• Title/Summary/Keyword: Secure Coding

Search Result 92, Processing Time 0.035 seconds

Evaluation Method Using Analytic Hierarchy Process for C4I SW Secure Coding Rule Selection (계층분석기법을 활용한 전장관리정보체계 소프트웨어 시큐어 코딩룰 선정 평가 방안)

  • Choi, June-Sung;Kim, Woo-Je;Park, Won-Hyung;Kook, Kwang-Ho
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.38C no.8
    • /
    • pp.651-662
    • /
    • 2013
  • In this study, we suggest the selecting evaluation method considering 6 major factors like Compliance system application (Development language conformance, Platform Compliance), threat evaluation (criticality of security incident, possibility of security incident), application benefit (Reliability / quality improvement, Modify Cost) for appropriate secure coding rule selecting evaluation. Using this method, we selected and make a set consist of 197 secure coding rules for Battlefield Management System Software. And calculated the application priority for each rules.

A Design and Development of Secure-Coding Check System Based on E-Government Standard Framework for Convergence E-Government Service (융복합 전자정부 서비스를 위한 전자정부 표준프레임워크 기반 시큐어코딩 점검 시스템 설계 및 개발)

  • Kim, Hyungjoo;Kang, Jungho;Kim, Kyounghun;Lee, Jaeseung;Jun, Moonseog
    • Journal of Digital Convergence
    • /
    • v.13 no.3
    • /
    • pp.201-208
    • /
    • 2015
  • Recently computer, smart phone, medical devices, etc has become used in a variety of environments as the application fields of IT products have become diversification. Attack case of abuse of software security vulnerabilities is on the increase as the application fields of software have become diversification. Accordingly, secure coding program is of a varied but history management, updating, API module to be vulnerable to attack. Thus, this paper proposed a materialization of CMS linked system to enable check the vulnerability of the source code to content unit for secure software development, configuration management system that interwork on the transmission module. Implemented an efficient coding system secure way that departmentalized by the function of the program and by analyzing and applying secure coding standards.

Secure Coding guide support tools design for SW individual developers (SW 개인 개발자를 위한 Secure_Coding 가이드 지원 도구 설계)

  • Son, Seung-wan;Kim, Kwang-seok;Choi, Jeong-won;Lee, Gang-soo
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2014.05a
    • /
    • pp.595-598
    • /
    • 2014
  • The cyber attacks of recent attacks that target zero-day exploit security vulnerabilities before the security patch is released (Zero Day) attack, the web site is without the Lord. These attacks, those that use the vulnerability of security that is built into the software itself is in most cases, cyber attacks that use the vulnerability of the security of the source code, in particular, has a characteristic response that are difficult to security equipment. Therefore, it is necessary to eliminate the security vulnerability from step to implement the software to prevent these attacks. In this paper, we try to design a Secure Coding Guide support tool to eliminate the threat of security from the stage of implementation.

  • PDF

A Study of Web Application Security Quality Architecture Management Process referenced ISO/IEC9000 Model (ISO/IEC9000모델을 참조한 웹 애플리케이션 보안품질 관리체계 설계)

  • Kim, Jeom-Goo;Noh, Si-Choon;Lee, Do-Hyeon
    • Convergence Security Journal
    • /
    • v.12 no.3
    • /
    • pp.11-17
    • /
    • 2012
  • According to ISO/IEC 9000, quality to satisfy users' requirements when using the product or service is defined as the characteristics of the synthesized concept. Secure web application coding information systems with the reliability and quality of service is one of the determining factor. Secure coding in order to achieve the quality based on the model is necessary. The reason is that the security is in quality properties in the range of non-functional requirements that necessitates. Secure coding for the design of quality systems based on the quality of the definition of quality attributes, quality requirements, quality attribute scenarios are defined, and must be set. To this end, referring to IEEE 1061 quality model for web application, quality model structure is developed. Secure web application architecture design is composed of coding quality of the model systems, web applications draw interest to stakeholders, decision drivers secure coding architecture, quality attributes, eliciting quality requirements of the security settings, creating web application architecture descriptions and security framework.

Nuclear-related Software analysis based on secure coding (시큐어 코딩 중심으로 본 원자력 관련 소프트웨어)

  • Jung, Da-Hye;Choi, Jin-Young;Lee, Song-Hee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.23 no.2
    • /
    • pp.243-250
    • /
    • 2013
  • We have entered into an era of smart software system where the many kinds of embedded software, especially SCADA and Automotive software not only require high reliability and safety but also high-security. Removing software weakness during the software development lifecycle is very important because hackers exploit weaknesses which are source of software vulnerabilities when attacking a system. Therefore the coding rule as like core functions of MISRA-C should expand their coding focus on security. In this paper, we used CERT-C secure coding rules for nuclear-related software being developed to demonstrate high-safety software, and proposed how to remove software weakness during development.

