• Proceedings of the Korean Information Science Society Conference
• /
• 2002.10c
• /
• pp.655-657
• /
• 2002

인터넷에 정보화가 급속도로 진전되고 정보에 대한 의존도가 확산됨에 따라 정보시설에 대한 침입피해 사례가 급증하고 있다 일어나는 해킹 사고의 대부분은 취약점 분석 도구를 이용하여 공격하고자하는 시스템의 취약점 정보를 수집한 다음 이를 바탕으로 시스템에 대해 공격을 시도하고 있다. 하지만, 네트워크 시스템 관리자들은 시스템 취약점에 대한 정보 및 기술 부족으로 시스템에 대한 관리가 무방비 상태로 이루어지고 있는 실정이다. 본 논문에서는 보안에 미숙한 관리자도 공격 대상이 되는 시스템의 취약점을 쉽게 발견하고 이를 바탕으로 공격대상이 되는 호스트를 미리 방지할 수 있고 또한 분산 네트워크 환경에서도 관리할 수 있는 취약점 관리 시스템을 설계 및 구현하였다.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2018.01a
• /
• pp.85-86
• /
• 2018

본 논문에서는 사이버공격의 주요 대상인 웹 애플리케이션의 보안을 위하여 취약점진단 및 제거, 이행점검의 웹 통합보안관리 플랫폼을 제안한다. 이 플랫폼은 동적진단엔진, 취약점제거보안모듈, UI를 제공하는 통합관리시스템, 진단 결과를 저장하는 결과 및 통계 DB, 와 진단을 위한 관련 정보를 저장하는 진단 및 보안정보 DB로 구성되며, 동적진단결과에 대한 상관관계분석 기능과 취약점 개선 활동 시 스마트 보안모듈을 통해 빠르고 손쉬운 취약점 제거수정, 완화할 수 있는 통합플랫폼 연구를 통하여 웹 애플리케이션보안을 효율적으로 할 수 있다.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2014.05a
• /
• pp.595-598
• /
• 2014

The cyber attacks of recent attacks that target zero-day exploit security vulnerabilities before the security patch is released (Zero Day) attack, the web site is without the Lord. These attacks, those that use the vulnerability of security that is built into the software itself is in most cases, cyber attacks that use the vulnerability of the security of the source code, in particular, has a characteristic response that are difficult to security equipment. Therefore, it is necessary to eliminate the security vulnerability from step to implement the software to prevent these attacks. In this paper, we try to design a Secure Coding Guide support tool to eliminate the threat of security from the stage of implementation.

• Journal of Software Engineering Society
• /
• v.28 no.1
• /
• pp.13-22
• /
• 2019

To enhance effective and efficient applications of automated security vulnerability checkers in highly competitive and fast-evolving IT industry, this paper studies a comprehensive set of security bug checkers in open-source static analysis frameworks and how they can be utilized for source code inspections according to the security vulnerability inspection guidelines by MOIS. This paper clarifies the relationship be tween all 42 inspection criteria in the MOIS guideline and total 323 security bug checkers in 4 popular open-source static analysis frameworks for Java web applications. Based on the result, this paper also discuss the current challenges and issues in the MOIS guideline, the comparison among the four security bug checker frameworks, and also the ideas to improve the security inspection methodologies using the MOIS guideline and open-source static security bug checkers.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.1
• /
• pp.171-182
• /
• 2014

Common Criteria is a scheme that minimize IT products's vulnerabilities in accordance with the evaluation assurance level. SSDLC(Secure Software Development Lifecycle) is a methodology that reduce the weakness that can be used to generate vulnerabilities of software development life cycle. However, Common Criteria does not consider certificated IT products's vulnerabilities after certificated it. So, it can make a problem the safety and reliability of IT products. In addition, the developer and the evaluator have the burden of duplicating evaluations of IT products that introduce into the government business due to satisfy both Common Criteria and SSDLC. Thus, we researched the relationship among the Common Criteria, the static code analysis tools, and the SSDLC. And then, we proposed how to combine SSDLC into Common Criteria.

