• Journal of Internet Computing and Services
• /
• v.14 no.4
• /
• pp.35-42
• /
• 2013

Nowadays many tasks are performed using the Web. Accordingly, many web-based application systems with various and complicated functions are being requested. In order to develop such web-based application systems efficiently, object-oriented analysis and design methodology is used, and Java EE(Java Platform, Enterprise Edition) technologies are used for its implementation. The security issues have become increasingly important. For such reasons, Java EE provides mechanism related to security but it does not provide interconnections with object-oriented analysis and design methodology for developing web application system. Consequently, since the security method by Java EE mechanism is implemented at the last step only, it is difficult to apply constant security during the whole process of system development from the requirement analysis to implementation. Therefore, this paper suggests an object-oriented analysis and design methodology emphasized in the security for secure web application systems from the requirement analysis to implementation. The object-oriented analysis and design methodology adopts UMLsec, the modeling language with an emphasis on security for the requirement analysis and system analysis & design with regard to security. And for its implementation, RBAC (Role Based Access Control) of servlet from Java EE technologies is used. Also, the object-oriented analysis and design methodology for the secure web application is applied to online banking system in order to prove its effectiveness.

• Convergence Security Journal
• /
• v.11 no.4
• /
• pp.43-49
• /
• 2011

Web-based health information provides a lot of conveniences, however the security vulnerabilities that appear in the network environment without the risk of exposure in the use of information are growing. Web-based medical information security issues when accessing only the technology advances, without attempting to seek a safe methodology are to increase the threat element. So it is required. to take advantage of web-based information security measures as a web-based access control security mechanism-based design. This paper is based on software architecture, design, ideas and health information systems were designed based on access control security mechanism. The methodologies are to derive a new design procedure, to design architecture and algorithms that make the mechanism functio n. To accomplish this goal, web-based access control for multiple patient information architecture infrastructures is needed. For this software framework to derive features that make the mechanism was derived based on the structure. The proposed system utilizes medical information, medical information when designing an application user retrieves data in real time, while ensuring integration of encrypted information under the access control algorithms, ensuring the safety management system design.

• Journal of the Korea Computer Industry Society
• /
• v.8 no.4
• /
• pp.253-262
• /
• 2007

As the internet environment is applied in the various service field, the recognition on security is increasing. Because the authentication methods for web service user do not confirm person oneself, the serious problems of reliability, safety and security can be caused. In order to solve this problems, the authentication methods of user id and password or authentication key is used. Because the password and authentication key using the existent authentication methods for security is composed of a string, authentication information can easily hacked or leaked by hackers, and the serious problems of security can be caused. In this paper, in order to improve the web security, an authentication module using the fingerprint that have the unique properties of person is proposed. As the proposed module makes use of fingerprint authentication, the security of the web service user from hackers can be maintained. The proposed method is more excellent than the existent method in the web security.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.1
• /
• pp.59-74
• /
• 2020

The web space where web applications run is the cyber information warfare of attackers and defenders due to the open HTML. In the cyber attack space, about 84% of worldwide attacks exploit vulnerabilities in web applications and software. It is very difficult to detect web vulnerability attacks with security products such as web firewalls, and high labor costs are required for security verification and assurance of web applications. Therefore, rapid vulnerability detection and response in web space by automated software is a key and effective cyber attack defense strategy. In this paper, we establish a security risk management model by intensively analyzing security threats against web applications and software, and propose a method to effectively diagnose web and application vulnerabilities. The testing results on the commercial service are analyzed to prove that our approach is more effective than the other existing methods.

• The Transactions of the Korea Information Processing Society
• /
• v.5 no.12
• /
• pp.3165-3175
• /
• 1998

다양한 연구분야에서 웹을 대부분 응용의 프레임워크 또는 GUI 사용하려는 거역할 수 없는 흐름에 발 맞추어 국내에서도 전자상거래와 관련한 법규가 가시화될 전망으로 웹을 이용한 상거래 움직임 또한 더욱 활발할 것으로 보인다. 이와 같이 다양해지는 웹 응용을 위해서는 지금까지의 웹 보안 기술로 부인봉쇄와 같은 보안 서비스를 제공하지 못하고 있다. 본 논문에서는 최근 다양해지는 웹 보안 요구 사항을 만족시키는 프로토콜로 IETF에 의해 제안된 S-HTTP(Secure HTTP, Secure HyperText Transfer Protocol)를 기반으로 하는 웹 시스템인 SecWeb의 개발을 위한 시스템 모델, 구현 환경 및 개발된 시스템 그리고 적용 가능한 시나리오를 기술하였다. 개발된 SecWeb의 대표적인 응용분야로는 전자서명에 의한 부인봉쇄서비스가 중요하게 요구되는 분야들을 생각할 수 있다.

