http://dx.doi.org/10.3745/KTSDE.2016.5.3.139

Cost Based Vulnerability Control Method Using Static Analysis Tool  

Lee, Ki Hyun (Dankook University, Department of Computer Science, Software Security)
Kim, Seok Mo (Dankook University, Department of Computer Science, Software Security)
Park, Young B. (Dankook University, Department of Computer Science)
Park, Je Ho (Dankook University, Department of Computer Science)
Publication Information
KIPS Transactions on Software and Data Engineering / v.5, no.3, 2016, pp. 139-144
Abstract
When software is developed with methods that take security into account, additional cost is incurred, and that additional cost is the reason many development organizations do not consider security at all. Even where development does proceed with security in mind, there is no established way to determine how many vulnerabilities can be handled within a given cost. In this paper, we propose a method for calculating the vulnerability throughput so that security vulnerabilities are handled cost-effectively. The proposed method focuses on the implementation phase of software development and uses static analysis tools to find security vulnerabilities belonging to the CWE Top 25. For each vulnerability found, a risk, a transaction cost and a risk cost are defined, and from these a processing priority is derived. Using information from the CWE, the cost consumed in handling the detected vulnerabilities in priority order is calculated, and the vulnerability throughput is controlled so that it stays within the input cost. Applying the method is expected to handle the maximum vulnerability risk achievable within the input cost.
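As an added illustration, not the paper's own method or code, the budget-constrained prioritization the abstract describes can be sketched as follows. The findings, risk scores, fix costs, the priority rule (risk handled per unit of cost) and the budget are all constructed assumptions; the exact knapsack is included to show where a pure priority walk falls short of the maximum risk handleable within the budget.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cwe: str        # CWE identifier reported by the static analysis tool
    location: str   # file:line (constructed)
    risk: float     # assumed risk score in [0, 10], e.g. a CWSS-style score
    fix_cost: int   # assumed transaction cost to fix, in person-hours


# Constructed sample findings; scores and costs are illustrative, not the paper's.
FINDINGS = [
    Finding("CWE-89",  "db.py:42",     9.0, 4),
    Finding("CWE-79",  "views.py:118", 6.5, 2),
    Finding("CWE-120", "parse.c:77",   8.5, 8),
    Finding("CWE-22",  "files.py:15",  7.0, 3),
    Finding("CWE-798", "config.py:9",  5.0, 1),
    Finding("CWE-306", "api.py:201",   8.0, 6),
]


def priority(f: Finding) -> float:
    """Assumed priority rule: risk handled per unit of fix cost."""
    return f.risk / f.fix_cost


def select_by_priority(findings, budget):
    """Walk findings in priority order, fixing each one that still fits the budget."""
    chosen, spent = [], 0
    for f in sorted(findings, key=priority, reverse=True):
        if spent + f.fix_cost <= budget:
            chosen.append(f)
            spent += f.fix_cost
    return chosen, spent


def select_optimal(findings, budget):
    """Exact 0/1 knapsack over integer costs: the maximum risk handleable within budget."""
    best = [(0.0, ()) for _ in range(budget + 1)]   # best[b] = (risk, findings) for capacity b
    for f in findings:
        for b in range(budget, f.fix_cost - 1, -1):
            cand = best[b - f.fix_cost][0] + f.risk
            if cand > best[b][0]:
                best[b] = (cand, best[b - f.fix_cost][1] + (f,))
    chosen = list(best[budget][1])
    return chosen, sum(f.fix_cost for f in chosen)


def total_risk(chosen) -> float:
    """Total risk handled by a set of fixed findings (the quantity to maximize)."""
    return sum(f.risk for f in chosen)
```

With a budget of 14 person-hours the priority walk handles 27.5 risk for 10 hours, while the exact optimum handles 29.0 risk using the whole budget.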
Keywords
Vulnerability Treatment; Cost Based; Static Analysis