软件安全性缺陷测试需求获取与定位-《计算机技术与发展》

文章信息/Info

Title:: Requirement Acquisition and Location for Software Security Defect Testing

Author(s):: PENG Hui-bin; FEI Qi; Jiangsu Institute of Automation,Lianyungang 222061,China

Keywords:: software security defects; security defect requirement acquisition; security defect location; priority measurement model

摘要:: 近年来,软件安全性事件层出不穷,涉及的领域也越来越广,造成的危害也越来越大。现有的缺陷数据库包含的安全性漏洞数量非常庞大,如果对其逐个进行针对性测试,则测试成本难以承受。因此,文中首先从影响软件安全性的缺陷引入原因维、危险后果维以及可能导致缺陷被激活的操作方式维三个维度对安全性缺陷进行分类。这种三维结构综合分类法,可以弥补单一分类法的不足,为测试人员分析安全性缺陷提供了更为准确细致的描述手段;其次,通过数据流图结合数据交互边界提出一种可行的基于数据交互边界的软件安全性缺陷确定技术;最后,通过对 DREAD 模型的改进,提出一种软件安全性缺陷优先级度量模型,从而解决了软件安全性缺陷定位问题和软件安全性缺陷优先级确定问题。

Abstract:: In recent years,software security incidents emerge in an endless stream,involving more and more fields and causing more and more harm. The existing defect database contains a large number of security vulnerabilities. If the targeted tests are carried out one by one,the test cost is unbearable. Therefore,firstly the security defects from three dimensions:the reason dimension,the dangerous consequence dimension and the operation mode dimension which may cause the defects to be activated are classified. This three dimensional structured comprehensive classification can make up for the single classification and provide a more accurate and detailed description for testers to analyze security defects. Secondly,a feasible software security defect determination technique based on data flow graph and data interaction boundary is proposed. Finally, by improving the DREAD model, a software security defect priority measurement model is proposed to solve the problem of software security defect location and software security defect priority determina-tion.