T39412-2020)
Description (translated English): Information security technology. Audit specification of code security
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word count estimation: 41,447
Date of issue: 2020-11-19
Date of implementation: 2021-06-01
Quoted standards: GB/T 15272-1994; GB/T 25069; GB/T 35273-2020
Regulation (derived from): National Standard Announcement No. 26 of 2020
Issuing agencies: State Administration for Market Regulation; China National Standardization Administration
Summary: This standard specifies the code security audit process and typical audit indicators, covering security function defects, code implementation security defects, resource use security defects and environmental security defects, together with the corresponding verification methods. This standard is applicable to guiding code security audit work.

GB/T 39412-2020: Information security technology. Audit specification of code security (partial translation)
Information security technology - Audit specification of code security
ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology - Code security audit specification
Issued 2020-11-19; implemented 2021-06-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Table of contents
Foreword
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Audit overview
4.1 Audit description
4.2 Audit purpose
4.3 Timing of audit
4.4 Auditor
4.5 Audit method
5 Audit process
5.1 Overall process
5.2 Audit preparation
5.3 Audit implementation
5.4 Audit report
5.5 Improvement tracking
6 Security function defect audit
6.1 Data sanitization
6.2 Data encryption and protection
6.3 Access control
6.4 Log security
7 Code implementation security defect audit
7.1 Object-oriented program security
7.2 Concurrent program security
7.3 Function call security
7.4 Exception handling security
7.5 Pointer security
7.6 Code generation security
8 Resource use security defect audit
8.1 Resource management
8.2 Memory management
8.3 Database usage
8.4 File management
8.5 Network transmission
9 Environmental security defect audit
9.1 Legacy debugging code
9.2 Third-party software security and reliability
9.3 Protection of important configuration information
Appendix A (informative) Code security audit report
Appendix B (informative) Code examples
References

Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed by, and is under the administration of, the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: National Engineering Research Center for Information Security Common Technology; Institute of Information Engineering, Chinese Academy of Sciences; National Security Division Technology Evaluation Center; Beijing Information Security Evaluation Center; China Information Security Evaluation Center; China Electronics Standardization Institute; Ministry of Public Security Research Institute; National Computer Network Emergency Technology Coordination Center.
Main drafters of this standard: Wang Yanjie, Hu Jianxun, Xu Genwei, Gao Zhenpeng, Yi Pengda, Xiao Shugen, Kang Rui, Huo Wei, Park Aihua, Li Feng, He Jianbo, Liu Guole, Liu Haifeng, Zhao Zhangjie, Li Chenyang, Wang Jiajie, Xin Wei, Sun Yan, Sun Yongqing, Guo Yunyao, Wang Bo, Wu Qian.

Information security technology - Code security audit specification

1 Scope
This standard specifies the code security audit process and typical audit indicators, covering security function defects, code implementation security defects, resource use security defects and environmental security defects, together with the corresponding verification methods.
This standard is applicable to guiding code security audit work.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 15272-1994 Programming language C
GB/T 25069 Information security technology - Terminology
GB/T 35273-2020 Information security technology - Personal information security specification

3 Terms, definitions and abbreviations
3.1 Terms and definitions
The terms and definitions given in GB/T 15272-1994, GB/T 25069 and GB/T 35273-2020, together with the following, apply to this document.
3.1.1 Code security audit
Security analysis performed on code in order to find security defects in the code, or actions that violate code security specifications.
3.1.2 Security defect
A problem or error in the code that undermines the security capability of the software.
3.1.3 Cross-site scripting
An attacker inserts malicious HTML code into a web page; when a user browses the page, the HTML code embedded in the page is executed in the user's browser, achieving the attacker's purpose.
3.1.4 Buffer overflow
Writing content that exceeds a buffer's length into the program's buffer, thereby corrupting the program stack and causing the program to execute other instructions, so as to gain control of the program or the system.
3.1.5 Deadlock
A blocking condition that arises during execution when two or more processes compete for resources or wait on communication with each other.
......
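Term 3.1.4 describes the mechanism a code security auditor looks for in C code: a write into a fixed-length buffer with no check against the buffer's length. The C program below is an added illustration written for this page; it is not code from GB/T 39412-2020 or from its Appendix B, and the function names, the 16-byte buffer size and the sample strings are assumptions chosen for the example. It places the unbounded strcpy pattern beside a bounded replacement that refuses oversized input rather than silently truncating it, and a small helper expressing the fits-in-buffer check an auditor would verify at each call site.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* hypothetical fixed-size buffer; an audit would flag copies into it */

/* The pattern of 3.1.4: unbounded strcpy into a fixed-size stack buffer.
 * Any input longer than NAME_BUF - 1 characters writes past the end of
 * `name` and corrupts adjacent stack data. Shown as the "before" of an
 * audit finding; it is only ever called here with input that fits, because
 * overflowing it is undefined behaviour. */
void vulnerable_copy(const char *src)
{
    char name[NAME_BUF];
    strcpy(name, src);            /* no length check: audit finding */
    printf("hello, %s\n", name);
}

/* Audit helper: does an input of input_len characters (excluding the
 * terminating NUL) fit in a buffer of buf_size bytes? Returns 1 if so. */
int input_fits(size_t buf_size, size_t input_len)
{
    return buf_size > 0 && input_len < buf_size;
}

/* Hardened form. The bound is explicit at the call site, so an auditor can
 * verify it, and oversized input is rejected instead of being truncated
 * (truncation would hide the defect and can corrupt the data's meaning).
 * Returns 0 on success, -1 if src does not fit dst including its NUL. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Scan for the terminator without reading past dst_size bytes of src,
     * so an unterminated input cannot itself cause an over-read. */
    for (n = 0; n < dst_size; n++) {
        if (src[n] == '\0')
            break;
    }
    if (!input_fits(dst_size, n))
        return -1;                /* n == dst_size: no room for the NUL */
    memcpy(dst, src, n + 1);      /* n + 1 <= dst_size by the check above */
    return 0;
}

int main(void)
{
    char dst[NAME_BUF];
    /* constructed sample inputs: one fits, one would overflow NAME_BUF */
    const char *ok = "auditor";
    const char *too_long = "this string is longer than sixteen bytes";

    vulnerable_copy(ok);
    printf("bounded_copy(ok)       = %d\n", bounded_copy(dst, sizeof dst, ok));
    printf("bounded_copy(too_long) = %d\n", bounded_copy(dst, sizeof dst, too_long));
    return 0;
}
```

The check is deliberately written as "length must be strictly less than buffer size" so that the terminating NUL is always accounted for; off-by-one errors at exactly that boundary are the most common way a bounded copy still ends up overflowing.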