The Design And Implementation Of Security Testing Tool In Secure Software Development Environment

Posted on: 2009-05-07
Degree: Master
Type: Thesis
Country: China
Candidate: Y C Chen
Full Text: PDF
GTID: 2178360272986735
Subject: Computer application technology

Abstract/Summary:
To meet the increasing demands on software security and reliability, Microsoft proposed the idea of Trustworthy Computing. By adding a series of security-oriented concerns and improvements to the corresponding phases of a traditional software development life cycle, a secure development life cycle is formed, and with it a secure software engineering practice that follows this development process. Focusing on the testing phase, this paper studies how to provide an automated or semi-automated security testing tool that can be used to detect potential security vulnerabilities.

Building on existing software security testing methods, a software security test based on attack patterns is proposed. First, attack patterns are modeled with UML sequence diagrams. Attack paths are derived from the model, along with the characteristics of those attack paths. According to these characteristics, the information that needs to be collected during program execution is determined, and the code implementation is carried out. Second, random test data is generated, and the data-driven, code-implemented program runs on it to record the execution paths taken during program execution. Finally, the attack paths are matched against the execution paths. The matching results are used to report potential security vulnerabilities and to provide corresponding mitigation strategies.

Furthermore, this paper designs and implements a security testing tool whose functional modules comprise an attack path module, an automated data-implementing module, and a test-executing and path-matching module. The tool is implemented using the plug-in techniques of the Eclipse development platform and is further integrated into a complete secure software development environment.

The security testing tool provides testers with comparatively automated tool support, reduces the dependency of security tests on testers' skills and experience, and increases development speed. The integration of this tool into a secure software development environment has a positive effect on building secure and reliable software.
Keywords/Search Tags: security test, attack pattern, code implementation, path-matching