Systematic and Comprehensive Comparisons of the MOIS Security Vulnerability Inspection Criteria and Open-Source Security Bug Detectors for Java Web Applications

A Comprehensive Comparison of the MOIS Software Security Vulnerability Inspection Criteria and the Detection Targets of Open-Source Security Bug Detectors for Java Web Applications

  • 이재훈 (Department of Computer Science and Engineering, POSTECH) ;
  • 최한솔 (School of Computer Science and Electrical Engineering, Handong Global University) ;
  • 홍신 (School of Computer Science and Electrical Engineering, Handong Global University)
  • Received : 2019.03.09
  • Accepted : 2019.05.08
  • Published : 2019.06.30

Abstract

To enhance the effective and efficient application of automated security vulnerability checkers in the highly competitive and fast-evolving IT industry, this paper studies a comprehensive set of security bug checkers in open-source static analysis frameworks and how they can be utilized for source code inspections according to the security vulnerability inspection guidelines by MOIS (the Ministry of the Interior and Safety). This paper clarifies the relationship between all 42 inspection criteria in the MOIS guideline and a total of 323 security bug checkers in 4 popular open-source static analysis frameworks for Java web applications. Based on the result, this paper also discusses the current challenges and issues in the MOIS guideline, the comparison among the four security bug checker frameworks, and ideas to improve security inspection methodologies using the MOIS guideline and open-source static security bug checkers.

To apply secure coding methodologies effectively in today's competitive and rapidly changing software development industry, the effective and efficient use of bug detectors that automatically detect security vulnerability defects is essential. Targeting Java web applications, this paper compares the 42 security vulnerability inspection criteria defined by the Ministry of the Interior and Safety (MOIS) with the target defect patterns of a total of 323 open-source security vulnerability bug detectors, and presents the result of making explicit which of them target the same defect patterns. Based on the survey results, this paper discusses the limitations of the current MOIS security vulnerability inspection criteria methodology, a comparison of the defect-detection coverage among the open-source security bug detection frameworks, and the development tasks for secure development methodologies based on secure coding guidelines.
