“Network Security Technology Network Security Public Testing Service Requirements” released
FreeBuf
Recently, the National Network Security Standardization Technical Committee issued the “Cybersecurity Technology Network Security Crowd Testing Service Requirements” (GB/T 43741-2024, hereinafter the “Crowd Testing Service Requirements”), which will take effect on November 1, 2024.

The “Crowd Testing Service Requirements” establishes the roles and responsibilities in network security crowd testing services, describes the service process and stipulates service requirements. It applies to crowd testing demanders, crowd testing organizers, authorized testers and crowd testing auditors when they carry out network security crowd testing services.

The “Crowd Testing Service Requirements” was jointly compiled by the National Computer Network Emergency Technology Coordination Center, the China Electronics Technology Standardization Institute, the National Information Technology Security Research Center, Alibaba Cloud Computing Co., Ltd., Qi'anxin Netshen Information Technology (Beijing) Co., Ltd., China Mobile Communications Group Co., Ltd., the Institute of Software of the Chinese Academy of Sciences, Shanghai Douxiang Information Technology Co., Ltd. and other units and enterprises, in order to further promote the development of the crowd testing service industry.

China currently has a large number of network security practitioners. Most of them do technical or management work such as security protection at network security companies or in industries with strong security demand. A minority engage in destructive, profit-driven network security activity, including developing hacking tools, illegal intrusion and extortion. Guiding these people toward white-hat work, and making full use of their skills to help companies discover website vulnerabilities and resolve security risks, is a new direction.

At the same time, network security crowd testing, as a booming application of the network security industry, is in strong demand in many important sectors such as finance, communications and industry. Standardizing it will help promote the standardization and prosperity of the industry.

Because network security crowd testing services have lacked effective management, and because the security of the crowd testing services themselves has received little attention, current services carry security risks in the service process, personnel management, platform security and other areas. These may lead to information leakage, uncontrolled tester behavior, and new risks such as vulnerability trading.

Therefore, it is necessary to formulate unified national standards based on relevant industry practice.

The “Crowd Testing Service Requirements” further standardizes the security responsibilities, service processes and requirements of the roles involved in network security crowd testing services. The standard applies to crowd testing demanders, crowd testing organizers, authorized testers and crowd testing auditors when they carry out network security crowd testing services.

The main contents include:

(1) The definition and service process of network security crowd testing services;

(2) Possible security risks in network security crowd testing services;

(3) All relevant parties to the network security crowd testing service (crowd testing demander, crowd testing organizer, authorized tester, crowd testing auditor), the interactions between the parties during the implementation of a crowd testing project, and the responsibilities of each party;

(4) Requirements that all relevant parties should follow during the preparation, implementation and post-processing stages of network security crowd testing services. In the post-processing stage, the service results are delivered as a security crowd testing report and a security audit report. The security crowd testing report includes, but is not limited to: the security test objects, test time, testers, overall security situation analysis of the test objects, vulnerability distribution and analysis, vulnerability information, vulnerability repair suggestions and security protection suggestions. The security audit report includes, but is not limited to: the test scope, test time, testers, audit content and audit results;

(5) Security requirements for network security crowd testing service platforms, including user data isolation requirements, database hardening requirements, identity authentication requirements, access control requirements, etc.;

(6) A reference for the functions of network security crowd testing service platforms;

(7) A code of conduct for authorized testers, used to regulate the behavior of authorized testers.

This article is an Independent Point of View. No reproduction without permission; please contact FreeBuf customer service XiaoBee for authorization (WeChat: freebee2022).
