Network information security
Network information security is an important issue related to national security, social stability, and the inheritance and promotion of national culture. Its importance is becoming increasingly significant with the acceleration of global informatization. Network information security refers to the protection of the hardware, software and data within a network information system from malicious attacks and penetrations that could lead to information leakage, ensuring the continuous, reliable and normal operation of the system and the uninterrupted provision of network services. In essence, information security refers to the security of information on the network. In a broad sense, all technologies and theories related to the confidentiality, integrity, availability, authenticity and controllability of information on the network fall within the research field of network security. From the perspective of network operation and management, they hope that operations such as accessing, reading and writing local network information are protected and controlled to avoid threats such as "trapdoor", viruses, illegal access, denial of service, and illegal occupation and control of network resources, and to stop and defend against attacks by network hackers. For information security and confidentiality departments, they hope to filter and block illegal, harmful or information involving state secrets, prevent the leakage of confidential information, avoid causing harm to society and huge losses to the country. From the perspectives of social education and ideology, unhealthy content on the Internet can pose obstacles to social stability and human development, and it must be controlled.

Network information security is becoming increasingly important to us. It is not only related to national security and enterprise security, but also closely related to our lives. In our daily life, various shopping apps, payment apps, mobile banking, smart devices, home interconnection devices, etc. all have a crucial impact on us at all times. Once these facilities are exposed to vulnerabilities, they will be exploited by lawbreakers. It causes irreparable economic losses to the country and enterprises and even threatens national defense security.
CNAS Qualification Information Security Assessment Report
Among the objects of CNAS qualification testing by the National Accreditation Service for Conformity Assessment, software products include basic software, development support software, general application software, and industry application software. Information security is included in the testing parameters. Information security falls under "Systems and Software Engineering - Quality Requirements and Evaluation of Systems and Software (SQuaRE) - Part 51: Quality Requirements and Test Details for ready-to-use Software Products (RUSP)" GB/T 25000.51-2016 5.3.6, indicating that the laboratory has conducted tests on the test itemSecurity Vulnerability ScanSubsequently, the "CNAS Qualification Information Security Evaluation Report" issued was recognized by the National Accreditation Service, and the report can be used for expert group review.
What does information security assessment include
Application security
Identity verification
Enable the application system identity authentication function and provide a unique check function for user identity identifiers to ensure that there are no duplicate user identity identifiers in the application system and that identity verification information is not easily misused. The password length for the administrator account must be at least 8 characters. The password must consist of characters (a-z, A-Z), numbers (0-9), and symbols (~!). At least two of the @#$%^&*()_<> should be selected for combination. The password for a regular account should be at least 6 digits long and consist of non-pure numbers or letters. Password verification is implemented in the database stored procedure.
It has the function of handling login failures.
It has the function of limiting the number of illegal logins.
Set the user login connection timeout and automatically exit.
Access Control
The application authorizes users to set permissions for accessing and operating program functions and user data.
Implement the separation of permissions for privileged users of applications and allocate management and auditing permissions to different application users.
Permission separation adopts the principle of minimum authorization, granting different users the minimum permissions they need to complete the tasks they undertake respectively.
Restrict the access rights of anonymous users.
Security Audit
Security audits cover every user of the application.
Security audits record important security-related events of the application, including significant user behaviors, abnormal use of system resources, and execution of important program functions, etc.
Records of security-related events include date and time, type, subject identification, object identification, and the outcome of the event, etc.
Security audits can analyze recorded data and generate audit reports.
Communication integrityThe two communicating parties use the agreed cryptographic algorithm to calculate the message verification code of the communication data message. During communication, both parties determine the validity of the other party's message based on the verification code.
Communication confidentiality
When one of the communicating parties does not respond for a period of time, the other party can automatically end the conversation.
Before the two communicating parties establish a session, the session initialization verification is carried out by using cryptographic technology.
During the communication process, the entire message or session process is encrypted.
Software fault tolerance
Conduct validity checks on the input data.
It provides a fallback function, that is, it allows fallback according to the sequence of operations.
Resource control
Limit multiple concurrent sessions for a single user.
Limit the maximum number of concurrent session connections for the application.
Limit the number of possible concurrent session connections within a certain period of time.
It is prohibited for the same user account to log in concurrently at the same time.
Code quality
Strictly limit the access rights of Web directories to avoid path traversal attacks.
When providing the download function, it is necessary to strictly limit the path for users to download files to prevent them from illegally downloading other files of the application system.

Vulnerability scanning
SQL Injection
There are no SQL, OS or LDAP injection vulnerabilities.
Failed identity authentication and session management
There are no failed identity authentication or session management vulnerabilities.
Cross-site Scripting (XSS
There is no cross-site scripting (XSS) vulnerability.
Unsafe direct object references
There are no vulnerabilities in unsafe direct object references.
Security configuration error
There are no security configuration error vulnerabilities.
Leakage of sensitive information
There is no vulnerability for the leakage of sensitive information.
Functional-level access control is missing
There is no vulnerability of missing functional-level access control.
Cross-site Request Forgery (CSRF
There is no cross-site request forgery (CSRF) vulnerability.
Use components containing known vulnerabilities
There is no vulnerability in using components with known vulnerabilities.
Unverified redirection and forwarding
There are no unverified redirection and forwarding vulnerabilities.
Business Process
I. Business Stage
The client can submit the software evaluation requirements via wechat, QQ, phone, etc
2. Our company's representative will conduct a preliminary analysis of the software's testability based on the evaluation requirements provided by the client
3. The client shall fill in the "Application Form for Entrusted Testing".
4. Our company's representative will provide the "Quotation for Entrusted Testing" to the client.
5. Both parties reach a consensus and sign the "Entrusted Testing Contract and Confidentiality Agreement".
Ii. Implementation Stage
Our company's technical personnel communicated with the technical personnel of the client's unit about the implementation plan and carried out the software evaluation and implementation work
2. Our company's technicians will provide the client with a list of software defects
After the client modifies the software defect, our technicians will conduct regression testing
Iii. Delivery Stage
Our technicians analyzed the test results, put forward reasonable optimization suggestions and risk avoidance methods
2. Our company's technical personnel have compiled the "CNAS Qualification Information Security Evaluation Report", which is also known as the CNAS evaluation report
3. Review the "Information Security Assessment Report
4. Affix the seal on the "Information Security Assessment Report" and finally deliver the report
The materials provided
Test application form
2. A list of system functions consistent with the application form
3. A user manual consistent with the application form
4. Task books, contract books, application materials, etc
Constraint conditions
Sign the "Software Testing Entrustment Contract" and the "Confidentiality Agreement
Test cycle
The "CNAS Qualification Information Security Assessment Report" will be issued within 3 to 10 working days
Service area
Software evaluation reports from regions such as Beijing, Shanghai, Tianjin, Chongqing, Liaoning Province, Heilongjiang Province, Jilin Province, Guangdong Province, Hainan Province, Fujian Province, Hunan Province, Sichuan Province, Chongqing Municipality, Guizhou Province, Yunnan Province, Guangxi Province, Hubei Province, Henan Province, Shandong Province, Gansu Province, Xinjiang Province, Xizang Autonomous Region, Hebei Province, Shaanxi Province, Shanxi Province, Zhejiang Province, and Jiangsu Province.