• 한국IT서비스학회:학술대회논문집
• /
• 2003.11a
• /
• pp.407-412
• /
• 2003

인터넷 기술을 기반으로 하는 웹기반 시스템은 웹 브라우저를 이용한 편리한 사용성과 하이퍼링크를 이용한 효과적인 연결성을 TCP/IP 네트워크 위에서 경제적으로 제공함으로서 최근 급속히 개발이 증가하고 있다. 그러나 운영환경에서 서버 측의 다양한 플랫폼과 운영체제, 그리고 클라이언트 측의 다양한 웹 브라우저가 혼재되어 존재하는 웹기반 정보시스템의 특성은 정보시스템의 개발 뿐 만 아니라 감리에서도 기존의 메인프레임 및 클라이언트/서버 시스템의 경우와 다른 특성을 갖는다. 본 논문에서는 웹기반 정보시스템의 특성과 보안감리 규격인 SSE-CMM의 프로세스 모델에 대하여 분석한 후 웹기반 정보시스템의 보안감리를 위한 새로운 프로세스 모델에 대하여 논하였다.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2023.07a
• /
• pp.221-223
• /
• 2023

오늘날 전 세계적으로 연결되어 있는 인터넷을 통해 사용자들은 아무런 제약 없이 의사소통 및 거래 등 다양한 활동을 할 수 있게 되었다. 그러나 이러한 인터넷상의 자유를 범죄의 수단으로 한 인터넷상의 사이버 범죄가 급속하게 증가하고 있다. 특히 인터넷 중 하나로 분류되는 다크웹에서는 심각한 중대 범죄들이 많이 발생하고 있는데, 다크웹은 일반 네트워크와 달리 암호화 기술을 사용하는 특정 네트워크를 통해서만 접속이 가능하기 때문에 사용자에게 익명성과 비밀성을 제공할 수 웹 사이트이다. 이러한 다크웹의 특성으로 인해 마약 거래, 아동 포르노 유포, 개인정보 유출 등 다양한 사이버 범죄가 발생하고 있다. 본 논문에서는 이러한 다크웹 상에서 발생하는 주요 범죄 사례를 알아보고 이에 대한 포렌식 수사 기법의 동향을 살펴보고자 한다.

• Journal of Internet Computing and Services
• /
• v.23 no.1
• /
• pp.49-68
• /
• 2022

The operation system of a shipping company is still maintaining the mainframe based terminal access environment or the client/server based environment. Nowadays shipping companies that try to migrate it into a web-based environment are increasing. However, in the transition, if the design is processed by the old configuration and knowledge without considering the characteristics of the web-based environment and shipping business, various security vulnerabilities will be revealed at the actual system operation stage, and system maintenance costs to fix them will increase significantly. Therefore, in the transition to a web-based environment, a security design must be carried out from the design stage to ensure system safety and to reduce security-related maintenance costs in the future. This paper examines the characteristics of various threat modeling techniques, selects suitable modeling technique for the operation system of a shipping company, applies data flow diagram and STRIDE threat modeling technique to shipping business, derives possible security threats from each component of the data flow diagram in the attacker's point of view, validates the derived threats by mapping them with attack library items, represents the attack tree having various attack scenarios that attackers can attempt to achieve their final goals, organizes into the checklist that has security check items, associated threats and security requirements, and finally presents 23 security requirements that can respond to threats. Unlike the existing general security requirements, the security requirements presented in this paper reflect the characteristics of shipping business because they are derived by analyzing the actual business of a shipping company and applying threat modeling technique. Therefore, I think that the presented security requirements will be of great help in the security design of shipping companies that are trying to proceed with the transition to a web-based environment in the future.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• v.9 no.2
• /
• pp.776-779
• /
• 2005

The Program language for web, such as PHP, JSP, ASP and so on, make it possible to offer more user interactive page by using with HTML. These language and program have been developed with great speed, but security part could not catch up with this development. As a result, it has brought a problem which is expose many server systems to the outside. In this research, we implement Web and SQL analysis program which can analysis hacking causing factor. With this analysis program, we will show you how much efficient it has compared with security patch for server system.

• Review of KIISC
• /
• v.17 no.1
• /
• pp.63-78
• /
• 2007

국제표준화기구 ITU-T SG17 WP2에서는 정보통신 보안에 관한 표준을 주도하는 연구그룹으로, 산하 7개의 연구과제(Question)를 구성하여 정보보호 표준화 작업을 진행하고 있다. 이 연구과제들 중 Q.9/17에서는 안전한 통신 서비스라는 이름으로 모바일 보안, 홈네트워크 보안, 웹 서비스 보안, 그리고 안전한 응용 프로토콜 등에 대한 표준을 개발 중에 있다. 현재, Q.9/17에서 제정된 표준은 한국과 일본이 공동으로 제안하여 2004년 3월에 제정된 모바일보안 2건(X.1121, X.1122)과 OASIS의 제안으로 2006년 6월에 제정된 웹서비스 보안 2건(X.1141, X.1142)이 표준으로 제정된 바 있다. 그리고 Q.9/17에서 작업중에 있는 표준초안은 모바일 보안 3건, 홈네트워크 보안 3건, 웹서비스 보안 1건, 안전한 응용 프로토콜 2건, P2P보안 2건 및 RFID보안 1건에 대해서 개발중에 있다. 특히, 이번 12월 제네바 회의에서는 한국 주도로 개발된 홈네트워크를 위한 보안기술 프레임워크(X.homesec-1) 표준초안이 SG17 총회에서 승인되어 국가별 의견수렴(consent)을 추진키로 합의되었다. 본 논문에서는 Q.9/17에서 수행되고 있는 표준초안들에 대해 간단히 소개하고, 2006년 9월 캐나다 오타와 회의와 2006년 12월 스위스 제네바 회의에서의 주요쟁점사항 및 토론 결과, 그리고 향후 추진방향을 제시하고자 한다.