Software Vulnerability, Assurance, and Security Testing

Korean title: 소프트웨어 취약점, 보증 및 보안 테스팅 (Software Vulnerabilities, Assurance, and Security Testing)

  • Published: 2012-02-20

Abstract

Keywords

Acknowledgement

Grant: A Study on the Convergence of Static/Dynamic Analysis Techniques and Anti-Reverse-Engineering Techniques for Software Assurance (소프트웨어 보증을 위한 정적/동적 분석 기술과 역공학 방지 기법의 융합에 관한 연구)

Supported by: National Research Foundation of Korea (한국연구재단)
