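Security Checklist for Design Documents in the Software Life Cycle

  • 손경호 (Korea Information Security Agency)
  • 김승주 (Sungkyunkwan University, School of Information and Communication Engineering)
  • 원동호 (Sungkyunkwan University, School of Information and Communication Engineering)
  • Published: 2006.08.01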

Abstract

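In this paper, to improve security in the software development process, we propose a checklist for finding latent vulnerabilities based on the documents produced during the software development phases. At present, maintaining security within the software life cycle requires risk analysis at the design stage, and a verification step to confirm it is essential. Therefore, as a concrete method for finding vulnerabilities, this paper presents the items that must be verified in the development documents produced at the software design stage, through a vulnerability search based on CEM [2], the security evaluation methodology for the ISO/IEC 15408 (Common Criteria, hereafter CC) [1] standard.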

References

  1. 'Common Criteria for Information Technology Security Evaluation Version 2.3,' Aug. 2005, http://www.commoncriteriaportal.org/public/expert/index.php?menu=2
  2. International IT Security Evaluation Community, 'Common Evaluation Methodology 2.3', Aug. 2005
  3. C. Mann, 'Why Software Is so Bad,' Technology Review (July/August 2002)
  4. 'Hold developers liable for flaws' By Tom Espiner, ZDNet (UK)
  5. 'Software Security Standards for the Safe Realization of the IT839 Strategy', 김홍근, Information and Communication Standardization paper, TTA
  6. Improving Security Across The Software Development Life cycle, Task force Report, April 2004, (http://www.cyberpartnership.org)
  7. Herbsleb, J. et al. 'Benefits of CMM-Based Software Process Improvement: Initial Results.' CMU/SEI-94-TR-013, Software Engineering Institute, Carnegie Mellon University, 1994
  8. Goldenson, Dennis R. and Gibson, Diane L. 'Demonstrating the Impact and Benefits of CMMI', Special Report CMU/SEI-2003-SR-009, The Software Engineering Institute, Carnegie Mellon University, 2003
  9. Jones, Capers. Software Assessments, Benchmarks, and Best Practices, Reading, MA: Addison-Wesley, 2000
  10. Hayes, W. and J. W. Over, 'The Personal Software Process (PSP): An Empirical Study of the Impact of PSP on Individual Engineers.' CMU/SEI-97-TR-001, ADA335543. Pittsburgh, PA: The Software Engineering Institute, Carnegie Mellon University, 1997
  11. Davis, Noopur, and Mullaney, Julia, 'The Team Software Process in Practice: A Summary of Recent Results,' Technical Report CMU/SEI-2003-TR-014, September 2003
  12. Jones, Capers. Software Assessments, Benchmarks, and Best Practices, Reading, MA: Addison-Wesley, 2000
  13. Gary McGraw and Greg Morrisett, 'Attacking Malicious Code: A report to the Infosec Research Council', submitted to IEEE Software and presented to the Infosec Research Council. http://www.cigital.com/~gem/malcode.pdf [McGraw 2004] McGraw, Gary, 'Software Security', IEEE Security and Privacy, to appear March 2004
  14. IEEE P1074-2005: Roadmap for Optimizing Security in the System and Software Life Cycle © Bar Biszick-Lockwood/QualityIT Redmond, WA 2005
  15. ISO/IEC 12207 Software Life Cycle Processes http://www.12207.com/
  16. Howard, M., and S. Lipner, 'Inside the Windows Security Push,' IEEE Security & Privacy, vol. 1, no. 1, 2003, pp. 57-61, and Microsoft page, http://blogs.msdn.com/michael_howard/ https://doi.org/10.1109/MSECP.2003.1176996
  17. Bar Biszick-Lockwood, IT Quality and Security Assurance, 'Framework Solution for Life Cycle Security'
  18. D. Gilliam, J. Kelly, M. Bishop, 'Reducing Software Security Risk Through an Integrated Approach,' Proc. of the Ninth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (June, 2000), Gaithersburg, MD, pp.141-146
  19. Hall, Anthony, and Roderick Chapman, Correctness by Construction: Developing a Commercial Secure System, IEEE Software, January/February 2002, pp.18-25
  20. Neumann, Peter, Principles Assuredly Trustworthy Composable Architectures: (Emerging Draft of the) Final Report, December 2003