DOI QR코드

DOI QR Code

웹 응용 보안을 위한 객체지향 분석·설계 방법론

An Object-Oriented Analysis and Design Methodology for Security of Web Applications

  • Joo, Kyung-Soo (Dept. of Computer Software Engineering, SoonChunHyang University) ;
  • Woo, Jung-Woong (Dept. of Computer Software Engineering, SoonChunHyang University)
  • 투고 : 2013.04.08
  • 심사 : 2013.07.11
  • 발행 : 2013.08.31

초록

요즘 웹을 이용하여 많은 일들이 처리되고 있다. 이에 따라 다양하고 복잡한 기능을 가진 웹 기반의 응용 시스템들이 요구되고 있다. 이러한 웹 기반의 응용 시스템들을 효율적으로 개발하기 위하여 객체지향 분석 설계 방법론을 사용하고 있으며, 그 구현을 위하여 Java EE(Java Platform, Enterprise Edition) 기반의 기술들이 사용되기도 한다. 이렇게 개발된 웹 기반의 응용 시스템을 통해 많은 일들을 처리하면서 점차 보안과 관련된 이슈들이 중요해졌다. 이를 위하여 Java EE는 보안과 관련된 메커니즘을 제공하고 있지만, 효율적인 웹 응용 시스템을 개발하기 위한 객체지향 분석 설계 방법론과의 상호 연관성은 제공하지 못하고 있다. 이에 따라 Java EE 메커니즘에 따른 보안 방안은 개발 마지막 단계에서 비로소 구현되기 때문에, 요구사항 분석부터 구현에 이르기까지 시스템 개발 전 주기에 따른 일관된 보안 적용은 어려운 실정이다. 따라서 본 논문에서는 요구사항 분석부터 구현에 이르기까지, 보안이 강조된 '안전한 웹 응용 시스템을 위한 객체지향 분석 설계 방법론'을 제안한다. 제안한 객체지향 분석 설계 방법론은 보안에 관한 요구사항 분석과 시스템 분석 및 설계를 위하여 보안이 강조된 모델링 언어인 UMLsec을 사용하고, 그 구현을 위해서 Java EE 기반 기술 중 서블릿의 역할기반 접근제어(RBAC: Role Based Access Control)를 이용한다. 아울러 본 '웹 응용 보안을 위한 객체지향 분석 설계 방법론'을 온라인 뱅킹 시스템 개발에 적용하여 그 효율성을 확인하였다.

Nowadays many tasks are performed using the Web. Accordingly, many web-based application systems with various and complicated functions are being requested. In order to develop such web-based application systems efficiently, object-oriented analysis and design methodology is used, and Java EE(Java Platform, Enterprise Edition) technologies are used for its implementation. The security issues have become increasingly important. For such reasons, Java EE provides mechanism related to security but it does not provide interconnections with object-oriented analysis and design methodology for developing web application system. Consequently, since the security method by Java EE mechanism is implemented at the last step only, it is difficult to apply constant security during the whole process of system development from the requirement analysis to implementation. Therefore, this paper suggests an object-oriented analysis and design methodology emphasized in the security for secure web application systems from the requirement analysis to implementation. The object-oriented analysis and design methodology adopts UMLsec, the modeling language with an emphasis on security for the requirement analysis and system analysis & design with regard to security. And for its implementation, RBAC (Role Based Access Control) of servlet from Java EE technologies is used. Also, the object-oriented analysis and design methodology for the secure web application is applied to online banking system in order to prove its effectiveness.

키워드

참고문헌

  1. Brett D. McLaughlin, Gary Pollice, David West, "Head First Object Oriented Analysis & Design", pp.96-103, Hanbit Media. Inc, 2007.
  2. Han Jeong-Su, Kim Gwi-Jeong, Song Yeong-Jae, "Introduction to UML : Object-Oriented Design as in a friendly learning", Hanbit Media. Inc, pp. 58-66, 2009.
  3. Joo Kyung-Soo, Woo Jung-Woong, "A Development of the Unified Object-Oriented Analysis and Design Methodology for Security-Critical Web Applications Based on Object-Relational Data-Forcusing on Oracle 11g-", Korea Society of Computer Infomation, Vol. 17, No. 12, pp. 169-177, 2012. https://doi.org/10.9708/jksci/2012.17.12.169
  4. Eduardo Fernandez-Medinaa, Juan Trujillob, Rodolfo Villarroelc and Mario Piattinia, "Developing secure data warehouses with a UML extension", Journal Information Systems archive, vol. 32 No. 6, pp.826-856, 2007. https://doi.org/10.1016/j.is.2006.07.003
  5. G.Popp, J. Jurjens, G.Wimmel, R. Breu, "Security-Critical System Development with Extended Use Case", Asia-Pacific Software Engineering Conference, 5-1 self, 2003.
  6. Madan, s, "security Standards Perspective to Fortify Web Database Applications From Code Injection Attacks", International Conference on Intelligent Systems, Modelling and Simulation(ISMS), vol. 10, pp. 226-230, 2010.
  7. lqra Basharat, Farooque Anam, Abdul Wahab Muzaffar, "Database Security and Encryption: A Survey Study", International Journal of Computer Application, vol. 47, No. 12, pp28-34, 2012
  8. Cho Wan-Su, "UML 2 & UP Object-Oriented Analysis&design", pp.189-205, Hongrung Publishing Company, 2005.
  9. David Basin, Jugen Doser and Torsten Lodderstedt, "Model Driven Security: from UML Models to Access Control Infrastructures", ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 15 No. 1, pp39-91, 2006 https://doi.org/10.1145/1125808.1125810
  10. OWASP TOP 10, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  11. Certification : protect of on-line banking, http://www.tekbar.net/ko/network-knowledge/two-factor-authentication-the-protection-of.html
  12. Jeon Byeong-Seon, "CBD, WHAT&HOW", Wowbooks, pp. 189-205, 2005.
  13. R. Matulevicius, M. Dumas, "Towards Model Transformation between SecureUML and UMLsec for Role-based Access Control", IEEE, DB&IS, pp.339-352, 2010.
  14. Denis Hatebur, Maritta Heisel, Jan Jurjens, Holger Schmidt, "Systematic Development of UMLsec Design Models Based on Security Requirements", Lecture Notes in computer Science, Vol. 6603, pp.232-246, 2011. https://doi.org/10.1007/978-3-642-19811-3_17
  15. Salim Chehida, Mustapha kamel Rahmouni, "Security Requirements Analysis of Web Applications using UML", ICWIT, Vol. 867, pp.232-239, 2012.
  16. Kathy Sierra, Bert Bates, Bryan Basham, "Head First Servlet & JSP", pp.683-721, Hanbit Media. Inc, 2009.
  17. Chae Heung-Seok, Object-oriented CDB Project for UML and Java as learning, Hanbit Media. Inc, pp. 84-112, 2009.

피인용 문헌

  1. Designing Mobile Application for Korean Traditional Markets Based on O2O Service Platform vol.19, pp.9, 2018, https://doi.org/10.9728/dcs.2018.19.9.1689