
Evaluation Methodology of Diagnostic Tool for Security Weakness of e-GOV Software

Evaluation Methodology of Security Weakness Diagnostic Tools for e-Government Software

  • Jiho Bang (Real-Time Systems Laboratory, Department of Computer Engineering, Hongik University) ;
  • Rhan Ha (Real-Time Systems Laboratory, Department of Computer Engineering, Hongik University)
  • Received : 2013.01.25
  • Accepted : 2013.04.09
  • Published : 2013.04.30

Abstract

SW weaknesses are the main cause of cyber breaches; if they are analyzed and removed during the SW development stages, such breaches can be prevented effectively. In the domestic (Korean) case, removing SW weaknesses by applying a Secure SDLC (SW Development Life Cycle) has become mandatory. Analyzing and removing SW weaknesses effectively requires reliable SW weakness diagnostic tools. We therefore propose functional requirements for a diagnostic tool suited to the domestic environment, together with an evaluation methodology that can assure the reliability of such tools. To analyze the effectiveness of the proposed evaluation framework, both the process and the results of a pilot application are presented.

Diagnosing and removing SW security weaknesses, the main cause of cyber intrusion incidents, during the SW development stage can effectively prevent such incidents. In Korea, applying secure SW development has become mandatory, so removing SW security weaknesses is now a required activity. Effectively diagnosing and removing SW security weaknesses requires the help of trusted SW security weakness diagnostic tools. This paper therefore proposes functional requirements for diagnostic tools suited to the domestic environment and an evaluation methodology that can assure the reliability of those tools. It then presents the procedure and results of a pilot application carried out to analyze the effectiveness of the proposed evaluation framework.
