Open Source Software Security Issues and Applying a Secure Coding Scheme

  • 김병국 (Department of Software Security, Graduate School of Computer and Information Technology, Korea University)
  • Received : 2017.03.02
  • Accepted : 2017.06.08
  • Published : 2017.08.15

Abstract

Open source software is software whose copyright holder (of the software or hardware) has released the source code so that anyone can freely use, copy, distribute and modify it without particular restrictions. It offers the advantages of low entry cost, fast and flexible development, compatibility, reliability and safety, and the emergence of many useful open source projects means that high-quality results can be achieved in software development with less cost and time. On the other hand, this also increases the risk posed by security weaknesses in the open source software that is adopted: cases of damage caused by exploiting such weaknesses are increasing, and there is still no separate process for verifying security when adopting open source software. In this paper, we examine open source projects that are widely regarded as highly reliable from a security point of view, analyze the security weaknesses actually present in them, and propose a secure coding scheme as the means of removing those weaknesses.
