Journal of the Korea Academia-Industrial cooperation Society (한국산학기술학회논문지)

The Korea Academia-Industrial cooperation Society (한국산학기술학회)
권호 표지
DOI QR코드

DOI QR Code

Framework of Security Development Method based on Component

컴포넌트기반 보안개발방법의 프레임워크

  • Hong, Jin-Keun (Division of Information Communication, Baekseok University)
  • 홍진근 (백석대학교 정보통신학부)
  • Received : 2009.12.12
  • Accepted : 2010.03.18
  • Published : 2010.03.31
Download PDF
⟨ Previous Next ⟩

Abstract

This paper is about a development framework, which is required to develop of security system is based on component. With applying of SDLC(system development life cycle) of information system, the application of information security products DLC is required at this point of time. In this paper, we review NIST requirement specification of development method, requirement criteria of SDLC in each stage, and major security guidelines of risk assessment. Also we are reviewed major security element of SDLC, and to aid understanding of security framework based on component, present the relationship fo security design and DFD in respect of spoofing for the outside entity based on threat tree STRIDE.

본 논문은 컴포넌트 기반의 보안 시스템 개발을 위해 요구되는 개발 프레임워크에 관한 것이다. 정보시스템의 개발방법론 적용과 함께, 정보보호 제품의 개발방법론 적용이 현시점에 요구되고 있다. 본 논문에서는 개발방법의 NIST 요구규격, SDLC 단계별 요구기준, 위험평가 주요 보안 가이드 라인을 살펴보았다. 또한 SDLC 주요 보안 요소를 살펴보았고, 컴포넌트 기반 보안 프레임워크 수립에 대한 이해를 돕기 위해, 위협트리 STRIDE 기반의 외부 엔티티에 대한 스푸핑 측면에서 보안설계와 DFD 관계를 분석 제시하였다.

Keywords

References

  1. Yourdon, Ed. Just Enough Structured Analysis project. Chapter9, "Data Flow Diagrams, "http://www.yourdon.com/strucanalysis/chapters /ch9.html.
  2. Open Source Vulnerability Database. Symlink Vulnerabilites, http://www. osvdb.org/searchdb.php?vuln_title = symlink, last updated January 31, 2006.
  3. Miller, Barton P., "Fuzz Testing of Application Reliability," http://www .cs.wisc.edu/-bart/fuzz/fuzz.html, Dec. 2005.
  4. KeyLength.com, "Cryptographic Key Length Recommendation," http:// www.keylength.com.
  5. Curphey, Araujo, "Web Application Security Assessment Tools", IEEE Security and Privacy archive, Volume 4 , Issue 4, July 2006.
  6. G. McGraw, B. Potter, "Software Security Testing", IEEE Security & Privacy, May 2004.
  7. NIST, "Security Considerations in the Information SDLC", SP 800-64 Rev. 1, 2004.
  8. Swiderski, Frank, and Window Snyder, Threat Modeling, Redmond, WA: Microsoft Pess, 2004.