Basic data: Standard ID JR/T 0191-2020 (JR/T0191-2020); Description (translated English): Guide for securities and futures industry software testing - Software security testing; Sector / Industry: Finance Industry Standard (Recommended); Classification of Chinese Standard: A11; Word count estimation: 21,212; Date of issue: 2020-07-10; Date of implementation: 2020-07-10; Regulation (derived from): CSRC Announcement (2020) No. 40; Issuing agency: People's Bank of China
Guide for securities and futures industry software testing - Software security testing
ICS 03.060
A11
JR
Financial Industry Standard of the People's Republic of China
Software Testing Guide for Securities and Futures Industry Software Security Testing
Issued 2020-07-10
Implemented 2020-07-10
Issued by the China Securities Regulatory Commission
Table of contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Software security test content and process
5 Software security testing technology
6 Basic testing methods for software security testing
7 Specific test methods for mobile application security testing
Appendix A (Informative) Software security test templates
A.1 Software security test plan
A.2 Software security test cases
A.3 Software security test report
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the Securities Technical Committee of the National Financial Standardization Technical Committee (SAC/TC180/SC4).
This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC180).
Drafting organizations of this standard: Information Center of the China Securities Regulatory Commission, Dalian Commodity Exchange, Securities and Futures Industry Information Technology Testing Center (Dalian), China Securities Information Technology Service Co., Ltd., Shanghai Stock Exchange, Shenzhen Stock Exchange, Shanghai Futures Exchange, China Financial Futures Exchange, Guotai Junan Securities Co., Ltd., Hang Seng Electronics Co., Ltd., Beijing Bangbang Security Technology Co., Ltd.
Main drafters of this standard: Yao Qian, Liu Tiebin, Zhou Yunhui, Xu Qiang, Li Xiangdong, Yu Feng, Liu Jun, Sun Ruichao, Liu Jin, Ding Xinjie, Dong Lin, Xiao Yu, Gao Xinyuan, Gao Fengyuan, Li Tingting, Sha Ming, Xie Ran, Lin Lin, Chen Dongyan, Yang Shuo, Liu Shuqi.
Software Testing Guide for Securities and Futures Industry Software Security Testing
1 Scope
This standard specifies the objectives and process of software security testing, software security testing techniques, basic testing methods for software security testing, and specific testing methods for mobile application security testing.
This standard applies to the market core institutions of the securities and futures industry (hereinafter referred to as core institutions), securities, futures and fund management institutions (hereinafter referred to as operating institutions) and securities and futures information technology service institutions (hereinafter referred to as service institutions), as guidance for the security testing of computer software and external information systems.
Note 1: Core institutions include securities and futures exchanges, securities registration and settlement institutions, futures market monitoring centres, etc.
Note 2: Operating institutions include securities companies, futures companies, fund companies, etc.
Note 3: Service institutions include software developers, information providers and service providers.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the cited edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 20271-2006 Information security technology - General security technical requirements for information systems
GB/T 25069-2010 Information security technology - Terminology
JR/T 0060-2010 Basic requirements for security classified protection of information systems in the securities and futures industry (trial)
JR/T 0067-2011 Evaluation requirements for security classified protection of information systems in the securities and futures industry (trial)
JR/T 0146-2016 (all parts) Guidelines for information system audit in the securities and futures industry
JR/T 0175-2019 Software testing specification for the securities and futures industry
3 Terms and definitions
The terms and definitions given in GB/T 25069-2010 and the following apply to this document.
3.1
Software security testing
The process, over the life cycle of an information system software product, of examining the software product to verify that it meets its security requirements and the quality standards for software products.
3.2
Penetration testing
A means of discovering security problems in an information system by using unauthorized actions to bypass the security mechanisms of a system and checking the security functions of the data processing system.
[GB/T 25069-2010, definition 2.3.87]
3.3
Fuzz testing
A technique for discovering software vulnerabilities by providing unexpected input to the target system and monitoring for abnormal results.
3.4
Sensitive information
Information that, once leaked or modified, would affect the information subject it identifies.
Note: Sensitive information in the securities and futures industry includes the customer's name, detailed address, contact telephone number, ID number, bank and account number, as well as members' trading status, members' position volumes, members' available funds, etc.
3.5
Mobile internet application
Application software that is obtained and run on mobile smart terminals by pre-installation, downloading, etc., to provide users with information services.
4 Software security test content and process
4.1 Test content
Software security testing covers the following:
a) confirming that the security features of the software are consistent with the intended design;
b) detecting potential vulnerabilities and risks in the software;
c) verifying that the software product continues to run correctly under malicious attack, and that it can only be used within its authorized scope.
4.2 Test process
4.2.1 System analysis
Evaluate the system under test and, from the perspectives of physical architecture and logical architecture, analyse its components, network topology, system configuration, security defence measures and other information.
a) Physical architecture: derive the physical architecture from the components used in the system, including databases, control components, front-end libraries and communication, in order to understand the structure of the system;
b) Logical architecture: derive the logical architecture from the business logic of the system, in order to understand the data flows inside the system.
4.2.2 Threat analysis
Based on the results of the system analysis, select an appropriate threat model and analyse the main security threats facing the system. Risk analysis should comply with GB/T 20271-2006. For example, the common data-flow-based threat analysis model STRIDE has six dimensions (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege); it is usually combined with data flow diagrams (DFD): the system is decomposed into components on the DFD, and each component is then shown not to be exposed to the threats that apply to it.
After system analysis and threat analysis are complete, a security test plan should be produced. The plan includes the physical and logical architecture from the system analysis stage, the data flow diagrams from the threat analysis stage, the technical plan, the implementation plan, etc. The report format may follow the template (see Figure A.1 in Appendix A).
4.2.3 Develop test cases
Write test cases based on the results of the threat analysis. For each decomposed data flow diagram, and for each element in it, map the element to the threats that apply to it and write a test case for each. Test cases may follow the template (see Figure A.2 in Appendix A).
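The threat analysis of 4.2.2 and the case derivation of 4.2.3 can be mechanised. The Python below is an added example and is not part of this standard: it models a small data flow diagram (a trading client, an order gateway and an order database, all constructed for illustration), applies the standard STRIDE-per-element table to every element, marks flows that cross a trust boundary, and emits one test case per element and applicable threat together with the clause 5 technique assumed to suit it. The zone names, the DFD contents and the threat-to-technique mapping are assumptions.

```python
"""STRIDE threat analysis over a small data flow diagram (DFD), producing
per-element test cases in the manner of 4.2.2 and 4.2.3.

Added example, not part of JR/T 0191-2020. The DFD (trading client, order
gateway, order store and the flows between them), the zone names and the
threat-to-technique table are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which threat classes apply to each kind of DFD element.
THREATS_PER_ELEMENT: Dict[str, str] = {
    "external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID",
}

# Assumed mapping from threat class to the clause 5 technique a tester would reach for.
TECHNIQUE: Dict[str, str] = {
    "S": "penetration testing (5.4)",
    "T": "fuzzing (5.5) / penetration testing (5.4)",
    "R": "security function check (5.1)",
    "I": "code security test (5.2) / vulnerability scanning (5.3)",
    "D": "fuzzing (5.5)",
    "E": "penetration testing (5.4)",
}


@dataclass(frozen=True)
class Node:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone the node lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class TestCase:
    case_id: str
    element: str
    threat: str
    technique: str
    crosses_boundary: bool


def generate_test_cases(nodes: List[Node], flows: List[Flow]) -> List[TestCase]:
    """Decompose the DFD into elements and emit one case per (element, applicable threat)."""
    zone_of = {n.name: n.zone for n in nodes}
    elements: List[Tuple[str, str, bool]] = [(n.name, n.kind, False) for n in nodes]
    for f in flows:
        # A flow whose endpoints sit in different zones crosses a trust boundary.
        elements.append((f.name, "flow", zone_of[f.src] != zone_of[f.dst]))
    cases: List[TestCase] = []
    for name, kind, crosses in elements:
        for letter in THREATS_PER_ELEMENT[kind]:
            cases.append(TestCase(
                case_id=f"TC-{len(cases) + 1:03d}", element=name,
                threat=STRIDE[letter], technique=TECHNIQUE[letter],
                crosses_boundary=crosses))
    # Boundary-crossing flows first: that is where attacker-controlled data enters.
    cases.sort(key=lambda c: (not c.crosses_boundary, c.case_id))
    return cases


# Constructed DFD: a client on the internet talks to an order gateway in the
# data centre, which writes to an order database in the same zone.
NODES = [
    Node("Trading client", "external", "internet"),
    Node("Order gateway", "process", "datacenter"),
    Node("Order DB", "store", "datacenter"),
]
FLOWS = [
    Flow("client->gateway (order request)", "Trading client", "Order gateway"),
    Flow("gateway->db (order insert)", "Order gateway", "Order DB"),
]

if __name__ == "__main__":
    for tc in generate_test_cases(NODES, FLOWS):
        scope = "boundary" if tc.crosses_boundary else "internal"
        print(f"{tc.case_id} [{scope}] {tc.element}: {tc.threat} -> {tc.technique}")
```

The resulting list is the raw material for the A.2 template; each row still needs the concrete steps and expected result a tester writes by hand.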
4.2.4 Test execution
Test execution includes automated tool execution and manual execution. Various automated or manual test tools are required in this process. A screenshot of the corresponding operation is required for the test process of each test case. If the application source code can be obtained, a source code security audit may be conducted.
4.2.5 Report output
The output documents of each stage of the software security testing process include the basic content listed in Table 1, which may be appropriately tailored to actual needs; see Appendix A for the specific templates.
5 Software security testing technology
5.1 Security function check
Manually inspect and audit the security policies, schedules and technical decisions (such as the development model) involved in the software development process, as a check of the security functions.
The inspection covers documents, code security policies, security requirements, architecture security, etc.; the inspection methods include manual document analysis, interviews, etc. See JR/T 0175-2019 for the related requirements of security testing.
5.2 Code security test
Locate vulnerable code through security scanning and auditing of the software source code.
The test is divided into static detection and dynamic detection; it has wide coverage and high efficiency. Static detection is based on authoritative software security specifications such as the Open Web Application Security Project (OWASP), the Common Weakness Enumeration (CWE) and the Payment Card Industry Data Security Standard (PCI DSS), and can find serious coding errors such as uninitialized variables, out-of-bounds array access, buffer overflows, floating-point comparisons and division by zero, as well as other coding standard issues. Dynamic detection means running the program under test and detecting the security issues that only appear at run time, such as memory overflows, resource leaks and abnormal processes or threads.
5.3 Vulnerability scanning
Detect security vulnerabilities in systems and applications by automated scanning.
This technique analyses the security state of the target system by automated tool scanning and detection against a vulnerability database or signature database, and can detect exploitable vulnerabilities. It can locate the exact position of a vulnerability and has wide coverage, but because automated tools in many cases only indicate the possibility of a vulnerability, manual analysis and judgment of the results are required.
5.4 Penetration testing
Black-box testing from the attacker's perspective to obtain a subjective evaluation of the security of the application system.
The test uses unauthorized actions, mainly simulating the various attack methods of hackers, to bypass the security mechanisms of a system and carry out attack tests on computers or networks, in order to check the security functions of the system, find security problems or risks, or reproduce an attack scenario. The findings of penetration testing are usually real, exploitable and serious.
5.5 Fuzzing
Test the robustness of the application and its security against unexpected input by providing unexpected input to the target system.
The test mainly provides unexpected input to the system under test and monitors the system for abnormal behaviour or failure. It makes full use of the machine's capacity by executing in an automated or semi-automated way; its principle is simple, and fuzzing tools suited to one's own system are easy to develop.
Fuzzing may be carried out with or without a tool depending on the actual scenario. When a tool is used, the process is as follows:
a) the test tool generates a large amount of mutated data in a random or semi-random manner;
b) the test tool sends the generated mutated data to the system under test through its inputs;
c) the test tool detects and monitors the state of the system under test (such as whether it still responds and whether the response is correct);
d) the test tool judges, from the state of the system under test, whether a potential security vulnerability exists, and records abnormal logs.
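Steps a) to d) above, written out in code. The Python below is an added example and is not part of this standard or of any fuzzing tool: `parse_order` is a constructed toy parser for a "|"-separated order message, deliberately written with the robustness defects a fuzzer should find (it signals intended rejection only through its own `RejectedInput` exception), and the harness mutates a seed message, feeds each mutant to the parser, treats every other exception as a defect, and records one distinct triggering input per defect type. The message format, the mutation strategies and the seed are assumptions.

```python
"""Mutation-based fuzzing harness following the four steps of 5.5: generate
mutated data, send it to the system under test, monitor the outcome, and
judge and record anomalies.

Added example, not part of JR/T 0191-2020. The target parse_order is a
constructed toy parser containing deliberate robustness bugs; the message
format, seed and mutation strategies are assumptions for this illustration.
"""
import random
from collections import defaultdict
from typing import Callable, Dict, List


class RejectedInput(Exception):
    """Raised by the parser for input it deliberately refuses (the graceful path)."""


def parse_order(msg: bytes) -> dict:
    """System under test (constructed). Valid form: b'ORD|<symbol>|<qty>|<price>|<lot>'.
    Every exception other than RejectedInput is an unhandled failure."""
    fields = msg.decode("utf-8").split("|")            # bug: UnicodeDecodeError on non-UTF-8 bytes
    if fields[0] != "ORD":
        raise RejectedInput("not an order message")
    symbol = fields[1]                                  # bug: IndexError when fields are missing
    qty, price, lot = int(fields[2]), int(fields[3]), int(fields[4])   # bug: ValueError on non-digits
    if qty <= 0 or price <= 0:
        raise RejectedInput("qty and price must be positive")
    return {"symbol": symbol, "lots": qty // lot, "notional": qty * price}  # bug: ZeroDivisionError


# Step a): mutation strategies. Each takes the seed and an RNG and returns a mutant.
def flip_bit(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]


def insert_byte(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data) + 1)
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]


def drop_field(data: bytes, rng: random.Random) -> bytes:
    fields = data.split(b"|")
    del fields[rng.randrange(len(fields))]
    return b"|".join(fields)


def zero_field(data: bytes, rng: random.Random) -> bytes:
    fields = data.split(b"|")
    fields[rng.randrange(len(fields))] = b"0"
    return b"|".join(fields)


def grow_field(data: bytes, rng: random.Random) -> bytes:
    fields = data.split(b"|")
    i = rng.randrange(len(fields))
    fields[i] = fields[i] * 64
    return b"|".join(fields)


MUTATORS = [flip_bit, insert_byte, drop_field, zero_field, grow_field]


def fuzz(target: Callable[[bytes], object], seed_input: bytes,
         iterations: int = 1000, rng_seed: int = 7) -> Dict[str, List[bytes]]:
    """Steps b) to d): deliver each mutant, observe the outcome, and keep anything that
    is neither a clean result nor a deliberate rejection. Returns defect type -> inputs."""
    rng = random.Random(rng_seed)                       # fixed seed: reproducible findings
    findings: Dict[str, List[bytes]] = defaultdict(list)
    for _ in range(iterations):
        mutant = rng.choice(MUTATORS)(seed_input, rng)
        try:
            target(mutant)
        except RejectedInput:
            continue                                    # graceful rejection is the expected outcome
        except Exception as exc:                        # anything else is a robustness defect
            kind = type(exc).__name__
            if mutant not in findings[kind]:
                findings[kind].append(mutant)           # keep each distinct trigger as evidence
    return dict(findings)


SEED = b"ORD|IF2012|10|4000|5"   # constructed valid seed message

if __name__ == "__main__":
    for kind, inputs in fuzz(parse_order, SEED).items():
        print(f"{kind}: {len(inputs)} distinct inputs, e.g. {inputs[0]!r}")
```

Against a real system under test the target is a process or network endpoint rather than a function, so step c) must also include a liveness check (does the service still answer a known-good request after each mutant), which the in-process call above gets for free.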
5.6 Selection of software security testing technology
Software testers may choose the corresponding software security testing technology according to the type of institution, the deployment environment and the system category; see Table 2 to Table 8. The classification of institutions follows JR/T 0146-2016 (all parts).
6.1.3 Results judgment
If the test content of 6.1.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.2 Password security
6.2.1 Test objectives
The application uses a strong password policy and limits the number of failed login attempts; once the specified number is exceeded, the user is locked out or frozen.
6.2.2 Test content
Testing content includes:
a) the server checks password complexity and prompts for it securely;
b) the password input box does not display the password in plain text;
c) the server limits the number of failed login attempts for a user;
d) the credential used by the server-side password-recovery function is sufficiently complex and unguessable, and the function cannot be accessed without authorization;
e) the server gives a uniform prompt on login failure.
6.2.3 Results judgment
If the test content of 6.2.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.3 Access security
6.3.1 Test objectives
The application has user permissions configured so that unauthorized access (including horizontal and vertical privilege escalation) cannot occur.
6.3.2 Test content
If the security level of the system is equal to or higher than level 3, or the system design document explicitly specifies access control functions, the test content includes:
a) the server has a permission configuration function and a permission checking mechanism;
b) the server enforces access control on sensitive data;
c) the server authorizes every request URL, rather than relying only on hiding menus or disabling buttons on the client;
d) user authentication uses multi-factor authentication, so that unauthorized operations cannot be performed by modifying the user identity credential (UID).
6.3.3 Results judgment
If the test content of 6.3.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.4 Session management security
6.4.1 Test objectives
After a user logs in and remains idle for a given period, the application detects the user session and automatically terminates the timed-out session.
6.4.2 Test content
Testing content includes:
a) session information is securely encrypted;
b) after the user logs in, identity information is no longer submitted by the client; the identity information saved in the server-side session prevails;
c) the application provides a logout function, and session information is cleared on logout;
d) the session ID is changed after every successful login;
e) user operations are verified with a token to prevent cross-site request forgery (CSRF).
6.4.3 Results judgment
If the test content of 6.4.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
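The behaviour items b) to e) and the idle timeout of 6.4.1 describe, as one server-side session manager. The Python below is an added example and is not part of this standard: a fresh random ID is issued on every login and any ID the client presented before login is discarded, identity is read only from the server-side record, idle sessions are terminated on their next use, logout removes the record, and a per-session CSRF token is compared in constant time. The timeout value, the cookie name and the in-memory store are assumptions; a deployment would back the store with a shared, persistent service.

```python
"""Server-side session management covering 6.4.2 b) to e) and the idle
timeout of 6.4.1.

Added example, not part of JR/T 0191-2020. The timeout, cookie name and
in-memory store are assumptions made for this illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed idle limit


@dataclass
class SessionRecord:
    user_id: str
    csrf_token: str
    last_seen: float


class SessionManager:
    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._now = now                      # injectable clock so the timeout can be tested
        self._store: Dict[str, SessionRecord] = {}

    def login(self, user_id: str, presented_session_id: Optional[str] = None) -> str:
        """On successful authentication, discard whatever session ID the client presented
        (defeats session fixation) and issue a fresh random one (6.4.2 d))."""
        if presented_session_id is not None:
            self._store.pop(presented_session_id, None)
        session_id = secrets.token_urlsafe(32)
        self._store[session_id] = SessionRecord(
            user_id=user_id, csrf_token=secrets.token_urlsafe(32), last_seen=self._now())
        return session_id

    def current_user(self, session_id: str) -> Optional[str]:
        """Identity comes from the server-side record only (6.4.2 b)). A session idle for
        longer than IDLE_TIMEOUT_SECONDS is terminated on its next use (6.4.1)."""
        record = self._store.get(session_id)
        if record is None:
            return None
        now = self._now()
        if now - record.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._store[session_id]
            return None
        record.last_seen = now
        return record.user_id

    def csrf_token(self, session_id: str) -> Optional[str]:
        record = self._store.get(session_id)
        return record.csrf_token if record else None

    def check_csrf(self, session_id: str, submitted_token: Optional[str]) -> bool:
        """Constant-time comparison of the token sent with a state-changing request
        against the one bound to the session (6.4.2 e))."""
        record = self._store.get(session_id)
        if record is None or submitted_token is None:
            return False
        return hmac.compare_digest(record.csrf_token.encode(), submitted_token.encode())

    def logout(self, session_id: str) -> None:
        self._store.pop(session_id, None)    # 6.4.2 c): nothing of the session survives


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session ID: sent only over TLS, unreadable by script,
    and withheld from cross-site requests."""
    return f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

A tester exercises this by logging in twice with the same pre-login cookie, replaying the old ID, waiting past the idle limit, and submitting a state-changing request with a missing or foreign CSRF token; every one of those must be refused.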
6.5 Communication security
6.5.1 Test objectives
The application uses a secure communication protocol and an encrypted transmission mechanism for the data it transmits.
6.5.2 Test content
If the security level of the system is equal to or higher than level 3, or the system design document explicitly specifies communication security requirements, the test content includes:
a) the application uses a secure communication protocol, such as SSL/TLS or IPsec;
b) the application encrypts and protects communication data;
c) the application checks the integrity of communication data;
d) the application performs security verification of the communication digital certificate.
6.5.3 Results judgment
If the test content of 6.5.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
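Items a) and d) are most often failed not by the protocol choice but by the client's TLS configuration: verification switched off to silence a certificate error. The Python below is an added example and is not part of this standard: it audits a client `ssl.SSLContext` for the three settings a tester checks (certificate required, host name matched, version floor at TLS 1.2) and builds a weak and a hardened context side by side. It uses only the standard `ssl` module and opens no connection.

```python
"""Checking a TLS client configuration against 6.5.2 a) and d).

Added example, not part of JR/T 0191-2020; standard-library only, and it
performs no network I/O.
"""
import ssl
from typing import List


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a tester would report for this context (empty means pass)."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required or not verified (6.5.2 d)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name (6.5.2 d)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted (6.5.2 a)")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """What 'just make the certificate error go away' code does: it accepts any
    certificate for any name, so an active attacker can terminate the connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Default context: CERT_REQUIRED, host name checking, system trust store;
    the version floor is pinned explicitly so it does not depend on the interpreter version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("weak:", audit_client_context(weak_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
```

In a black-box test the same three properties are checked from outside by presenting a self-signed certificate, a valid certificate for a different name, and a server limited to TLS 1.0; a compliant client must abort all three handshakes.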
6.6 Business logic security
6.6.1 Test objectives
Users can only run the application according to its predetermined rules, so that business systems are protected from business security threats.
6.6.2 Test content
Testing content includes:
a) application business data cannot be tampered with;
b) the application's business logic workflow cannot be broken or bypassed;
c) the application does not allow users to upload files of types other than those permitted by the business logic;
d) calls to the application's business interfaces are sufficiently secure.
6.6.3 Results judgment
If the test content of 6.6.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.7 Input data security
6.7.1 Test objectives
All user input to the application is validated, and all input is legal and of the expected type and form.
6.7.2 Test content
If the security level of the system is equal to or higher than level 3, or the system design document explicitly specifies input data security requirements, the test content includes:
a) the application has no SQL injection vulnerability;
b) the application has no cross-site scripting (XSS) vulnerability;
d) the application has no command execution vulnerability;
e) the application has no file inclusion vulnerability;
f) the application has no HTTP code injection vulnerability;
g) the application has a special character filtering mechanism.
6.7.3 Results judgment
If the test content of 6.7.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
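Item a) in concrete form. The Python below is an added example and is not part of this standard: the same customer lookup is written once by string formatting and once with a bound parameter, and both are run against an in-memory SQLite table so that a tautology payload (which returns every row) and a UNION payload (which reads the schema out of `sqlite_master`) can be observed offline. The table, its rows and the payloads are constructed for illustration; a special-character filter (item g)) is a secondary defence, since parameterisation alone already makes the query structure fixed.

```python
"""SQL injection (6.7.2 a)): string-built query beside the parameterised one.

Added example, not part of JR/T 0191-2020. The customers table, its rows and
the payloads are constructed for illustration.
"""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two customers with (made-up) ID numbers, i.e. sensitive
    information in the sense of 3.4."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, id_number TEXT)")
    conn.executemany("INSERT INTO customers (name, id_number) VALUES (?, ?)",
                     [("alice", "110101199001010001"), ("bob", "310101198502020002")])
    conn.commit()
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Anti-pattern: user input spliced into the statement text, so it can change the query."""
    sql = f"SELECT name, id_number FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_customer_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened: the value is bound as data; whatever it contains is compared, not parsed."""
    return conn.execute("SELECT name, id_number FROM customers WHERE name = ?", (name,)).fetchall()


# Constructed payloads a tester would submit in the name field.
TAUTOLOGY = "x' OR '1'='1"                                  # returns every customer
SCHEMA_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"   # leaks the table definitions


if __name__ == "__main__":
    db = build_db()
    for payload in (TAUTOLOGY, SCHEMA_DUMP):
        print("vulnerable:", find_customer_vulnerable(db, payload))
        print("parameterized:", find_customer_parameterized(db, payload))
```

The tester's evidence for item a) is the pair of responses: the vulnerable endpoint returns rows that the supplied name could never have matched, while the parameterised one returns nothing.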
6.8 Stored data security
6.8.1 Test objectives
The client program encrypts and protects the sensitive data stored on the client.
6.8.2 Test content
Testing content includes:
a) the client encrypts and protects locally stored data (including digital certificate files);
b) the client verifies the integrity of locally stored data;
c) the client does not store sensitive information such as user authentication credentials locally.
6.8.3 Results judgment
If the test content of 6.8.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.9 Prompt information security
6.9.1 Test objectives
When processing a login, the server does not return precise and detailed information about authentication errors.
6.9.2 Test content
The server obfuscates the prompt information returned for erroneous client requests.
6.9.3 Results judgment
If the test content of 6.9.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
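Items a), c) and e) of 6.2.2 and the obfuscated prompt of 6.9 belong to the same login handler. The Python below is an added example and is not part of this standard: the password policy is enforced on the server, a failure counter locks the account after a fixed number of consecutive failures, and every failure (unknown user, wrong password, locked account) returns the same message and takes the same password-hashing cost path, so the response neither confirms that a username exists nor reveals why the attempt failed. The complexity rules, the five-failure limit, the lock duration and the PBKDF2 parameters are assumptions.

```python
"""Login handling for 6.2.2 a), c) and e) and the uniform failure prompt of 6.9.

Added example, not part of JR/T 0191-2020. Policy thresholds, lock duration
and hashing parameters are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

MAX_FAILURES = 5                 # assumed: lock after the fifth consecutive failure
LOCK_SECONDS = 15 * 60           # assumed lock duration
GENERIC_FAILURE = "Incorrect username or password"
PBKDF2_ITERATIONS = 100_000      # assumed work factor


@dataclass(frozen=True)
class LoginResult:
    ok: bool
    message: str


def check_password_policy(password: str) -> Tuple[bool, str]:
    """Server-side complexity check (6.2.2 a)); the client-side check is only a convenience."""
    if len(password) < 10:
        return False, "at least 10 characters"
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        return False, "use at least three of: lower case, upper case, digits, symbols"
    return True, "ok"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class LoginService:
    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._now = now
        self._users: Dict[str, Tuple[bytes, bytes]] = {}      # user -> (salt, hash)
        self._failures: Dict[str, Tuple[int, float]] = {}     # user -> (count, locked_until)
        # Dummy credential so unknown users cost the same as real ones (no timing oracle).
        self._dummy = (secrets.token_bytes(16), _hash(secrets.token_urlsafe(16), b"x"))

    def register(self, username: str, password: str) -> None:
        ok, why = check_password_policy(password)
        if not ok:
            raise ValueError(f"weak password: {why}")
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str) -> LoginResult:
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until > self._now():                         # 6.2.2 c): locked out
            _hash(password, self._dummy[0])                    # same cost path as a real check
            return LoginResult(False, GENERIC_FAILURE)         # 6.9: no "account locked" hint
        salt, stored = self._users.get(username, self._dummy)  # unknown user: still hash
        if username in self._users and hmac.compare_digest(_hash(password, salt), stored):
            self._failures.pop(username, None)
            return LoginResult(True, "login successful")
        count += 1
        lock_until = self._now() + LOCK_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (count, lock_until)
        return LoginResult(False, GENERIC_FAILURE)             # 6.2.2 e): uniform prompt
```

The test for 6.9 compares the three failure responses byte for byte (and, for stricter targets, their timing); any difference between "no such user" and "wrong password" is a username enumeration finding. The counter above is keyed by username only; a production service also throttles by source address so that the lockout itself cannot be turned into a denial of service against legitimate users.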
6.10 Log data security
6.10.1 Test objectives
The client program does not call debug logging functions and does not expose the logic of the client code.
6.10.2 Test content
Testing content includes:
a) the client encrypts and protects log data;
b) the client does not store locally any log data or debugging information relating to the application's running logic;
c) application server information is stored only in server logs.
6.10.3 Results judgment
If the test content of 6.10.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.11 Algorithm security
6.11.1 Test objectives
When the client program uses cryptographic algorithms, no insecure algorithm and no insecure mode of operation is used.
6.11.2 Test content
Testing content includes:
a) the client uses cryptographic algorithms approved by the national competent authority, such as SM2, SM3 and SM4;
b) the client uses secure modes of operation of the cryptographic algorithms approved by the national competent authority.
6.11.3 Results judgment
If the test content of 6.11.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.12 Security audit
6.12.1 Test objectives
The application provides a security audit function that records and allows review of users' operations on the application, so that any damage that has occurred can be assessed and an effective basis for disaster recovery and accountability is available.
6.12.2 Test content
Testing content includes:
a) the application provides a security audit function that logs user registration, login and key business operations;
b) the application applies the necessary access control to security audit records and audit policies, and prohibits their unauthorized deletion, modification or overwriting.
6.12.3 Results judgment
If the test content of 6.12.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.13 Configuration security
6.13.1 Test objectives
The server running the application is securely configured.
6.13.2 Test content
Testing content includes:
a) the server and middleware have no known security vulnerabilities;
b) the server and middleware have no weak passwords;
c) the server has no unnecessary ports or services open;
d) the server does not enable unnecessary HTTP methods;
e) the server and middleware follow the principle of least privilege and minimal functionality;
f) the server has the latest security patches installed;
g) the server and middleware have log auditing enabled.
6.13.3 Results judgment
If the test content of 6.13.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.14 Denial of service
6.14.1 Test objectives
All legitimate users on the network can connect to the server normally, and there is no denial of service (DoS) vulnerability.
6.14.2 Test content
Testing content includes:
a) when the application faces a very large volume of attack traffic, it does not become unable to provide service because of the traffic volume;
b) the application does not become unable to provide service because a particular server resource is exhausted.
6.14.3 Results judgment
If the test content of 6.14.2 is fully met, the application is determined to meet the test requirements of this item; otherwise it is determined not to meet, or only partially to meet, the test requirements of this item.
6.15 Source code security
6.15.1 Test objectives
There is no risk of the client code being decompiled and leaked.
6.15.2 Test content
Testing content includes:
a) the client code has been protected against dynamic debugging, obfuscated, etc., to prevent decompilation or reverse analysis and to keep the program logic confidential;
b) the client can verify the integrity of its own code;
c) the client can perform security verification of signature information.
6.15.3 Results judgment
If the test content of 6.15.2 is fully met, the application is determined to meet the test requirements of this item; otherwise...