CN111008376B - A mobile application source code security audit system based on code dynamic analysis - Google Patents

Info

Publication number: CN111008376B (granted patent; application CN201911247159.2A; published application CN111008376A)
Authority: CN (China)
Prior art keywords: code, security, scanning, vulnerability, module
Legal status: Active
Application number: CN201911247159.2A
Other languages: Chinese (zh)
Other versions: CN111008376A
Inventors: 刘冬兰, 刘新, 马雷, 张昊, 王睿, 于灏, 王文婷, 常英贤, 陈剑飞, 赵晓红, 赵洋, 赵勇, 吕国栋, 王晓峰, 任天成, 井俊双, 刘鑫
Current assignee: Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; State Grid Corp of China SGCC
Original assignee: Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; State Grid Corp of China SGCC
Events: application filed by Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd and State Grid Corp of China SGCC; priority to CN201911247159.2A; publication of CN111008376A; application granted; publication of CN111008376B; legal status active

Classifications

    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53: Monitoring during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

This application discloses a mobile application source code security audit system based on code dynamic analysis, comprising a code scanning engine module, an application presentation layer module and a data storage module. The application presentation layer module is the front-end interface of the system and provides an integration interface for external systems; the code scanning engine module cooperates with the application presentation layer module to plan and create code security scanning tasks, run the scans and generate reports; the data storage module stores the system's data. The application adopts virtual execution technology, which addresses the low efficiency and low accuracy of first-generation (pattern matching) and second-generation (data-flow/control-flow analysis) techniques; it reduces the labour and time wasted on triaging invalid findings and lowers the security risk that findings missed by traditional code scanning tools pose to the company; and it can be customised to the company's actual needs, further improving efficiency and raising the company's overall code security level at the lowest possible cost.

Description

Mobile application source code security audit system based on code dynamic analysis
Technical Field
The invention belongs to the technical field of network security and relates to a mobile application source code security audit system based on code dynamic analysis.
Background
With the development of the times, information technology has profoundly shaped how people work and live. But while it brings convenience, information technology has also become a new tool for crime. Attacks on information systems are more covert than traditional criminal acts and harder to prevent; information assets, and even physical safety, can be compromised without anyone noticing. Defensive devices such as firewalls, IDS and IPS have raised the security level of systems to some extent, but they cannot effectively block attacks at the application layer, least of all attacks that exploit unknown (0day) vulnerabilities in the system. Each new 0day attack affects a large part of the whole Internet.
At present the information systems of State Grid Corporation of China (hereinafter, the company) are large in scale, iterate through versions quickly and carry a heavy development and maintenance workload, while information security also has to be taken into account. Developers are generally reluctant or unable to write secure program code because they lack security knowledge and security awareness. Information security work is expensive for the company, yet its benefits and outcomes are hard to quantify. Most importantly, the company lacks an automated solution that can truly find code-level security vulnerabilities efficiently, accurately and in depth.
First-generation code scanning technology, typically found in open-source code scanning tools, relies mainly on keyword and pattern matching. It can only detect the simplest and most obvious security flaws and has very limited practical value. Second-generation code scanning technology performs static code analysis based on formal logic and mathematical theory and is currently the industry mainstream. Compared with the first generation it understands the overall logic of the program far better, but its static model has lower accuracy and a high false-positive rate, so security professionals spend a great deal of time re-checking and correcting its output and working efficiency is low.
The company's current code security testing work relies mainly on Fortify (United States) and Checkmarx (Israel). As the company's security requirements for the electric power information system keep rising, these foreign code security testing tools show the following disadvantages in practice:
1. They cannot be independently controlled. The "Network Security Action Plan for the Power Industry (2018-2020)" compiled by the National Energy Administration explicitly calls for "insisting on independent innovation and accelerating independent controllability and core technology breakthroughs for the electric power system".
2. They do not fit the characteristics of the industry. The power information system has high security requirements and distinct industry characteristics, and foreign code security testing products cannot provide customised services.
3. Their cost is high. Maintenance and upgrade fees for foreign security testing products exceed 25% of the tool's purchase price every year.
Disclosure of Invention
To address the shortcomings of the prior art, the application provides a mobile application source code security audit system based on code dynamic analysis. By understanding the code logic effectively, the system delivers efficient, low-false-positive code security scanning, establishes an efficient and secure development process for its users, and comprehensively raises the overall security level of the IT system while greatly reducing the enterprise's investment of information security resources.
To achieve the above object, the present application adopts the following technical solution:
A mobile application source code security audit system based on code dynamic analysis, comprising a code scanning engine module, an application presentation layer module and a data storage module;
the application presentation layer module is the front-end interface of the mobile application source code security audit system and provides an integration interface for external systems;
the code scanning engine module cooperates with the application presentation layer module to plan and create code security scanning tasks, run the scans and generate reports;
the data storage module stores the data of the mobile application source code security audit system.
The invention further comprises the following preferred embodiments:
Preferably, the code scanning engine module comprises a virtual intermediate language code translator, a security scanning rule module, a virtual executor and a scan report generator;
the virtual intermediate language code translator translates the code of the project or product under scan into virtual intermediate language code, simplifying the analysed program's instructions during translation and keeping only the information relevant to security vulnerabilities, which improves both the efficiency and the accuracy of the security scan;
the security scanning rule module defines the characteristics of the different security vulnerability types and the security scanning rules for them;
the virtual executor loads and executes the translated virtual intermediate language code and mines potential security problems according to the security scanning rules;
the scan report generator classifies and de-duplicates the security problems discovered during code analysis and grades the security threat level of each discovered vulnerability.
Preferably, the scan report generator grades discovered security vulnerabilities as severe, high-risk, medium-risk or low-risk security threats.
Preferably, the code scanning engine module cooperates with the application presentation layer module to plan and create a code security scanning task, run the scan and generate the report, as follows:
the characteristics of the different security vulnerability types and their security scanning rules are predefined in the security scanning rule module of the code scanning engine module;
after the application presentation layer module creates a source code scanning task, it calls the code scanning engine module;
in the code scanning engine module, the virtual intermediate language code translator translates the source code into virtual intermediate language code, the virtual executor then scans it, dynamically analysing and judging the code instruction by instruction against the scanning rules, and finally the scan report generator produces the corresponding source code security defect audit report.
Preferably, the security vulnerability types include permission check vulnerabilities, component analysis vulnerabilities, advertisement module analysis vulnerabilities, sensitive API analysis vulnerabilities, third-party component analysis vulnerabilities, code injection analysis vulnerabilities, information storage analysis vulnerabilities, unreleased resource analysis vulnerabilities, sensitive information leakage analysis vulnerabilities, poor practice vulnerabilities and privacy violation vulnerabilities.
Preferably, during scanning the code scanning engine module identifies a security vulnerability in the source code from the characteristics that correspond to its vulnerability type:
permission check vulnerabilities: the permissions are extracted to detect whether excessive permissions are requested, whether user-defined permissions are used and whether the authorisation carries risk;
component analysis vulnerabilities: all components are listed to analyse whether a component is exposed externally, whether its permission is set correctly, whether its attributes are set correctly and whether its permission is overridden;
advertisement module analysis vulnerabilities: all advertisement modules are extracted and analysed for vulnerabilities;
sensitive API analysis vulnerabilities: all sensitive APIs and their call stacks are enumerated and analysed;
third-party component analysis vulnerabilities: the third-party components used by the application are analysed to determine whether they contain vulnerabilities;
code injection analysis vulnerabilities: the system is analysed for SQL injection, XSS, reflection, dynamic loading and similar flaws that can lead to code execution;
information storage analysis vulnerabilities: the location and manner in which information is stored are analysed for correctness;
unreleased resource analysis vulnerabilities: the resources used by the application are analysed to determine whether they are released after use;
sensitive information leakage analysis vulnerabilities: whether information may leak during transmission or storage is analysed;
poor practice vulnerabilities include debug mode enabled in the application, weak authentication, use of internal APIs and components lacking permission settings;
privacy violation vulnerabilities include collecting the user's private information without the user's permission.
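The permission check, component analysis and debug-mode checks in the list above are the ones that can be decided from the Android manifest alone. The following is an added example of such a manifest audit, written for this page and not taken from the patent; the sample manifest is constructed, the dangerous-permission list is a small subset of Android's runtime permissions rather than the patent's rule set, and the check names are this example's own.

```python
"""Manifest-side checks: permission extraction, component exposure, debug mode.

Added example, not the patented system's code.  SAMPLE_MANIFEST is constructed
for this page; DANGEROUS is a subset of Android runtime permissions."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"   # the android: namespace
DANGEROUS = {                                               # subset only
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE",
}
COMPONENTS = ("activity", "service", "receiver", "provider")


def is_exported(comp):
    """android:exported wins when present; without it, a component that has an
    intent-filter is exported by default on targets below Android 12."""
    exported = comp.get(ANDROID + "exported")
    if exported is not None:
        return exported == "true"
    return comp.find("intent-filter") is not None


def is_launcher(comp):
    """The MAIN/LAUNCHER activity has to be exported; reporting it is noise."""
    return any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))


def audit_manifest(xml_text):
    """Return (area, subject, finding) triples, in document order per check."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    # Permission check: over-privileged requests and weak custom permissions.
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    for perm in sorted(requested & DANGEROUS):
        findings.append(("permission", perm, "dangerous permission requested"))
    custom = {e.get(ANDROID + "name"): e.get(ANDROID + "protectionLevel", "normal")
              for e in root.iter("permission")}          # protectionLevel defaults to normal
    for perm, level in custom.items():
        if level == "normal":                            # any app can hold it
            findings.append(("permission", perm, "custom permission with normal protection level"))
    # Component analysis: is it exposed, is a permission set, is that permission strong.
    for tag in COMPONENTS:
        for comp in app.iter(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            name = comp.get(ANDROID + "name")
            perm = comp.get(ANDROID + "permission")
            if perm is None:
                findings.append(("component", name, f"exported {tag} without permission"))
            elif custom.get(perm) == "normal":
                findings.append(("component", name,
                                 f"exported {tag} guarded only by normal-level permission {perm}"))
    # Poor practice: debuggable build shipped.
    if app.get(ANDROID + "debuggable") == "true":
        findings.append(("application", "debuggable", "android:debuggable is true"))
    return findings


# Constructed sample manifest (not from any real application).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.grid">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <permission android:name="com.example.grid.ADMIN" android:protectionLevel="normal"/>
    <application android:label="Grid" android:debuggable="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="true"/>
        <receiver android:name=".AdminReceiver" android:exported="true"
            android:permission="com.example.grid.ADMIN"/>
        <provider android:name=".DataProvider" android:authorities="com.example.grid"
            android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for area, subject, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{area}] {subject}: {finding}")
```

On the sample manifest the audit reports the READ_SMS request, the normal-level custom permission, the unprotected exported service, the receiver that is guarded only by that weak custom permission, and the debuggable flag; the launcher activity is exported but deliberately not reported, which is the kind of rule tuning the page's complaint about invalid findings calls for.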
Preferably, during code scanning the code scanning engine module loads the translated virtual intermediate language code into the virtual machine and starts the virtual executor;
in this controlled execution the virtual executor dynamically tracks and analyses the run-time behaviour of the program code, so that the program logic is understood more completely and accurately.
Preferably, the virtual executor dynamically tracks and analyses the program code as follows:
step one: load the translated virtual intermediate language code into the virtual machine;
step two: search the virtual intermediate language code for potential security risk points according to the preset analysis target;
step three: read the instructions of the method containing a potential risk point one by one and simulate the operand stack to obtain the data flowing into the risk point;
step four: evaluate the data obtained for the risk point; if part of it is unknown, the code scanning engine locates the method that produced the unknown part, treats it as a new potential risk point and returns to step three, until the properties of all data flowing into the risk point are determined, at which point the data obtained by dynamic analysis is output;
step five: the code analysis engine in the virtual executor judges, according to the security scanning rules, whether the data obtained by dynamic analysis can cause a real security problem; if it can, the source code is judged to have a security vulnerability.
Preferably, the external system integration interface provided by the application presentation layer module comprises an IDE plug-in integration interface, a continuous integration tool integration interface and a bug tracking system integration interface.
Preferably, the application presentation layer module comprises a basic data management module, a code security scanning task management module, a code security scanning report management module and a code scanning engine monitoring module;
the basic data management module handles user/account management, product management and permission management, so that users with different permissions see the views appropriate to them; this meets the needs of security work and at the same time provides access control that keeps sensitive information from being exposed;
the code security scanning task management module provides two kinds of scanning task, immediate scans and periodic scans, to meet the needs of different scenarios;
the code security scanning report management module is used to view summary reports, view detailed reports and download reports;
the code scanning engine monitoring module is used to view the working state of the code scanning engine module and gives the administrator the information needed to understand the system's running state and load.
Preferably, the application presentation layer module creates a source code scanning task as follows:
a product is added through the basic data management module by entering the product name and selecting the scan file type;
after the product is saved, the user enters the scanning task list and fills in the details of the scanning task: the scan type (immediate or periodic), the vulnerability levels (severe, high-risk, medium-risk and low-risk), the scanning strategy (which vulnerability types to include) and the system version number; after the APK package is uploaded, the code vulnerability scan is started.
Preferably, the scan file types include J2EE and Android.
Preferably, the code security scanning report management module is also used to review security vulnerabilities interactively in association with the source code and to track the handling status of each vulnerability.
Preferably, the working state of the code scanning engine module includes the task currently being scanned, the scanning duration and resource usage such as memory.
Preferably, the data storage module stores two types of data: metadata used by the code scanning engine module, and data generated by users while using the mobile application source code security audit system based on code dynamic analysis.
Preferably, the data generated by users while using the mobile application source code security audit system based on code dynamic analysis comprises user information, product information, code security scanning task data and code security scanning reports.
The application achieves the following beneficial effects:
1. It adopts virtual execution, a new generation of code security analysis technology, and to a considerable extent solves the low efficiency and low accuracy of first- and second-generation techniques based on pattern matching and data-flow/control-flow analysis;
2. It solves many of the problems of traditional code security scanning tools, reducing the labour and time wasted on dealing with invalid findings and also reducing the security risk that findings missed by traditional code scanning tools pose to the company;
3. The system can be customised to the company's actual needs, further improving efficiency and comprehensively raising the company's code security level at the lowest cost.
Drawings
FIG. 1 is a block diagram of a mobile application source code security audit system based on code dynamic analysis according to the present application;
FIG. 2 is a flow chart illustrating dynamic tracking and analysis of program code by a virtual executor in an embodiment of the present application;
FIG. 3 is a schematic flow chart illustrating a code scan analysis performed by the code scan engine module in the embodiment of the present application;
FIG. 4 is a security vulnerability level distribution diagram in an embodiment of the present application;
FIG. 5 is a security vulnerability type distribution diagram in the embodiment of the present application.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples only illustrate the technical solution of the present invention more clearly and do not limit the scope of protection of the application.
As shown in FIG. 1, the mobile application source code security audit system based on code dynamic analysis of the present application enables customers to raise the security level of their products comprehensively and at lower cost, through clear and readable vulnerability analysis reports, rich statistics, reports and graphical displays, and flexible deployment and scanning modes.
The system comprises a code scanning engine module, an application presentation layer module and a data storage module;
the code scanning engine module cooperates with the application presentation layer module to plan and create code security scanning tasks, run the scans and generate reports;
the application presentation layer module is the front-end interface of the mobile application source code security audit system and provides an integration interface for external systems, comprising an IDE plug-in integration interface, a continuous integration tool integration interface and a bug tracking system integration interface;
the data storage module stores the data of the mobile application source code security audit system.
In an embodiment, the data storage module stores two types of data: metadata used by the code scanning engine module, and data generated by users while using the mobile application source code security audit system based on code dynamic analysis, which comprises user information, product information, code security scanning task data and code security scanning reports.
The application adopts a modular design: the application presentation layer, the code scanning engine and the data storage can be deployed as independent subsystems and scaled out according to the operating environment and data load.
The code scanning engine module is the core that finds potential security problems in complex code. It uses virtual execution technology, which the application describes as original in the industry, for code analysis and vulnerability mining: the target application is loaded and run in a dedicated virtual machine, and its run-time behaviour is tracked dynamically as it runs, so that the program logic is understood more completely and accurately. Because the code analysis engine is purpose-built for security vulnerability mining, the analysis concentrates on the exact technical details relevant to security risk, which greatly improves the accuracy of vulnerability mining.
The code scanning engine module comprises a virtual intermediate language code translator, a security scanning rule module, a virtual executor and a scan report generator;
the virtual intermediate language code translator translates the code of the project or product under scan into virtual intermediate language code, simplifying the analysed program's instructions during translation and keeping only the information relevant to security vulnerabilities, which improves both the efficiency and the accuracy of the security scan;
the application defines its own virtual intermediate language; when code is scanned, the analysed code is first converted into virtual intermediate language code, and the translated virtual intermediate language code is then scanned to find potential security problems.
The benefits of this design are:
easy extension to multiple languages: because analysis is performed on the virtual intermediate language rather than on the language the project or product was written in, the code scanning engine does not depend on any particular development language; to add support for a new development language, in principle only a translator for that language has to be implemented;
better security analysis accuracy: the code scanning engine analyses code by dynamic execution, and the large amount of security-irrelevant logic in the analysed code would otherwise affect the accuracy of the final analysis; by simplifying the code sensibly when translating it into the virtual intermediate language and eliminating much security-irrelevant logic, the accuracy of the security analysis is improved;
faster security analysis: because the code is simplified during translation and much security-irrelevant logic is eliminated, the speed of code security analysis is greatly improved.
The security scanning rule module defines the characteristics of the different security vulnerability types and the security scanning rules for them;
the system focuses on Web security vulnerability scanning; the currently supported development languages include Java, JSP, C, C++ and others, and more than 40 security vulnerability types are supported, covering input validation, cryptography, technology and protocol related vulnerabilities as well as unsafe programming habits, so that the basic security threats to Web applications are fully covered.
The main security vulnerability types are shown in Table 1:
Table 1 Android platform major security vulnerability types: names and descriptions
[Table 1 is present in the original only as an image]
During scanning, the code scanning engine module identifies the security vulnerabilities in the source code from the characteristics corresponding to each vulnerability type. The detection process for the common SQL injection vulnerability is described in detail as follows:
1) after scanning starts, the virtual intermediate language code translator translates the code of the project under scan into virtual intermediate language code;
2) the virtual executor then dynamically analyses and judges the code instruction by instruction in combination with the security scanning rules, submitting the SQL parameter into the query string via GET, POST or Cookie to generate a URL request;
3) the code analysis engine in the virtual executor judges the result returned by the code under test for the submitted SQL parameter;
4) the code analysis engine in the virtual executor judges whether the SQL parameter can be injected into the SQL; if database payload information can be obtained, the code analysis engine performs dynamic analysis to obtain the corresponding sensitive data, such as the database name, database user name, password and table structure;
5) finally, the scan report generator produces the corresponding source code security defect audit report.
Note that steps 2 to 4, as described, submit the parameter in a request and inspect the response, so the judgement rests on the application's observed behaviour and not on the translated code alone.
The virtual executor loads and executes the translated virtual intermediate language code and mines potential security problems according to the security scanning rules;
in the embodiment, during code scanning the code scanning engine module loads the translated virtual intermediate language code into a virtual machine and starts the virtual executor;
in this controlled execution the virtual executor dynamically tracks and analyses the run-time behaviour of the program code, so that the program logic is understood more completely and accurately.
As shown in FIG. 2, the virtual executor dynamically tracks and analyses the program code as follows:
step one: load the translated virtual intermediate language code into the virtual machine;
step two: search the virtual intermediate language code for potential security risk points according to the preset analysis target;
step three: read the instructions of the method containing a potential risk point one by one and simulate the operand stack to obtain the data flowing into the risk point;
step four: evaluate the data obtained for the risk point; if part of it is unknown, the code scanning engine locates the method that produced the unknown part, treats it as a new potential risk point and returns to step three, until the properties of all data flowing into the risk point are determined, at which point the data obtained by dynamic analysis, namely the data flowing into the potential risk point, is output;
step five: the code analysis engine in the virtual executor judges, according to the security scanning rules, whether the data obtained by dynamic analysis can cause a real security problem; if it can, the source code is judged to have a security vulnerability.
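The five steps above (and the SQL injection detection process described earlier in this section, read as a code-level check) amount to a backward taint analysis over a stack-based intermediate language: sinks are the risk points, the operand stack is simulated to learn what data reaches each sink, and any data whose origin is another method is resolved by analysing that method in turn. The following is an added example of that procedure, written for this page and not the patent's engine: the instruction set, the source/sink/sanitizer tables and the sample program are all constructed here, because the application does not publish its virtual intermediate language. It goes slightly beyond the text in one respect, resolving an unknown part that is a method parameter by looking at what each caller passes, which is the "source method" of that data.

```python
"""Backward taint analysis over a tiny stack-based intermediate language.

Added example, not the patented system's code: the IR, the sample program
and the rule tables are constructed here for illustration, since the
application does not publish its virtual intermediate language.
"""

SOURCES = {"intent_extra", "http_param"}              # attacker-controlled inputs
SINKS = {"SQLiteDatabase.rawQuery": "SQL injection"}  # risk points the rule targets
SANITIZERS = {"DatabaseUtils.sqlEscapeString"}        # calls whose result is safe
MAX_DEPTH = 16                                        # guard for cyclic call graphs


def simulate(program, name, args=()):
    """Step three: walk one method's instructions, simulating the operand
    stack.  Each value is a frozenset of labels saying where its data came
    from; ('ret', callee, args) and ('param', method, i) labels mark the
    'unknown parts' resolved later.  Returns (events, return labels), where
    events are ('sink', sink_name, labels) or ('call', callee, arg_labels)."""
    stack, env, events, ret = [], {}, [], frozenset({"const"})
    for ins in program[name]:
        op = ins[0]
        if op == "const":
            stack.append(frozenset({"const"}))
        elif op == "source":                      # e.g. Intent.getStringExtra
            stack.append(frozenset({ins[1]}))
        elif op == "param":                       # formal parameter i
            i = ins[1]
            stack.append(args[i] if i < len(args) else frozenset({("param", name, i)}))
        elif op == "load":
            stack.append(env[ins[1]])
        elif op == "store":
            env[ins[1]] = stack.pop()
        elif op == "concat":                      # taint of either half survives
            b, a = stack.pop(), stack.pop()
            stack.append(a | b)
        elif op == "call":
            callee, argc = ins[1], ins[2]
            cargs = tuple(stack[len(stack) - argc:])
            del stack[len(stack) - argc:]
            events.append(("call", callee, cargs))
            if callee in SANITIZERS:
                stack.append(frozenset({"sanitized"}))
            elif callee in program:               # in-scope method: placeholder
                stack.append(frozenset({("ret", callee, cargs)}))
            else:                                 # opaque library: propagate taint
                stack.append(frozenset().union(*cargs) or frozenset({"const"}))
        elif op == "sink":
            events.append(("sink", ins[1], stack.pop()))
        elif op == "return":
            ret = stack.pop()
    return events, ret


def resolve(program, labels, depth=0):
    """Step four: replace each unknown part by analysing the method it came
    from, which becomes a new risk point: a 'ret' label by the callee's return
    data, a 'param' label by what every caller passes at its call site."""
    out = set()
    for lab in labels:
        if not isinstance(lab, tuple):
            out.add(lab)
        elif depth >= MAX_DEPTH:
            out.add("unresolved")
        elif lab[0] == "ret":
            _, ret = simulate(program, lab[1], lab[2])
            out |= resolve(program, ret, depth + 1)
        else:
            _, method, i = lab
            passed = [ev[2][i] for m in program for ev in simulate(program, m)[0]
                      if ev[0] == "call" and ev[1] == method and i < len(ev[2])]
            if not passed:                        # e.g. a framework entry point
                out.add("unresolved")
            for a in passed:
                out |= resolve(program, a, depth + 1)
    return frozenset(out)


def scan(program):
    """Steps one, two and five: find every sink instruction (risk point),
    determine the data flowing into it and apply the rule: data that still
    carries a source label when it reaches the sink is a real vulnerability.
    Keying on (method, sink) de-duplicates repeated reports."""
    findings = {}
    for name in program:
        for ev in simulate(program, name)[0]:
            if ev[0] == "sink" and ev[1] in SINKS:
                labels = resolve(program, ev[2])
                if labels & SOURCES:
                    findings[(name, ev[1])] = (SINKS[ev[1]], sorted(labels & SOURCES))
    return findings


# Constructed sample program in the hypothetical IR: a string-built query that
# reaches rawQuery through a helper's parameter, the same flow escaped first,
# and a parameterised query whose user value never enters the SQL string.
PROGRAM = {
    "LoginActivity.onCreate": [
        ("source", "intent_extra"), ("store", "user"),
        ("const", "SELECT * FROM users WHERE name='"), ("load", "user"),
        ("concat",), ("const", "'"), ("concat",),
        ("call", "UserDao.find", 1), ("return",),
    ],
    "UserDao.find": [("param", 0), ("sink", "SQLiteDatabase.rawQuery")],
    "SafeDao.find": [
        ("source", "intent_extra"), ("call", "DatabaseUtils.sqlEscapeString", 1),
        ("store", "q"), ("const", "SELECT * FROM users WHERE name="),
        ("load", "q"), ("concat",), ("sink", "SQLiteDatabase.rawQuery"),
    ],
    "ParamDao.find": [
        ("const", "SELECT * FROM users WHERE name=?"),
        ("sink", "SQLiteDatabase.rawQuery"),      # bind argument is not a risk point
        ("source", "intent_extra"), ("store", "bind_args"),
    ],
}

if __name__ == "__main__":
    for (method, sink), (vuln, srcs) in scan(PROGRAM).items():
        print(f"{vuln}: {method} -> {sink}, tainted by {srcs}")
```

Only `UserDao.find` is reported: the data reaching its `rawQuery` sink is a parameter (an unknown part), the only caller passes a string built from an intent extra, and no sanitizer intervened. The escaped flow and the parameterised query produce no finding, which is the false-positive reduction the text attributes to simulating the actual data rather than matching on the sink name. The analysis is straight-line (no branches or loops) and the opaque-library rule is deliberately conservative; both are places a real engine's rule set would refine.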
The scan report generator classifies, sorts and de-duplicates the security problems found during code analysis and grades the security threat level of each discovered vulnerability as severe, high-risk, medium-risk or low-risk.
The code scanning analysis performed by the code scanning engine module is shown in FIG. 3. Traditional code scanning tools often require the project's build and packaging scripts and process to be modified; for the complex build and packaging process of a large project this work is time-consuming, labour-intensive and error-prone, and it frequently causes conflicts and confusion between the code scanning environment and the normal project packaging environment.
In an embodiment, the application presentation layer module comprises a basic data management module, a code security scanning task management module, a code security scanning report management module and a code scanning engine monitoring module;
the basic data management module handles user/account management, product management and permission management, so that users with different permissions see the views appropriate to them; this meets the needs of security work, provides complete access control and keeps sensitive information from being exposed;
the code security scanning task management module provides two kinds of scanning task, immediate scans and periodic scans, to meet the needs of different scenarios;
the code security scanning report management module is used to view summary reports, view detailed reports and download reports, and also to review security vulnerabilities interactively in association with the source code and to track the handling status of each vulnerability;
the code scanning engine monitoring module is used to view the working state of the code scanning engine module (such as the task currently being scanned, the scanning duration and resource usage such as memory) and gives the administrator the information needed to understand the system's running state and load.
The code scanning engine module cooperates with the application presentation layer module to complete the planning, creation, scanning and report generation of a code security scanning task, as follows:
the characteristics and security scanning rules of the different security vulnerability types are predefined through the security scanning rule module in the code scanning engine module;
after the application presentation layer module creates a source code scanning task, it calls the code scanning engine module;
in the code scanning engine module, the virtual intermediate language code translator translates the code into virtual intermediate language code, the virtual executor then scans and detects it, dynamically analysing the code and judging each item one by one against the scanning rules, and finally the scanning report generator produces the corresponding source code security defect audit report.
The application presentation layer module creates a source code scanning task in the following steps:
adding a product through the basic data management function module, entering the product name and selecting J2EE or Android as the type of file to scan;
after the project is saved, the system enters the scanning task list, where the details of the scanning task are selected: the scanning type is instant or periodic scanning, the vulnerability levels are critical, high-risk, medium-risk and low-risk, and the scanning strategy is configured to select all vulnerability types of the system together with the version number; the APK package is then uploaded and the save button is clicked to start code vulnerability scanning. The procedure is simple and convenient.
The product management function of the application presentation layer supports adding a product and uploading its APK, so that the existing APK of a Java project can be scanned directly without changing the application system's compilation and packaging process, avoiding the tedious and error-prone modification and trial of configuration. If the exact position of a vulnerability in the source code needs to be shown, the user can also upload the source code to the detailed report of the corresponding test item in the system's 'scanning task list'. The user can set periodic scheduled scanning according to specific requirements; scanning is fast and accurate and can be flexibly integrated into various software development workflows, including agile development.
A specific application example is as follows:
on 30 October 2019 the system performed a security audit of the source code of the 'intelligent capital construction management and control platform APK' of State Grid Shandong Electric Power Company.
The code scan summary report is shown in table 2:
TABLE 2 Code scan summary report
Application system name: Intelligent capital construction management and control platform APK
Scanning type: Instant scanning
Product code package name:
Scanned vulnerability levels: Critical, high, medium and low risk
Scanning strategy: Scanning strategy
Engine version number: v2019.02
Scan start time: 2019-10-30 08:58:37
Scan duration: 3 minutes 49 seconds
Total number of files scanned: 3490
Total lines of code scanned: 103265
Total number of vulnerabilities found: 2249
Number of vulnerabilities of high risk or above: 1
Scan completion: 100.00%
The security vulnerability levels are defined as follows:
a security vulnerability is closely related to an information asset and may be threatened and exploited under certain conditions or environments, causing loss of the asset. Vulnerabilities arise for various reasons, such as quality problems during software development, configuration mistakes by system administrators and security management issues; their common feature is that they give an attacker an opportunity to attack the information asset. With reference to internationally accepted standards and experience, this evaluation classifies the severity of the vulnerabilities present in the asset into four grades, critical (C), high risk (H), medium risk (M) and low risk (L), as shown in table 3:
TABLE 3 Security vulnerability level and definition (table supplied as an image in the original; contents not reproduced)
The security vulnerability level distribution and the security vulnerability type distribution are respectively shown in fig. 4 and fig. 5.
The security vulnerability profile is shown in table 4:
TABLE 4 Security vulnerability profile (table supplied as an image in the original; contents not reproduced)
Through auditing and evaluating the source code of the 'intelligent capital construction management and control platform APK' project, the method and device determine whether the application system contains vulnerabilities that an attacker could actually exploit and the risk they pose, thereby evaluating the project's level of security protection, quantifying the security risk and providing a practical basis for corresponding countermeasures and solutions.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.

Claims (13)

1. A mobile application source code security audit system based on code dynamic analysis, characterized in that:
the mobile application source code security audit system comprises a code scanning engine module, an application presentation layer module and a data storage module;
the application presentation layer module is the front-end interface of the mobile application source code security audit system and provides external system integration interfaces;
the code scanning engine module cooperates with the application presentation layer module to implement the planning, creation, scanning and report generation of code security scanning tasks;
the data storage module is used for storing the data of the mobile application source code security audit system;
the code scanning engine module comprises a virtual intermediate language code translator, a security scanning rule module, a virtual executor and a scanning report generator;
the virtual intermediate language code translator is responsible for translating the code of the scanned project/product into virtual intermediate language code and, during translation, simplifies the instructions of the analysed program, retaining only the information related to security vulnerabilities, so as to improve the efficiency and accuracy of code security scanning;
the security scanning rule module is used to define the characteristics and security scanning rules of different security vulnerability types;
the virtual executor loads and executes the converted virtual intermediate language code and mines potential security problems according to the security scanning rules;
the scanning report generator classifies and deduplicates the security problems found during code analysis and grades the security threat level of the discovered security vulnerabilities;
during code scanning, the code scanning engine module loads the converted virtual intermediate language code into a virtual machine and forcibly starts the virtual executor;
during its controlled run, the virtual executor dynamically tracks and analyses the runtime behaviour of the program code, so as to understand the program logic more comprehensively and accurately;
the process by which the virtual executor dynamically tracks and analyses the program code is as follows:
step one: loading the converted virtual intermediate language code into the virtual machine;
step two: searching for potential security risk points in the virtual intermediate language code according to a preset analysis target;
step three: reading the instructions of the method containing the potential security risk point one by one and simulating the data stack, so as to obtain the data flowing into the risk point;
step four: evaluating the obtained data flowing into the risk point; if part of the data is still unknown, the code scanning engine finds the source method of that unknown part, treats the unknown part as a new potential security risk point and returns to step three; once the nature of all data flowing into the risk points has been determined, the dynamic analysis of the method is complete and the data obtained by dynamic analysis is output;
step five: the code analysis engine in the virtual executor judges, according to the security scanning rules, whether the data obtained by dynamic analysis can cause a real security problem; if it can, the source code is judged to contain a security vulnerability.
2. The mobile application source code security audit system based on code dynamic analysis according to claim 1, characterized in that:
the scanning report generator grades the discovered security vulnerabilities with a security threat level of critical, high-risk, medium-risk or low-risk.
3. The mobile application source code security audit system based on code dynamic analysis according to claim 1, characterized in that:
the code scanning engine module cooperates with the application presentation layer module to complete the planning, creation, scanning and report generation of code security scanning tasks, the process being:
the characteristics and security scanning rules of the different security vulnerability types are predefined through the security scanning rule module in the code scanning engine module;
after the application presentation layer module creates a source code scanning task, it calls the code scanning engine module;
in the code scanning engine module, the virtual intermediate language code translator translates the code into virtual code, the virtual executor then scans and detects it, dynamically analysing the code and judging each item one by one in combination with the scanning rules, and finally the scanning report generator generates the corresponding source code security defect audit report.
4. The mobile application source code security audit system based on code dynamic analysis according to claim 1, characterized in that:
the security vulnerability types comprise permission check vulnerabilities, component analysis vulnerabilities, advertisement module analysis vulnerabilities, sensitive API analysis vulnerabilities, third-party component analysis vulnerabilities, code injection analysis vulnerabilities, information storage analysis vulnerabilities, unreleased resource analysis vulnerabilities, sensitive information leakage analysis vulnerabilities, bad practice vulnerabilities and privacy violation vulnerabilities.
5. The mobile application source code security audit system based on code dynamic analysis according to claim 4, characterized in that:
during scanning, the code scanning engine module identifies the security vulnerabilities present in the source code according to the characteristics corresponding to each security vulnerability type:
the permission check vulnerability is detected by extracting the permissions and checking whether too many permissions are requested, whether custom permissions are used and whether the authorization carries risk;
the component analysis vulnerability is detected by enumerating all components and analysing whether a component is exposed externally, whether its permissions are set correctly, whether its attributes are set correctly and whether its permissions are overridden;
the advertisement module analysis vulnerability is detected by extracting all advertisement modules and analysing them for vulnerabilities;
the sensitive API analysis vulnerability is detected by enumerating all sensitive APIs and their call stacks;
the third-party component analysis vulnerability is detected by analysing whether the third-party components in use have vulnerabilities;
the code injection analysis vulnerability is detected by analysing whether the system has vulnerabilities such as SQL injection, XSS, and code execution caused by reflection and dynamic loading;
the information storage analysis vulnerability is detected by analysing whether the location and manner of information storage are correct;
the unreleased resource analysis vulnerability is detected by analysing whether resources used by the application system are released after use;
the sensitive information leakage analysis vulnerability is detected by analysing whether information may be leaked during transmission and storage;
the bad practice vulnerabilities include the application enabling debug mode, weak authentication, use of internal APIs and components lacking permission settings;
the privacy violation vulnerability includes collecting the user's private information without the user's permission.
6. The mobile application source code security audit system based on code dynamic analysis according to claim 1, characterized in that:
the external system integration interfaces provided by the application presentation layer module include an IDE plugin integration interface, a continuous integration tool integration interface and a bug tracking system integration interface.
7. The mobile application source code security audit system based on code dynamic analysis according to claim 1, characterized in that:
the application presentation layer module comprises a basic data management module, a code security scanning task management module, a code security scanning report management module and a code scanning engine monitoring module;
the basic data management function module is used for user/account management, product management and permission management, so that users with different permissions see the views appropriate to them, which meets the needs of security work while providing permission control that prevents sensitive information from being exposed;
the code security scanning task management module provides two types of scanning task, instant scanning and periodic scanning, to meet the needs of different scenarios;
the code security scanning report management module is used for viewing summary reports, viewing detailed reports and downloading reports;
the code scanning engine monitoring module is used for viewing the working state of the code scanning engine module and provides the administrator with the information needed to understand the system's running state and load.
8. The mobile application source code security audit system based on code dynamic analysis according to claim 7, characterized in that:
the steps by which the application presentation layer module creates a source code scanning task are:
adding a product through the basic data management function module, entering the product name and selecting the type of file to scan;
after the project is saved, entering the scanning task list and selecting the details of the scanning task, including the scanning type (instant scanning or periodic scanning), the vulnerability level (critical, high-risk, medium-risk or low-risk), the scanning strategy configured to select all vulnerability types of the system, and the version number; then uploading the APK package and starting code vulnerability scanning.
9. The mobile application source code security audit system based on code dynamic analysis according to claim 8, characterized in that:
the types of file to scan include J2EE and Android.
10. The mobile application source code security audit system based on code dynamic analysis according to claim 7, characterized in that:
the code security scanning report management module is also used for interactive viewing of security vulnerabilities linked to the source code and for tracking the processing status of security vulnerabilities.
11. The mobile application source code security audit system based on code dynamic analysis according to claim 7, characterized in that:
the working state of the code scanning engine module includes the task currently being scanned, the scanning duration and resource usage such as memory.
12. The mobile application source code security audit system based on code dynamic analysis according to claim 1, characterized in that:
the data storage module stores two types of data: the metadata used by the code security scanning engine module, and the data generated by users while using the mobile application source code security audit system based on code dynamic analysis.
13. The mobile application source code security audit system based on code dynamic analysis according to claim 12, characterized in that:
the data generated by users while using the mobile application source code security audit system based on code dynamic analysis includes user information, product information, code security scanning task data and code security scanning reports.
CN201911247159.2A 2019-12-09 2019-12-09 A mobile application source code security audit system based on code dynamic analysis Active CN111008376B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911247159.2A CN111008376B (en) 2019-12-09 2019-12-09 A mobile application source code security audit system based on code dynamic analysis

Publications (2)

Publication Number Publication Date
CN111008376A CN111008376A (en) 2020-04-14
CN111008376B true CN111008376B (en) 2021-11-05

Family

ID=70114071

Country Status (1)

Country Link
CN (1) CN111008376B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111611590B (en) * 2020-05-22 2023-10-27 支付宝(杭州)信息技术有限公司 Methods and devices for data security involving applications
CN111881456A (en) * 2020-07-29 2020-11-03 江苏云从曦和人工智能有限公司 Security risk management and control method, device, equipment and medium
CN111858378A (en) * 2020-07-30 2020-10-30 重庆都会信息科技有限公司 PHP code auditing system
CN112269984B (en) * 2020-09-23 2023-07-11 江苏三台山数据应用研究院有限公司 Automatic code audit platform system for guaranteeing source code safety
CN112329020A (en) * 2020-11-05 2021-02-05 国网江苏省电力有限公司信息通信分公司 A kind of automatic detection method and device based on power data middle station safety rules
CN112511512A (en) * 2020-11-19 2021-03-16 北京凌云信安科技有限公司 Vulnerability scanning engine and risk management system of threat detection engine
CN112632546A (en) * 2020-12-31 2021-04-09 华数传媒网络有限公司 Automatic code analysis method for broadcasting and television industry
CN113010298A (en) * 2021-04-29 2021-06-22 中国工商银行股份有限公司 Self-diagnosis scheduling method and device for static code scanning tool
CN113886823B (en) * 2021-09-27 2025-05-09 深圳开源互联网安全技术有限公司 A source code package vulnerability analysis method, device, terminal and storage medium
CN115563617B (en) * 2022-08-25 2025-10-10 华北电力科学研究院有限责任公司 Source code vulnerability detection method and device
CN116089262A (en) * 2022-11-23 2023-05-09 北京东方通科技股份有限公司 Code security scanning system and method based on code dynamic analysis
CN115795481A (en) * 2022-12-12 2023-03-14 深圳供电局有限公司 A method and system for automatic scanning of electric energy metering software code vulnerabilities

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242279A (en) * 2008-03-07 2008-08-13 北京邮电大学 Automated Penetration Testing System and Method for WEB System
CN101808093A (en) * 2010-03-15 2010-08-18 北京安天电子设备有限公司 System and method for automatically detecting WEB security
CN103793652A (en) * 2012-10-29 2014-05-14 广东电网公司信息中心 Application system code safety scanning device based on static analysis
CN104410617A (en) * 2014-11-21 2015-03-11 西安邮电大学 Information safety attack and defense system structure of cloud platform
CN105740135A (en) * 2014-12-08 2016-07-06 中国移动通信集团山西有限公司 Code auditing method and apparatus
CN106411578A (en) * 2016-09-12 2017-02-15 国网山东省电力公司电力科学研究院 Website monitoring system and method applicable to power industry
CN106611122A (en) * 2015-10-27 2017-05-03 国家电网公司 Virtual execution-based unknown malicious program offline detection system
CN106713365A (en) * 2017-02-28 2017-05-24 郑州云海信息技术有限公司 Cloud environment-based network security system
CN107169360A (en) * 2017-06-14 2017-09-15 广东电力发展股份有限公司沙角A电厂 The detection method and system of a kind of source code security loophole
CN107273751A (en) * 2017-06-21 2017-10-20 北京计算机技术及应用研究所 Security breaches based on multi-mode matching find method online
CN109379373A (en) * 2018-11-23 2019-02-22 中国电子科技网络信息安全有限公司 A cloud security assessment system and method
US10498758B1 (en) * 2017-06-28 2019-12-03 Armis Security Ltd. Network sensor and method thereof for wireless network vulnerability detection
CN110543770A (en) * 2019-09-02 2019-12-06 南瑞集团有限公司 vulnerability detection method, device and system for open source software
CN110543422A (en) * 2019-09-05 2019-12-06 中国人民解放军国防科技大学 A software package code defect data processing method, system and medium for FPR

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140032733A1 (en) * 2011-10-11 2014-01-30 Citrix Systems, Inc. Policy-Based Application Management


Also Published As

Publication number Publication date
CN111008376A (en) 2020-04-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant