http://dx.doi.org/10.7840/kics.2013.38C.4.335

Evaluation Methodology of Diagnostic Tool for Security Weakness of e-GOV Software  

Bang, Jiho (Real-Time Systems Laboratory, Department of Computer Engineering, Hongik University)
Ha, Rhan (Real-Time Systems Laboratory, Department of Computer Engineering, Hongik University)
Abstract
Software (SW) weaknesses are the main cause of cyber breaches; if they are analyzed and removed during the SW development stages, breaches can be prevented effectively. Domestically (in Korea), removing SW weaknesses by applying a Secure SDLC (Software Development Life Cycle) has become mandatory. Analyzing and removing SW weaknesses effectively requires reliable SW weakness diagnostic tools. We therefore propose the functional requirements of a diagnostic tool suited to the domestic environment, together with an evaluation methodology that can assure the reliability of such tools. Finally, the demonstration process and its results are presented to analyze the effectiveness of the proposed evaluation framework.
Keywords
Weakness; Weakness Diagnostic Tool; Vulnerability; Static Analysis; e-GOV SW;
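The abstract describes an evaluation methodology for weakness diagnostic tools, but this page does not reproduce its criteria. The following is an added example, not code from the paper: it shows the scoring step common to such evaluations (the approach taken by NIST's SAMATE test plan with the Juliet test suite), where the tool is run over test cases labeled with a CWE and a "bad" (weakness present) or "good" (weakness removed) variant, and a finding is credited only if it names the right weakness at the flaw location. The test cases, file names and tool findings below are constructed for illustration; the metrics (recall, precision and the per-pair discrimination rate) are standard, and the two-line location tolerance is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TestCase:
    pair_id: str        # ties a bad variant to its weakness-free twin
    file: str
    cwe: int
    bad: bool           # True: weakness present; False: fixed variant
    flaw_line: int = 0  # line of the weakness (unused for good variants)


@dataclass(frozen=True)
class Finding:          # one report line from the tool under test
    file: str
    cwe: int
    line: int


@dataclass
class Metrics:
    tp: int = 0             # bad variants reported on the flaw line
    fn: int = 0             # bad variants missed
    fp: int = 0             # findings that hit no known flaw
    pairs: int = 0
    discriminated: int = 0  # pairs where bad is flagged and good is left clean

    @property
    def recall(self) -> float:
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    @property
    def precision(self) -> float:
        return self.tp / (self.tp + self.fp) if self.tp + self.fp else 0.0

    @property
    def discrimination_rate(self) -> float:
        return self.discriminated / self.pairs if self.pairs else 0.0


def score(cases: List[TestCase], findings: List[Finding],
          line_tolerance: int = 2) -> Dict[str, Metrics]:
    """Score tool findings against labeled cases; keys are 'CWE-<n>' plus 'all'."""
    by_file = {c.file: c for c in cases}
    per: Dict[str, Metrics] = defaultdict(Metrics)
    overall = Metrics()
    detected, flagged_good = set(), set()   # pair_ids

    for f in findings:
        c = by_file.get(f.file)
        hit = (c is not None and c.bad and f.cwe == c.cwe
               and abs(f.line - c.flaw_line) <= line_tolerance)
        if hit:
            detected.add(c.pair_id)         # duplicates on one flaw count once
            continue
        per[f"CWE-{c.cwe}" if c else "unknown-file"].fp += 1
        overall.fp += 1
        if c is not None and not c.bad:
            flagged_good.add(c.pair_id)     # any noise on the good twin

    for c in cases:
        if not c.bad:
            continue
        for m in (per[f"CWE-{c.cwe}"], overall):
            m.pairs += 1
            if c.pair_id in detected:
                m.tp += 1
                if c.pair_id not in flagged_good:
                    m.discriminated += 1
            else:
                m.fn += 1
    per["all"] = overall
    return dict(per)


# Constructed sample suite and tool report (assumed data, not real tool output).
SAMPLE_CASES = [
    TestCase("p1", "CWE89_sqli_bad.c", 89, True, 12),
    TestCase("p1", "CWE89_sqli_good.c", 89, False),
    TestCase("p2", "CWE79_xss_bad.c", 79, True, 20),
    TestCase("p2", "CWE79_xss_good.c", 79, False),
    TestCase("p3", "CWE78_cmdi_bad.c", 78, True, 33),
    TestCase("p3", "CWE78_cmdi_good.c", 78, False),
    TestCase("p4", "CWE121_overflow_bad.c", 121, True, 8),
    TestCase("p4", "CWE121_overflow_good.c", 121, False),
]
SAMPLE_FINDINGS = [
    Finding("CWE89_sqli_bad.c", 89, 13),    # hit: right CWE, one line off
    Finding("CWE89_sqli_bad.c", 22, 13),    # wrong CWE on the same line: FP
    Finding("CWE79_xss_bad.c", 79, 20),     # hit
    Finding("CWE79_xss_good.c", 79, 20),    # flags the fixed twin: FP, no discrimination
    Finding("CWE78_cmdi_bad.c", 78, 60),    # right CWE, wrong location: FP and a miss
    # CWE-121 pair: nothing reported at all, so the bad variant is a miss (FN)
]

if __name__ == "__main__":
    for key, m in sorted(score(SAMPLE_CASES, SAMPLE_FINDINGS).items()):
        print(f"{key:>8}: TP={m.tp} FN={m.fn} FP={m.fp} recall={m.recall:.2f} "
              f"precision={m.precision:.2f} discrimination={m.discrimination_rate:.2f}")
```

Run as a script it prints a per-CWE table. The discrimination rate is the number to watch when assessing reliability: a tool that flags every line scores perfect recall but zero discrimination, because it also reports the weakness-free twin of every case.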