• Digital Contents
• /
• no.11 s.78
• /
• pp.17-21
• /
• 1999

인터넷의 개방성으로 인하여 발생되는 전자상거래의 취약점을 최소화하기 위하여 우리는 보안 기술을 사용하게 된다. 그러나 보안 기술을 사용함으로 인하여 서비스 속도가 느려지거나 사용자에게 불편을 주지 않아야 한다. 현재 가장 이슈가 되고 있는 인터넷 쇼핑몰의 실례를 보면서 보안 적용 방안을 제시하고자 한다.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.12 no.5
• /
• pp.725-730
• /
• 2017

The use of general IT resources in the Instrumentation and Control system(I&C) for the safety of Nuclear Power Plants(NPPs) is increasing. As a result, potential security vulnerabilities of existing IT resources may cause cyber attack to NPPs, which may cause serious consequences not only to shutdown of NPPs but also to national disasters. In order to respond to this, domestic nuclear regulatory agencies are developing guidelines for regulating nuclear cyber security regulations and expanding the range of regulatory targets. However, it is necessary to take measures to cope with not only general security problems of NPPs but also attacks specific to NPPs. In this paper, we select 42 items related to the vulnerability inspection in the contents defined in R.G.5.71 and classify it into 5 types. If the vulnerability inspection tool is developed based on the proposed analysis, it will be possible to improve the inspection efficiency of the cyber security vulnerability of the NPPs.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.1
• /
• pp.145-153
• /
• 2018

SSL (Secure Socket Layer) and TLS (Transport Layer Security) are widely used protocols for secure and encrypted communication over a computer network. However, there have been reported several security vulnerabilities of SSL/TLS over the years. The vulnerabilities can let an adversary carry out critical attacks on SSL/TLS enabled servers. In this paper, we have developed a system which can periodically scan SSL/TLS vulnerabilities on internal network servers and quickly detects, reports and visualizes the vulnerabilities. We have evaluated the system on working servers of Naver services and analyzed detected vulnerabilities. 816 vulnerabilities are found on 213 internal server domains (4.2 vulnerabilities on average) and most vulnerable servers are not opened to public. However, 46 server domains have old vulnerabilites which were found 2016. We could patch and response to SSL/TLS vulnerabilites of servers by leveraging the proposed system.

• Convergence Security Journal
• /
• v.19 no.2
• /
• pp.83-89
• /
• 2019

In accordance with information security compliance and security regulations, there is a need to develop regular and real-time concepts for cyber-infringement attacks against network system vulnerabilities in branch and periodic forms. Vulnerability Analysis Analysis It is judged that it will be a countermeasure against new hacking attack in case of concept validation by interworking with TOOL. Vulnerability check module is standardized in event attribute management and ease of operation. Opening in terms of global sharing of vulnerability data, owasp zap / Angry ip Etc. were investigated in the SIEM system with interlocking design implementation method. As a result, it was proved that the inspection events were monitored and transmitted to the SIEM console by the vulnerability module of web and network target. In consideration of this, ESM And SIEM system In this paper, we propose a new vulnerability analysis method based on the existing information security consultation and the results of applying this study. Refer to the integrated interrelationship analysis and reference Vulnerability target Goal Hacking It is judged to be a new active concept against invasion attack.

• Information Systems Review
• /
• v.19 no.3
• /
• pp.201-228
• /
• 2017

Vulnerability information, which can cause serious damage to information assets, has become a valuable commodity, thereby leading to the creation of a vulnerability market. Vulnerability information is traded on the vulnerability market from several hundred dollars to hundreds of thousands of dollars depending on its severity and importance, and the types and scope of the vulnerability markets are varying. Based on previous studies on vulnerability markets and hackers, this study empirically analyzed the effects of the security researcher's vulnerability research motivation on his/her vulnerability market use intention. The results are discussed as follows. First, vulnerability research self-efficacy had a significant effect on flow and on white and black market use intention but not on perceived benefit. Second, flow had a significant effect on perceived benefit and on black market use intention but had no effect on white market use intention. Third, perceived profit had a significant effect on white and black market use intention. Fourth, vulnerability research self-efficacy had a significant effect on perceived benefit through flow. Fifth, flow had a significant effect on white and black market use intention through perceived profit. These findings can be used to predict the behavior of security researchers who have experience in exploiting vulnerabilities.