Definition of Security Metrics for Software Security-enhanced Development

Korean title: Definition of Security Metrics for Software Secure-Development Activities

  • Seo, Dongsu (School of IT, Sungshin Women's University)
  • Received : 2016.07.01
  • Accepted : 2016.07.28
  • Published : 2016.08.31

Abstract

Under the influence of the software security-enhanced development guidelines announced in 2012, secure coding practices have become widely applied in the development of information systems that aim to strengthen their security capabilities. Although continuous enhancement activities for code security are important, the management of code security has been less addressed in the guidelines. This paper analyses the limitations of secure coding practices from the viewpoint of quality management. In particular, it proposes the structure and use of software security metrics spanning the coding and maintenance phases, so that the use of security metrics can be extended in future work.

Supported by the software secure-development scheme enforced in 2012, secure coding has come to be recognized by developers as a technique that can improve security when building information systems. Despite the spread of the scheme, the management of continuous security improvement is an area that the secure-development scheme has overlooked. This paper examines the security-related characteristics of secure coding from a quality-management perspective. In addition, by presenting security metrics, it proposes a way to naturally link implementation and maintenance activities and a way to make use of those metrics, with the aim of supporting the management of source code.
