http://dx.doi.org/10.13089/JKIISC.2014.24.1.171

How to Combine Secure Software Development Lifecycle into Common Criteria  

Park, Jinseok (Center for Information Security Technologies (CIST), Korea University)
Kang, Heesoo (Center for Information Security Technologies (CIST), Korea University)
Kim, Seungjoo (Department of Cyber Defense/Center for Information Security Technologies (CIST), Korea University)
Abstract
Common Criteria is a scheme that minimizes the vulnerabilities of IT products in accordance with the evaluation assurance level. The Secure Software Development Lifecycle (SSDLC) is a methodology that reduces the weaknesses that can give rise to vulnerabilities throughout the software development life cycle. However, Common Criteria does not consider the vulnerabilities of certified IT products after they have been certified, which can compromise the safety and reliability of those products. In addition, developers and evaluators bear the burden of duplicate evaluations for IT products introduced into government business, because those products must satisfy both Common Criteria and SSDLC. We therefore studied the relationship among Common Criteria, static code analysis tools, and SSDLC, and propose how to combine SSDLC into Common Criteria.
Keywords
Common Criteria; Secure Software Development Lifecycle; weakness; vulnerability;