Cost-Effective and Active Security Verification Framework for Web Application Vulnerabilities

(Korean title: A Cost-Effective Active Security Inspection Framework for Web Application Vulnerability Analysis)

  • 한경현 (Department of Electronic and Computer Engineering, Hongik University) ;
  • 조훈 (School of Computing, KAIST) ;
  • 황성운 (Department of Computer Information and Communication Engineering, Hongik University) ;
  • 임채호 (School of Computing, KAIST)
  • Received : 2016.03.30
  • Accepted : 2016.07.25
  • Published : 2016.08.31

Abstract

Many companies have struggled to manage Web vulnerabilities, and security incidents have occurred frequently as a result. Current inspection methods are based mainly on the OWASP vulnerability categories; in practice, however, such methods find it very difficult to keep up with the frequent changes made to Web applications. In this paper, we first examine existing approaches to quantifying Web application vulnerabilities and the verification processes built on them. We then propose an improved inspection framework that focuses on removing the essential, realistically exploitable vulnerabilities and on an active verification process.

Acknowledgement

Grant: Electronic receipt processing and analysis system

Supported by: Institute for Information & Communications Technology Promotion (정보통신기술진흥센터)
