http://dx.doi.org/10.13089/JKIISC.2012.22.5.1179

An Improvement of the Guideline of Secure Software Development for Korea E-Government  

Han, Kyung Sook (Korea Polytechnic University)
Kim, Taehwan (Hongik University)
Han, Ki Young (Hongik University)
Lim, Jae Myung (Korea Internet & Security Agency)
Pyo, Changwoo (Hongik University)
Abstract
We propose an improvement on the Guideline of Secure Software Development for Korea e-Government, which is under revision by the Ministry of Public Administration and Security in 2012. We adopted a rule-oriented organization, shifting from the current weakness-oriented one. The correspondence between the weaknesses and the coding rules is identified. Also added is the coverage of diagnostic tools over the rules, to facilitate their use by programmers during the coding period. When the proposed guideline is applied to secure software development, the weaknesses would be controlled indirectly by enforcing the coding rules. Programmers' responsibility would be limited to compliance with the rules, while the current version implies that it is programmers' responsibility to guarantee being free from the weaknesses, which is hard to achieve at reasonable cost.
Keywords
weakness; secure coding; coding rule; coding guide