CN113742201A - Software defect detection method and system based on gray box test - Google Patents

Publication number: CN113742201A
Authority: CN (China)
Prior art keywords: test, result information, defect detection, test result, dast
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010472349.0A
Other languages: Chinese (zh)
Inventors: 向黎希, 游耀东, 肖芫莹
Current Assignee: China Telecom Corp Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China Telecom Corp Ltd
Priority date: 2020-05-29 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2020-05-29
Publication date: 2021-12-03
Application filed by China Telecom Corp Ltd
Priority to CN202010472349.0A
Publication of CN113742201A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3692 Test management for test results analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present disclosure relates to a software defect detection method and system based on gray box testing, the method comprising: an instrumentation step, wherein an instrumentation code segment for testing is inserted into one or more instrumentation points of a tested program through an instrumentation Agent installed in a SAST server; a dynamic scanning step, wherein a DAST scanner of a DAST server initiates scanning of the tested program to perform black box testing; a tracking step, wherein the instrumentation Agent tracks test result information of the tested program during the DAST scan according to the one or more instrumentation points, and sends the test result information to a management control server; and a display step, wherein the management control server displays the test result information.

Description

Software defect detection method and system based on gray box test
Technical Field
The present disclosure relates to software security. More particularly, the present disclosure relates to a method and system for software defect detection based on gray box testing in software security testing.
Background
Traditional software organizations set development, IT operations and Quality Assurance (QA) as separate departments, and the release of applications often becomes a very stressful and risky activity involving multiple teams. In recent years, with rapid development of new business states based on the internet and next-generation communication technologies, virtualization and cloud computing infrastructures are increasingly popularized, data center automation technologies and configuration management tools are widely used, and how to adopt a new development method such as agile software development to meet the demand of frequent delivery becomes an important issue in the industry.
Against the background of overall technological advances, development and maintenance in the software industry have evolved from the traditional SDLC (system lifecycle) model to the latest DevOps (a combination of Development and Operations) model. Through the close cooperation of multiple departments such as development and operation and maintenance, software products and services can be delivered on time and with high quality. In particular, now that the mobile internet is widespread, the share of agile software development is increasing and it is gradually becoming mainstream, and how to reduce the production-environment risk that accompanies frequent changes has become a new issue.
Software security testing is a key link in enhancing the security of a software system and reducing the risks of software products and services. At present, software security detection methods mainly focus on SAST static white box testing and DAST dynamic black box testing. The SAST static white box test is a code-based test: as a test case design method, the tester examines the logic structure inside the software and performs coverage testing on its logic paths to obtain test data. The DAST dynamic black box test, also called a functional test, focuses on the functional requirements of the software under test and on the external structure of the program; it tests starting from the correspondence between input data and output data, and checks whether each function can be used normally.
In the new DevOps model, how to improve software security to the maximum extent, efficiently and within the specified time and cost, has become a business concern.
For convenience and ease of understanding, hereinafter, the "SAST static white box test" is sometimes referred to simply as "SAST test", "white box test", "static test", or "SAST", etc., and similarly, the "DAST dynamic black box test" is sometimes referred to simply as "DAST test", "black box test", "dynamic test", or "DAST", etc.
Disclosure of Invention
Technical problem to be solved by the invention
The prior art SAST static white-box test and DAST dynamic black-box test each have their advantages and disadvantages. In the SAST static white-box test, the tester is usually a software developer who needs a full understanding of the internal logic structure of the program and performs the test on all logic paths. More specifically, checkpoints are created at various locations in the program, and the state of the program is checked to determine whether the actual operating state is consistent with the expected state. The white box test has a high coverage rate and is mainly used in software fields with high reliability requirements, such as the military industry, aerospace and industrial control; but it produces many false alarms, which makes later false-alarm investigation time-consuming and laborious and reduces its practicality to a certain extent.
On the other hand, in the DAST dynamic black box test, the test is performed at the program interface from the user's perspective, without considering the internal structure and internal characteristics of the program at all; it only checks whether the program functions work normally as specified by the requirements specification and whether the program can properly receive input data and produce correct output information. The black box test is suitable for functional, usability and acceptance testing, can test the working logic of long and complex procedures, is easy to understand, and has high test result accuracy; however, it cannot locate the specific code line of a bug or its cause, so a long time is needed to locate the bug and analyze the cause.
The two test methods, the SAST static white-box test and the DAST dynamic black-box test, thus each have their advantages and disadvantages. The new DevOps model emphasizes embedding security testing into every stage of software development, in the expectation of achieving fast iteration and fast feedback.
Therefore, an object of the present disclosure is to provide a software defect detection method and system based on gray box testing, in which black box and white box testing are linked, and which can efficiently find high-risk vulnerabilities in a system in a short time by associating dynamic testing with static testing.
Technical solution for solving technical problem
The following presents a simplified summary of the disclosure in order to provide a basic understanding of some aspects of the disclosure. However, it should be understood that this summary is not an exhaustive overview of the disclosure. It is not intended to limit the critical or important parts of the present disclosure, nor is it intended to limit the scope of the present disclosure. Its sole purpose is to present some concepts of the disclosure in a simplified form as a prelude to the more detailed description that is presented later.
According to one aspect of the disclosure, a software defect detection method based on a gray box test is provided. The method can comprise the following steps: an instrumentation step, wherein an instrumentation code segment for testing is inserted into one or more instrumentation points of a tested program through an instrumentation Agent installed in a SAST server; a dynamic scanning step, wherein a DAST scanner of a DAST server initiates scanning of the tested program to perform black box testing; a tracking step, wherein the instrumentation Agent tracks test result information of the tested program during the DAST scan according to the one or more instrumentation points, and sends the test result information to a management control server; and a display step, wherein the management control server displays the test result information.
According to another aspect of the present disclosure, a computer-readable storage medium is provided. The computer-readable storage medium stores executable instructions that, when executed by an information processing apparatus, cause the information processing apparatus to perform the above-described software defect detection method based on a gray box test.
According to another aspect of the present disclosure, a system for software defect detection based on gray box testing is provided. The system may include: a DAST server provided with a DAST scanner for dynamic scanning, which initiates scanning of a program under test and performs black box testing; a SAST server in which an instrumentation Agent is installed, wherein a test code segment is inserted into one or more instrumentation points of the tested program through the instrumentation Agent, and the instrumentation Agent tracks test result information of the tested program during DAST scanning according to the one or more instrumentation points and sends the test result information to a management control server; and the management control server, which receives and displays the test result information.
According to another aspect of the present disclosure, there is provided a software defect detecting apparatus based on a gray box test, including: a memory, and processing circuitry configured to: insert a test code segment into one or more instrumentation points of the program to be tested; initiate dynamic scanning of the tested program and carry out black box testing; track test result information of the tested program during DAST scanning according to the one or more instrumentation points; and display the test result information.
Effects of the invention
According to the invention, most high-risk bugs in a software system can be found and accurately located in a short time, which makes the method well suited to the fast-iteration, fast-feedback DevOps mode.
Drawings
Fig. 1 is a diagram illustrating a representative DevOps mode based operating architecture in accordance with an embodiment of the present disclosure;
FIG. 2 is an exemplary diagram of a hardware architecture for implementing embodiments of the present disclosure;
FIG. 3 is an exemplary flow chart illustrating the overall processing of a gray box test based software defect detection method according to an embodiment of the present disclosure.
Detailed Description
Preferred embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings. It should be noted that the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise. Meanwhile, the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail and are intended to be part of the specification where appropriate. The techniques of this disclosure can be applied to a variety of products.
To facilitate a better understanding of the technical solutions according to the present disclosure, some software industry techniques applicable to the embodiments of the present disclosure are briefly described below.
As disruptive technology trends such as cloud computing and big data continue to shape the application economy, and particularly against the background of the rapidly spreading mobile internet, adopting the latest DevOps working mode is expected to help increase business value in an application-driven, cloud-connected and mobile environment. The DevOps model can be regarded as a combination of traditional development (software engineering), technical operation and Quality Assurance (QA): a set of processes and methods that addresses communication and cooperation among multiple departments, represented by these three.
Under the large background of a new business state, a software business department is likely to need to produce application programs which are oriented to various users and have various functions in a short time, and the deployment period of the application programs is inevitably short. In order to meet the requirement of the continuous deployment, communication, cooperation and integration among development (application program/software engineering), technical operation and Quality Assurance (QA) departments need to be realized, and the software construction, testing and release can be more rapid, frequent and reliable through the communication and cooperation between a software developer (Dev) and an IT operation and maintenance technician (Ops), breaking through the partitioning mode of the traditional department and optimizing various processes such as design and testing. Overall, the efficiency of the entire organization is thus improved by improving the collaboration among the teams in each link.
First, an example of the overall operating architecture of the DevOps mode can be seen in fig. 1. Fig. 1 shows a representative DevOps mode based operational architecture diagram in accordance with an embodiment of the present disclosure. As shown in fig. 1, in the DevOps model emphasizing the security test embedded in each stage of software development, in general, in each working module from "1 demand" to "7 offline", there are involved the collaboration and participation of a plurality of departments such as development (application/software engineering), technical operation and Quality Assurance (QA) department, etc., and only the primary and secondary business contents of each department are different. Specifically, the development department focuses more on the three modules of "1 requirement", "2 design", and "3 development" among them; the Quality Assurance (QA) department mainly focuses on the two modules of "4 test" and "5 release" therein; the work of the technical operation department mainly relates to two modules of '6 operation and maintenance' and '7 offline' in the later period. The black and white box linkage software defect detection method and system based on the gray box test relate to the cooperative work of the different departments, such as at least a development department and a Quality Assurance (QA) department.
As a non-limiting example, the software security work in the module "3 development" includes "security code specification implementation", "SAST test", "audit repair", "continuous integration", and the like. The SAST test is a static application security test that can automatically detect code defects according to general secure coding rules and user-defined secure coding rules. The subsequent "audit repair" audits and repairs code defects according to the automated SAST test results. In "continuous integration", the SAST test can be integrated with Git, JIRA, mail management systems, etc., so that various general or customized tests can be supported according to user requirements, such as detection triggered automatically by a version update, periodic detection, and pre-release detection during iterative development. Because integration with a mature defect management system such as JIRA is supported, and a mail notification system can be supported, defects and the like can be notified to the relevant person in charge promptly and reliably.
Next, as a non-limiting example, the software security work in the module "4 test" includes "DAST/IAST (interactive application security test)", "security regression test", "security element test", "security integration test", "persistence test", and the like. The software defect detection method based on the gray box test, which links black box and white box testing, can serve as one implementation form of the IAST interactive application security test: it combines dynamic and static testing, and locates the precise position of a vulnerability in the source code while the DAST test is performed, by means of instrumentation on a SAST tool.
Fig. 2 is an exemplary schematic diagram of a hardware architecture for implementing embodiments of the present disclosure. The software defect detection system based on the gray box test, which links black box and white box testing, comprises: a DAST server for black box testing of software, having a DAST scanner for initiating scanning; and a SAST server on which an Agent (proxy) is installed, the Agent being associated with the DAST scanner so that the SAST and DAST tests are linked. The software defect detection system further comprises a management control server for displaying the security detection result.
The general flow chart of the relevant software security test process is shown in fig. 3. FIG. 3 is an exemplary flow chart illustrating the overall processing of a gray box test based software defect detection method according to an embodiment of the present disclosure.
As shown in fig. 3, in step S100, the instrumentation Agent is installed in the SAST server. More specifically, using instrumentation technology, a probe is inserted into the program under test while preserving the logical integrity of the original program, and information in the code (the method itself, method parameter values, return values, and the like) is acquired through the probe. That is, by inserting code segments at specific positions of the program under test, dynamic context information about the running program can be collected.
In the software defect detection method and system disclosed herein, instrumentation achieves the following technical effects: the analysis is based on the service call context and needs no replay, so detection efficiency is higher; more application information can be obtained, so that a discovered security vulnerability can be located to a code line, and the complete request and response information, the complete data flow and the stack information can be obtained, which makes the vulnerability easy to locate, repair and verify; because the detection logic does not need to replay a request, anti-replay logic can be tested (supporting tests of environments such as AJAX pages, CSRF Token pages, verification code pages, API isolated chains and POST form requests); detection of third-party component management, hard-coded information, weak encryption algorithms and the like is supported; and because a vulnerability is judged by comprehensive analysis of the request, the code, the data flow and the control flow, vulnerability test accuracy is high and the false alarm rate is extremely low.
In step S200, a DAST scanner initiates scanning on the application under test, and performs a black box test. As described below, during DAST scanning, application security testing can be further performed concurrently with functional testing, in conjunction with instrumentation agents installed in associated SAST servers.
In step S300, the Agent tracks test result information of the tested application program during DAST scanning, and sends the related test result information to the management control server. While the DAST test is carried out, the Agent tracks the data flow trend, and the instrumentation points through which the data flows can be recorded in the form of log files, so that a tester can easily see which instrumentation points the flow has passed through by consulting the log files, either as electronic documents or as printouts. The test result information includes the data flow trend and the related source code context. For example, while monitoring the running application program, the Agent collects information about how the application executes and what it operates on. The monitored application behavior may include code, memory, data flow, and the like. The test result information of the software defect detection method based on the gray box test of the embodiment of the present disclosure may include a combination of the test result from the SAST server and the test result from the DAST server. More specifically, the test results of the SAST server include test results from the instrumentation Agent; the test results of the DAST server include test results from the DAST scanner.
In step S400, the management control server displays the security detection result. The security detection result may, for example, comprise a combination based on the test result from the Agent and the test result from the DAST scanner. In addition, the management control server can also support integration with a mature defect management system such as JIRA, and can support a mail notification system, thereby immediately and reliably notifying the relevant responsible person of the defect and the like, and facilitating quick communication and coordination among development, technical operation and Quality Assurance (QA) departments.
By utilizing the software defect detection method and system based on the gray box test, the DAST and the SAST are linked by utilizing the mode of the instrumentation Agent, and the problems found in the DAST test can be positioned to specific code positions so as to be repaired in time and iterated quickly.
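The flow of steps S100 to S400, as an added Python example that is not part of the patent text: a decorator-based Agent wraps instrumentation points, a simulated scan sends a unique marker, and the report names the code location where the marker reaches a query unmodified. All class and function names, the marker-matching rule and the two sample handlers are assumptions constructed for illustration.

```python
import contextvars
import functools
import os

# Every name here is hypothetical; the patent describes roles, not an API.
_trace = contextvars.ContextVar("trace", default=None)


class ManagementServer:
    """Management control server stand-in: receives and displays reports (S400)."""

    def __init__(self):
        self.reports = []

    def receive(self, report):
        self.reports.append(report)

    def display(self):
        lines = []
        for r in self.reports:
            verdict = f"FINDING at {r['location']}" if r["finding"] else "clean"
            lines.append(f"{r['request_id']}: {verdict}; flow: {' -> '.join(r['flow'])}")
        return lines


class InstrumentationAgent:
    def __init__(self, server):
        self.server = server

    def point(self, kind, arg=0):
        """S100: wrap a function as an instrumentation point ('source' or 'sink')."""
        def decorate(func):
            code = func.__code__
            # Source context: file and first line of the instrumented definition.
            location = (f"{os.path.basename(code.co_filename)}:"
                        f"{code.co_firstlineno} ({func.__name__})")

            @functools.wraps(func)
            def probe(*args, **kwargs):
                result = func(*args, **kwargs)
                trace = _trace.get()
                if trace is not None:  # record only while a scan request is tracked
                    # A source is judged by what it returns, a sink by what it receives.
                    observed = result if kind == "source" else args[arg]
                    trace["events"].append({
                        "point": func.__name__, "kind": kind, "location": location,
                        "tainted": trace["marker"] in str(observed),
                    })
                return result
            return probe
        return decorate

    def track(self, request_id, marker, handler, request):
        """S300: follow one scanner request through the points and report it."""
        trace = {"marker": marker, "events": []}
        token = _trace.set(trace)
        try:
            response = handler(request)
        finally:
            _trace.reset(token)
        hits = [e for e in trace["events"] if e["tainted"]]
        sink_hits = [e for e in hits if e["kind"] == "sink"]
        report = {
            "request_id": request_id,
            "flow": [e["point"] for e in hits],  # data flow trend
            "finding": bool(sink_hits),
            "location": sink_hits[0]["location"] if sink_hits else None,
        }
        self.server.receive(report)
        return response, report


server = ManagementServer()
agent = InstrumentationAgent(server)


# --- constructed program under test ---
@agent.point("source")
def read_param(request, name):
    return request.get(name, "")


@agent.point("sink")
def run_query(sql, params=()):
    return f"would execute: {sql} {params}"  # no database is touched


def lookup_concat(request):  # input concatenated into the query text
    name = read_param(request, "name")
    return run_query("SELECT id FROM users WHERE name = '" + name + "'")


def lookup_bound(request):  # input passed as a bound parameter
    name = read_param(request, "name")
    return run_query("SELECT id FROM users WHERE name = ?", (name,))


def dast_scan(agent, handlers, marker="gb-7f3a'"):
    """S200: black box requests carrying a unique, constructed marker value."""
    reports = []
    for i, handler in enumerate(handlers, 1):
        _, report = agent.track(f"scan-{i}", marker, handler, {"name": marker})
        reports.append(report)
    return reports


if __name__ == "__main__":
    dast_scan(agent, [lookup_concat, lookup_bound])
    print("\n".join(server.display()))
```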
By utilizing the scheme disclosed by the invention, the defect that the traditional DAST dynamic black box test cannot realize quick feedback because the internal principle is not mastered is overcome.
In addition, when the SAST static white box test was used alone in the past, the false alarm rate was usually more than 30%, and the average false alarm rate was 50%; whereas with the software defect detection approach based on the gray box test of the present disclosure, the false alarm rate is almost 0.
It should be appreciated that reference throughout this specification to "an embodiment" or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, appearances of the phrases "in embodiments of the present disclosure" and similar language throughout this specification do not necessarily all refer to the same embodiment.
One skilled in the art will appreciate that the present disclosure can be implemented as a system, apparatus, method, or computer-readable medium (e.g., non-transitory storage medium) as a computer program product. Accordingly, the present disclosure may be embodied in various forms, such as an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-program code, etc.) or an embodiment combining software and hardware aspects that may all be referred to hereinafter as a "circuit," "module," or "system." Furthermore, the present disclosure may also be embodied in any tangible media as a computer program product having computer usable program code stored thereon.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of systems, apparatuses, methods and computer program products according to specific embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and any combination of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be executed by a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, implement the functions or acts specified in the flowchart and/or block diagram block or blocks.
Flowcharts and block diagrams of the architecture, functionality, and operation in which systems, apparatuses, methods and computer program products according to various embodiments of the present disclosure may be implemented are shown in the accompanying drawings. Accordingly, each block in the flowchart or block diagrams may represent a module, segment, or portion of program code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in the drawings may be executed substantially concurrently, or in some cases, in the reverse order from the drawing depending on the functions involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or technical improvements to market technology, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (14)

1. A software defect detection method based on a gray box test, comprising the following steps:
an instrumentation step, wherein an instrumentation code segment for testing is inserted into one or more instrumentation points of a tested program through an instrumentation Agent installed in a SAST server;
a dynamic scanning step, wherein a DAST scanner of a DAST server initiates scanning of the tested program to perform black box testing;
a tracking step, wherein the instrumentation Agent tracks test result information of the tested program during the DAST scan according to the one or more instrumentation points, and sends the test result information to a management control server; and
a display step, in which the management control server displays the test result information.
2. The software defect detection method based on gray box testing of claim 1,
the test result information includes the data flow trend and related source code context of the program under test during the DAST scan.
3. The software defect detection method based on gray box testing of claim 2,
the data stream is oriented according to the one or more instrumentation points.
4. The software defect detection method based on gray box testing of claim 1,
in the display step, the management control server further notifies the relevant person in charge of the test result information via integration with other defect management systems.
5. The software defect detection method based on gray box testing of claim 4,
the other defect management system includes at least one of: git, JIRA, mail management system.
6. The software defect detection method based on gray box testing of claim 4,
and the management control server informs the relevant responsible persons of the test result information through a mail informing system.
7. A computer-readable storage medium storing executable instructions that, when executed by an information processing apparatus, cause the information processing apparatus to perform the gray box test-based software defect detection method according to any one of claims 1 to 6.
8. A software defect detection system based on gray box testing, comprising:
a DAST server provided with a DAST scanner for dynamic scanning, which initiates scanning of a program under test and performs black box testing;
a SAST server in which an instrumentation Agent is installed, wherein a test code segment is inserted into one or more instrumentation points of the tested program through the instrumentation Agent, and the instrumentation Agent tracks test result information of the tested program during DAST scanning according to the one or more instrumentation points and sends the test result information to a management control server; and
the management control server, which receives and displays the test result information.
9. The software defect detection system based on gray box testing of claim 8,
the test result information includes the data flow trend and related source code context of the program under test during the DAST scan.
10. The software defect detection system based on gray box testing of claim 9,
the data stream is oriented according to the one or more instrumentation points.
11. The software defect detection system based on gray box testing of claim 8,
the management control server further notifies the test result information to the relevant person in charge via integration with other defect management systems.
12. The software defect detection system based on gray box testing of claim 11,
the other defect management systems include at least one of: Git, JIRA, or a mail management system.
13. The software defect detection system based on gray box testing of claim 11,
the management control server notifies the relevant person in charge of the test result information through a mail notification system.
14. A software defect detection device based on a gray box test comprises:
a memory, and
a processing circuit configured to:
insert a test code segment into one or more instrumentation points of the program under test;
initiate a dynamic scan of the program under test and carry out black box testing;
track test result information of the program under test during the DAST scan according to the one or more instrumentation points; and
display the test result information.
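The flow set out in claims 8 to 10 and 14 (probes inserted at instrumentation points, a scan driven from outside, and the observed data flow plus source context sent to a collector) can be sketched as follows. This is an added illustration, not code from the patent: the `Agent` class, the `REPORTS` list standing in for the management control server, the handler functions and the marker string used in the test are all assumptions constructed for the example.

```python
import functools
import inspect

REPORTS = []  # assumption: stand-in for the management control server's inbox

class Agent:
    """Toy instrumentation agent: wraps chosen functions and records data flow."""
    def __init__(self):
        self.marker = None  # value the scanner is currently sending
        self.flow = []      # ordered instrumentation points the marker reached

    def point(self, name):
        """Insert a test code segment at the instrumentation point `name`."""
        def wrap(fn):
            @functools.wraps(fn)
            def probe(*args, **kwargs):
                if self.marker and any(isinstance(a, str) and self.marker in a for a in args):
                    caller = inspect.stack()[1]  # source context of the call site
                    self.flow.append({"point": name, "function": fn.__name__,
                                      "line": caller.lineno,
                                      "context": (caller.code_context or [""])[0].strip()})
                return fn(*args, **kwargs)
            return probe
        return wrap

    def scan(self, handler, payload):
        """Send one scanner request, then report what the probes observed."""
        self.marker, self.flow = payload, []
        response = handler(payload)
        finding = {"payload": payload, "flow": self.flow,
                   "reached_sink": any(s["point"] == "sink" for s in self.flow)}
        REPORTS.append(finding)
        self.marker = None
        return response, finding

agent = Agent()

@agent.point("source")
def read_param(raw):
    return raw.strip()

@agent.point("sink")
def build_query(name):
    # Naive concatenation, kept on purpose so the probe has a flow to observe.
    return "SELECT * FROM users WHERE name = '" + name + "'"

def handle_request(raw):
    return build_query(read_param(raw))

def handle_request_safe(raw):
    read_param(raw)          # input is read but only a placeholder reaches the sink
    return build_query("?")
```

The black box side sees only the response; the `flow` list is the part a pure DAST scan cannot produce, and it is what lets a finding point at a specific call site.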
CN202010472349.0A 2020-05-29 2020-05-29 Software defect detection method and system based on gray box test Withdrawn CN113742201A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010472349.0A CN113742201A (en) 2020-05-29 2020-05-29 Software defect detection method and system based on gray box test

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010472349.0A CN113742201A (en) 2020-05-29 2020-05-29 Software defect detection method and system based on gray box test

Publications (1)

Publication Number Publication Date
CN113742201A true CN113742201A (en) 2021-12-03

Family

ID=78724366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010472349.0A Withdrawn CN113742201A (en) 2020-05-29 2020-05-29 Software defect detection method and system based on gray box test

Country Status (1)

Country Link
CN (1) CN113742201A (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030046029A1 (en) * 2001-09-05 2003-03-06 Wiener Jay Stuart Method for merging white box and black box testing
CN102053906A (en) * 2009-10-30 2011-05-11 国际商业机器公司 System and method for collecting program runtime information
CN102103538A (en) * 2011-02-22 2011-06-22 南京航空航天大学 Method for testing palletizing robot control software based on Agent
CN104834590A (en) * 2014-02-11 2015-08-12 腾讯科技(深圳)有限公司 Software test method and system
US20170270303A1 (en) * 2016-03-21 2017-09-21 Checkmarx Ltd. Integrated Interactive Application Security Testing
CN110858172A (en) * 2018-08-23 2020-03-03 北京京东尚科信息技术有限公司 Automatic test code generation method and device
CN110389895A (en) * 2019-06-14 2019-10-29 平安科技(深圳)有限公司 Terminal test method, device, computer equipment and storage medium
CN110837472A (en) * 2019-11-06 2020-02-25 腾讯科技(深圳)有限公司 Browser testing method and device and computer equipment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115794639A (en) * 2022-12-05 2023-03-14 北京领雁科技股份有限公司 Visual test and visual simulation test system and method based on process
CN115794639B (en) * 2022-12-05 2023-09-26 北京领雁科技股份有限公司 Visual test based on flow and visual simulation test system and method
CN118153049A (en) * 2024-05-13 2024-06-07 成都派沃特科技股份有限公司 Intelligent detection method and system for code security

Similar Documents

Publication Publication Date Title
US9160762B2 (en) Verifying application security vulnerabilities
Arcuri et al. Black-box system testing of real-time embedded systems using random and search-based testing
Xu et al. POD-Diagnosis: Error diagnosis of sporadic operations on cloud applications
Erfani Joorabchi et al. Works for me! characterizing non-reproducible bug reports
US8752182B2 (en) Pinpointing security vulnerabilities in computer software applications
US7882495B2 (en) Bounded program failure analysis and correction
US20080005281A1 (en) Error capture and reporting in a distributed computing environment
Jaafar et al. Mining the relationship between anti-patterns dependencies and fault-proneness
CN107329894B (en) Application program system testing method and device and electronic equipment
CN111859375A (en) Vulnerability detection method and device, electronic equipment and storage medium
CN108268371B (en) Intelligent fuzzy test method for Android application
GB2493828A (en) Linking a test case error to a code segment to re-execute the test when the code segment is modified
CN113761519B (en) Method and device for detecting Web application program and storage medium
CN113742201A (en) Software defect detection method and system based on gray box test
Chen et al. A large-scale empirical study on control flow identification of smart contracts
Dia et al. An empirical evaluation of the effectiveness of smart contract verification tools
Bandara et al. Fix that Fix Commit: A real-world remediation analysis of JavaScript projects
Bhatt A survey of effective and efficient software testing technique and analysis
CN117076301A (en) System performance test method and device and electronic equipment
DeMott et al. Systematic bug finding and fault localization enhanced with input data tracking
US11526775B2 (en) Automatically evaluating application architecture through architecture-as-code
CN114329486A (en) Asset vulnerability management method and device, electronic equipment and storage medium
Biray et al. A learning-based method for detecting defective classes in object-oriented systems
Padmanabhuni et al. Light-weight rule-based test case generation for detecting buffer overflow vulnerabilities
CN111428238B (en) Android component-based service rejection testing method, detection terminal and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (application publication date: 20211203)