
Systematic and Comprehensive Comparisons of the MOIS Security Vulnerability Inspection Criteria and Open-Source Security Bug Detectors for Java Web Applications  

Lee, Jaehun (Department of Computer Science and Engineering, Pohang University of Science and Technology)
Choe, Hansol (School of Computer Science and Electrical Engineering, Handong Global University)
Hong, Shin (School of Computer Science and Electrical Engineering, Handong Global University)
Publication Information
Journal of Software Engineering Society / v.28, no.1, 2019, pp. 13-22
Abstract
To enhance the effective and efficient application of automated security vulnerability checkers in the highly competitive and fast-evolving IT industry, this paper studies a comprehensive set of security bug checkers in open-source static analysis frameworks and how they can be utilized for source code inspections according to the security vulnerability inspection guidelines by MOIS. This paper clarifies the relationship between all 42 inspection criteria in the MOIS guideline and a total of 323 security bug checkers in 4 popular open-source static analysis frameworks for Java web applications. Based on the result, this paper also discusses the current challenges and issues in the MOIS guideline, the comparison among the four security bug checker frameworks, and ideas to improve security inspection methodologies using the MOIS guideline and open-source static security bug checkers.
Keywords
Security vulnerability; Secure coding; Static analyzer; Open-source software;