An Improvement of the Guideline of Secure Software Development for Korea E-Government (대한민국 전자정부 소프트웨어 개발보안 가이드 개선 방안 연구)

  • Han, Kyung Sook;Kim, Taehwan;Han, Ki Young;Lim, Jae Myung;Pyo, Changwoo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.5
    • /
    • pp.1179-1189
    • /
    • 2012
  • We propose an improvement on the Guideline of Secure Software Development for Korea e-Government that is under revision by the Ministry of Public Administration and Security in 2012. We adopted a rule-oriented organization instead shifting from the current weakness-oriented one. The correspondence between the weakness and coding rules is identified. Also, added is the coverage of diagnostic tools over the rules to facilitate the usage by programmers during coding period When the proposed guideline is applied to secure software development, the weakness would be controlled indirectly by enforcing coding rules. Programmers responsibility would be limited to the compliance of the rules, while the current version implies that it is programmers responsibility to guarantee being free from the weakness, which is hard to achieve at reasonable cost.

Definition of Security Metrics for Software Security-enhanced Development (소프트웨어 개발보안 활동을 위한 보안메트릭 정의)

  • Seo, Dongsu
    • Journal of Internet Computing and Services
    • /
    • v.17 no.4
    • /
    • pp.79-86
    • /
    • 2016
  • Under the influence of software security-enhanced development guidelines announced in 2012, secure coding practices become widely applicable in developing information systems aiming to enhance security capabilities. Although continuous enhancement activities for code security is important, management issues for code security have been less addressed in the guidelines. This paper analyses limitation of secure coding practices from the viewpoint of quality management. In particular this paper suggests structures and the use of software metrics from coding to maintenance phases so that it can be of help in the future by extending the use of security metrics.

Vulnerability Analysis and Development of Secure Coding Rules for PHP (PHP 보안 취약점 분석과 시큐어 코딩 규칙 개발)

  • Han, KyungSook;Park, Wooyeol;Yang, Ilgwon;Son, Changhwan;Pyo, Changwoo
    • KIISE Transactions on Computing Practices
    • /
    • v.21 no.11
    • /
    • pp.721-726
    • /
    • 2015
  • This paper shows secure coding rules for PHP programs. Programmers should comply with these rules during development of their programs. The rules are crafted to restrain 28 weaknesses that are composed of 22 corresponding to reported CVEs of PHP, the children of CWE-661 for PHP, and the top 5 weaknesses according to OWASP. The rule set consists of 28 detailed rules under 14 categories. This paper also demonstrates through examples that programs complying with these rules can curb weaknesses. The rules can also serve as a guideline in developing analysis tools for security purposes.

Research on Secure Coding and Weakness for Implementation of Android-based Dynamic Class Loading (안드로이드 동적 클래스 로딩 기법을 이용한 개발단계에서의 보안약점 및 시큐어 코딩 연구)

  • Kim, Hyunjo;Choi, Jin-Young
    • Journal of Korea Multimedia Society
    • /
    • v.19 no.10
    • /
    • pp.1792-1807
    • /
    • 2016
  • Android application is vulnerable to reverse engineering attack. And by this, it is easy to extract significant module from source code and repackage it. To prevent this problem, dynamic class loading technique, which is able to exclude running code from distributed source code and is able to load running code dynamically during runtime can be used. Recently, this technique was adapted on variety of fields and applications like updating pre-loaded android application, preventing from repacking malicious application, etc. Despite the fact that this technique is used on variety of fields and applications, there is fundamental lack on the study of potential weakness or related secure coding. This paper would deal with potential weaknesses during the implementation of dynamic class loading technique with analysing related international/domestic standard of weaknesses and suggest a secure way for the implementation of dynamic class loading technique. Finally, we believe that this technique described here could increase the level of trust by decreasing the weakness related to dynamic class loading technique.

A Design of Inter-Working System between Secure Coding Tools and Web Shell Detection Tools for Secure Web Server Environments (안전한 웹 서버 환경을 위한 시큐어코딩 도구, 웹쉘 탐지도구 간의 상호연동 시스템 설계)

  • Kim, Bumryong;Choi, Keunchang;Kim, Joonho;Suk, Sangkee
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.11 no.4
    • /
    • pp.81-87
    • /
    • 2015
  • Recently, with the development of the ICT environment, the use of the software is growing rapidly. And the number of the web server software used with a variety of users is also growing. However, There are also various damage cases increased due to a software security vulnerability as software usage is increasing. Especially web shell hacking which abuses software vulnerabilities accounts for a very high percentage. These web server environment damage can induce primary damage such like homepage modification for malware spreading and secondary damage such like privacy. Source code weaknesses checking system is needed during software development stage and operation stage in real-time to prevent software vulnerabilities. Also the system which can detect and determine web shell from checked code in real time is needed. Therefore, in this paper, we propose the system improving security for web server by detecting web shell attacks which are invisible to existing detection method such as Firewall, IDS/IPS, Web Firewall, Anti-Virus, etc. while satisfying existing secure coding guidelines from development stage to operation stage.