http://dx.doi.org/10.13089/JKIISC.2010.20.6.147

A Study on the Design of Security Metrics for Source Code  

Seo, Dong-Su (Sungshin Women's University)
Abstract
It has been widely recognized that static analysis techniques can play an important role in identifying potential security vulnerabilities residing in source code. This paper proposes the design and application of security metrics that use both the vulnerability information extracted by static analysis and the significance of the information that the software handles. The security metrics are useful to both developers and evaluators because they help identify source code vulnerabilities at an early stage of development. By effectively applying the security metrics, evaluators can check the security level of the source code and confirm the final code according to the characteristics of the source code and the security level required for the information it handles.
Keywords
security metrics; static analysis; security vulnerability; source code vulnerability