Test type・Security test
Why is security testing so important?
Of the features that have become more important these days, RAS functional tests were introduced in the previous article, so let’s introduce security tests in this article . Cyber security issues such as account hijacking and information leaks have been taken up in the general news, and interest in Internet security has gradually increased. This is because the spread of smartphones has increased and many people are using the Internet as the basis of their lives, and the dangers of the Internet are becoming more and more noticeable.
However, in parallel with the spread of smartphones, the IoT is actually advancing with various functions that support the world at a higher speed . IoT is an abbreviation for Internet of Things , but it means that everything is connected to the Internet. Familiar things are vending machines for soft drinks, checkout machines in parking lots, cashiers at convenience stores, and other devices that used to work independently are connected to the Internet and become servers. By exchanging information, we are providing better services.
I’m very happy to be connected to the Internet and provide useful services, but if there is a front side, there is always a back side. Behind the joy of the front world that you can do various things by connecting to the Internet, the horror of the back world that you can be attacked by cyber attacks from anywhere in the world is occurring at the same time. increase. And the security function protects you from this cyber attack.
Now that each country has organized a cyber army within its army to attack and defend in cyberspace, that is, in the Internet, security functions are becoming more and more important. Withdrawal of the personal information of and apparatus hijacking and, springboard turned into be used to attack other devices, that is always there is a risk, such as because the world of the Internet, such whether withstand the cyber attack to see if Is a security test to confirm the security function.
Embedded system security testing
When it comes to security testing, until a few years ago, the subject of testing was often a server operated by a company . Since a lot of important information is recorded on the server, it is attacked to steal that information, or if it provides important functions, it is attacked to interfere with the functions . For example, in the case of a server operated by a local government, personal information such as the address and name of the resident of that local government is recorded internally, and it is important to provide the residents with various window operations of the local government via the Internet. We provide a machine. It would be difficult for such a server to be attacked by a cyber attack and the information of residents to be stolen or the counter operations to be stopped. To prevent this, the ground municipal server must have sufficient security features, and security tests confirm that feature.
By the way, is the security required for embedded systems, which are increasing in number due to the spread of IoT, the same as for servers? Unlike servers, embedded systems do not store a large amount of information internally or undertake counter operations all at once. For example, if you think about vending machines in the city, there is information about what kind of beverages were sold and how many bottles are left in the current day. However, I don’t think it’s worth stealing this information even by launching a cyber attack. So do embedded systems not have to worry about security features?
Unfortunately that is not the case. Even if you don’t have important information in yourself, even if it is small, it is a computer connected to the Internet, so if it is hijacked by a cyber attack, it will be used as a base for attacking other computer systems as a stepping stone. There is a risk of getting rid of it. Embedded computers used in IoT often work behind the scenes of the world, and unlike smartphones, they are rarely noticed by people, so even if they are hijacked, they are difficult to understand and are the target of attacks. It is easy to become. In fact, a few years ago, a large number of IP cameras installed in the city were hijacked.
In this way, in the case of embedded systems, the problem of hijacking the system is greater than the problem of stealing internal information, so security should also be confirmed by security tests with an emphasis on defense against hijacking. Will be. However, stealing information and hijacking the system both have the same basics of breaking into the system , so the corresponding testing methods are not that different. The main focus is on fuzzing tests that inspect for hidden vulnerabilities and penetration tests that attempt to break into the system . For embedded systems, it’s a good idea to keep in mind that you should be more careful when testing your system by taking over.
Fuzzing test
As many of you may have heard of the term fuzzing, it is one of the methods for finding vulnerabilities in software . Vulnerability is literally the fragile and weak nature of software, but specifically, it is an information security flaw that is latent in computers . It is sometimes called a security hole , but in short, it is an attack point for cyber attacks . Therefore, fuzzing is one of the multifaceted methods of finding potential security holes in your computer.
Then, what is fuzzing to find a security hole in software? It sends a large amount of data that may cause a problem called fuzz to the computer to be inspected , and monitors the computer’s response to it and is vulnerable. The method is to check for sex.
The fuzz data sent to the inspection target varies depending on the inspection target, such as HTTP request if the target is a web server , HTTP response if the target is a web browser , communication protocols such as TCP and IP if the network communication function is used, and commands and arguments if the target is a CUI program . Fuzzing test tool software called a fuzzing tool generates these fuzz data and sends it to the computer to be inspected to monitor for restarts, hangs, and abnormal responses .
Since the fuzzing test sends a lot of fuzz data and tests it, it is done using a fuzzing tool. Many of the paid fuzzing tools are easy to use and can be inspected in a wide range. However, if you are trying fuzzing for the first time, or if you have a development project where you cannot afford to write a lot of test costs, you can try a free fuzzing tool.
For fuzzing IPA because it is it provides a variety of information and tools from, by all means if you are interested introduction page of fuzzing of the IPA See also.
Penetration test
Bae nest configuration tests, security experts are pseudo-attack is a test to find the problem of the security of the computer system performs. In Japanese, it is called penetration test or pseudo-hacking test . This is a test in which a security expert called a white hacker attempts to break into a computer system using various tools.
Whereas fuzzing tests create various fuzz data to comprehensively investigate vulnerabilities, penetration tests check whether an attacker with a specific intention succeeds in attacking a system. It’s a test. Therefore, the outcome of a penetration test depends heavily on the ability of the white hacker to plan and carry out the test. Asking an experienced white hacker to test will also increase the cost of the test. As you can see from this, penetration tests are generally paid.
Which test should I take?
Which test should I do , the fuzzing test or the penetration test ? It would be best if both could be implemented, but the reality is that not all development projects have such abundant test periods and test costs. If only one can be done, Father Gutara recommends doing a fuzzing test .
A fuzzing test that confirms vulnerabilities is a test that comprehensively confirms whether or not there is a risk of being attacked . Penetration testing, on the other hand, is a test to prevent attacks with specific intent . It depends on the security content required for the product, so it cannot be said unconditionally, but it would be better to start with a fuzzing test that can be expected to be comprehensive to some extent.