Can the information security in the national standard GB-T 25000-2016 be tested in accordance with the national standard GB/T 22239-2019?

Conclusion

Yes, the information in GB/T 25000.51-2016Security TestingIt can be partially carried out in accordance with GB/T 22239-2019, but the specific requirements and test scope of both need to be combined.

软件测试国家标准25000.51

1. Standard relevance

  • GB/T 25000.51-2016The (Information Security Section) clearly stipulates that software products must comply with relevant standards and regulations, among whichGB/T 22239-2019The basic requirements for Cybersecurity level protection are one of the important reference bases.

  • GB/T 22239-2019As the core standard of the cybersecurity classification protection, it covers technical and management requirements such as secure physical environment, secure communication network, secure computing environment, and secure management center, and is in line with the information of GB/T 25000.51Security TestingThe content is highly overlapping.

2.Comparison of test contents

GB/T 25000.51-2016 Key Points for Information Security Testing

  • Confidentiality:

    • Check whether the data transmission and storage are encrypted (such as 3DES, AES).

    • The verification of account permissions follows the principle of least privilege.

  • Integrity:

    • Verify the integrity of data transmission and storage (such as hash algorithms, database constraints).

    • Ensure transaction atomicity and prevent data inconsistency.

  • Non-repudiation:

    • The immutability of audit logs.

    • Key operations adopt digital signatures.

  • Verifiability:

    • The audit log covers all user operations and records information such as the event date, time, and initiator.

  • Authenticity:

    • Identity verification mechanisms (such as two-factor authentication, password complexity requirements).

  • Compliance:

    • Verify whether the software complies with industry standards such as GB/T 22239.

Information Security Classification Protection GBT22239-2019

Key Requirements of GB/T 22239-2019

  • Secure computing environment:

    • Identity verification: Two or more verification methods are required, and the number of login failures is limited.

    • Access control: Least Privilege principle, permission separation.

    • Data integrity: Verification techniques (such as CRC, hash algorithms).

    • Non-repudiation: Audit log protection, digital signature.

  • Secure communication network:

    • Data transmission integrity verification.

    • Encryption technology (such as SSL/TLS).

Overlapping content

GB25000与GB22239相同内容


Different contents

GB25000与GB22239不通内容


3.The feasibility of the test basis

  • Technical implementation level:

    • In GB/T 22239-2019, regardingIdentity verification, data encryption, audit log, integrity checkThe requirements can be directly applied to the test of GB/T 25000.51.

    • For example, the confidentiality test of GB/T 25000.51 can refer to the requirements of GB/T 22239 for encryption algorithms and key management.

  • Management requirements level:

    • GB/T 22239 includes management requirements such as the safety management center and safety regulations, while GB/T 25000.51 focuses more on technical verification. Therefore, the management part needs to be tested separately.

  • Differences and Supplements:

    • GB/T 25000.51 emphasizesSoftware product function verification(Such as user permission allocation, session management), while GB/T 22239 focuses onSystem-level security protection(Such as network architecture, physical environment)

    • When testing, GB/T 25000.51 should be combinedCompliance ClauseVerify whether the software complies with the specific technical requirements of GB/T 22239.

4.Implementation suggestions

  1. Test case design:

    • Refer to the technical provisions related to information security in GB/T 22239 (such as identity authentication, data encryption, and audit logs).

    • Supplement the specific test items of GB/T 25000.51 (such as software permission allocation, session management).

  2. Tools and Methods:

    • Use vulnerability scanning tools (such as Nessus) to check for unauthorized access vulnerabilities.

    • Verify data encryption and integrity through protocol analysis tools such as Wireshark.

  3. Compliance verification:

    • Compare with the level protection requirements of GB/T 22239 (such as Level 2 and Level 3) to confirm whether the software meets the corresponding security functions.

Information of GB/T 25000.51-2016Security TestingCan bePartly in accordance with GB/T 22239-2019Carry it out, especially at the technical implementation level (such as encryption, identity authentication, and audit logs). However, attention should be paid to the differences in emphasis between the two to ensure full coverage of the six sub-characteristics (confidentiality, integrity, non-repudiation, verifiability, authenticity, and compliance) stipulated in GB/T 25000.51. It is recommended to design test cases in combination with the specific requirements of the two standards to achieve comprehensive verification.

Related article recommendations

National Standard for Software Testing GB/T 25000.51-2016

【 Standard 】 Summary Introduction of GB/T 25000.51-2016 National Standard


Related articles