• International Journal of Computer Science & Network Security
• /
• v.23 no.6
• /
• pp.169-175
• /
• 2023

Ethical hackers are using different tools and techniques to encounter malicious cyber-attacks generated by bad hackers. During the software development process, development teams typically bypass or ignore the security parameters of the software. Whereas, with the advent of online web-based software, security is an essential part of the software development process for implementing secure software. Security features cannot be added as additional at the end of the software deployment process, but they need to be paid attention throughout the SDLC. In that view, this paper presents a new, Ethical Hacking - Software Development Life Cycle (EH-SDLC) introducing ethical hacking processes and phases to be followed during the SDLC. Adopting these techniques in SDLC ensures that consumers find the end-product safe, secure and stable. Having a team of penetration testers as part of the SDLC process will help you avoid incurring unnecessary costs that come up after the data breach. This research work aims to discuss different operating systems and tools in order to facilitate the secure execution of the penetration tests during SDLC. Thus, it helps to improve the confidentiality, integrity, and availability of the software products.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.5
• /
• pp.909-928
• /
• 2020

From the early 1970s, the US government began to recognize that penetration testing could not assure the security quality of products. Results of penetration testing such as identified vulnerabilities and faults can be varied depending on the capabilities of the team. In other words none of penetration team can assure that "vulnerabilities are not found" is not equal to "product does not have any vulnerabilities". So the U.S. government realized that in order to improve the security quality of products, the development process itself should be managed systematically and strictly. Therefore, the US government began to publish various standards related to the development methodology and evaluation procurement system embedding "security-by-design" concept from the 1980s. Security-by-design means reducing product's complexity by considering security from the initial phase of development lifecycle such as the product requirements analysis and design phase to achieve trustworthiness of product ultimately. Since then, the security-by-design concept has been spread to the private sector since 2002 in the name of Secure SDLC by Microsoft and IBM, and is currently being used in various fields such as automotive and advanced weapon systems. However, the problem is that it is not easy to implement in the actual field because the standard or guidelines related to Secure SDLC contain only abstract and declarative contents. Therefore, in this paper, we present the new framework in order to specify the level of Secure SDLC desired by enterprises. Our proposed CIA (functional Correctness, safety Integrity, security Assurance)-level-based security-by-design framework combines the evidence-based security approach with the existing Secure SDLC. Using our methodology, first we can quantitatively show gap of Secure SDLC process level between competitor and the company. Second, it is very useful when you want to build Secure SDLC in the actual field because you can easily derive detailed activities and documents to build the desired level of Secure SDLC.

• Review of KIISC
• /
• v.25 no.1
• /
• pp.26-31
• /
• 2015

악의적인 공격에 대해 안전한 소프트웨어를 개발하고자 하는 보안강화 활동은 소프트웨어개발 생명주기(SDLC)의 모든 단계에서 수행되어야 한다. 시큐어코딩은 개발 단계에서 적용될 수 있는 안전한 코딩 기법으로 실행코드가 지닐 수 있는 취약성의 근본 원인을 소스코드 수준에서 제거하고자 하는 시도이다. 그럼에도 불구하고 시큐어코딩을 구현활동의 일부로만 국한시켜 보는 시각은 기법이 갖는 장점을 충분히 살리지 못할 수 있다. 외국에서는 이미 시큐어코딩의 적용과 평가를 SDLC 수준에서 시행하고 있으며 시큐어 SDLC로 분류되는 BSIMM과 SAMM, MS SDL은 이러한 시도의 대표적인 사례라 할 수 있다. 본 고에서는 이들 보안 프레임워크를 대상으로 시큐어코딩이 어떻게 정의되고, 수행되며, 평가되는지 비교를 통해 효과적인 시큐어코딩 활동의 이해를 돕고자 한다.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.11 no.3
• /
• pp.926-930
• /
• 2010

This paper is about a development framework, which is required to develop of security system is based on component. With applying of SDLC(system development life cycle) of information system, the application of information security products DLC is required at this point of time. In this paper, we review NIST requirement specification of development method, requirement criteria of SDLC in each stage, and major security guidelines of risk assessment. Also we are reviewed major security element of SDLC, and to aid understanding of security framework based on component, present the relationship fo security design and DFD in respect of spoofing for the outside entity based on threat tree STRIDE.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.16 no.9
• /
• pp.828-837
• /
• 1991

본 논문에서는 CCITT에서 채택된 X.2.5 network과 IBM이 채택한 System network architecture(SNA)의 synchronous data link control(SDLC)간의 protocol converter의 성능 분석을 한다. 여기서 protocol converter의 link level map-ping method를 사용하여 구현 되었다고 가정한다. 성능 분석을 통하여 각종 parameter에 대한 throughput과 mean waiting time을 구하며, 다양한 paramerter에 대하여 최적의 값을 조사한다. 특히 converter가 추정한 SDLC frame이 X.25. network packetizing과 규정한 최대 data packet size 보다 더 클 경우에 frame을 분할하게 되는데. 분할방식에 있어서 full and remainder packetzing과 equal packetizing 도입하여 서로간의 성능을 비교한다. message를 분할 할 때 조격으로 나누는 것이 frame의 오류를 줄일 수 있기 때문에 전자보다 후자가 성능면에서 우수함을 알 수 있다.

• Journal of the Korea Society of Computer and Information
• /
• v.16 no.11
• /
• pp.179-187
• /
• 2011

Though any method in various software development methodology is selected and used in performing IT project, there are quite a few problems in applying it to the project environment, thus customizing effort as a reasonable method is continuously demanded. Therefore, the study attempted to track a basic frame formation process of quality management model applying the software development methodology based on SDLC that is widely used. The study analyzes and modelized an empirical cases of a financial company that is relatively highly rated by expert groups through a variety of trial and error and continued supplementation for it for a long time. And in addition to it, it analyzes cases of public institute project, derives problems, and also proposes a guideline related to creating artifact.

• International Journal of Computer Science & Network Security
• /
• v.21 no.7
• /
• pp.191-204
• /
• 2021

The software development life cycle (SDLC) is a procedure used to develop a software system that meets both the customer's needs and real-world requirements. The first phase of the SDLC involves creating a conceptual model that represents the involved domain in reality. In requirements engineering, building such a model is considered a bridge to the design and construction phases. However, this type of model can also serve as a basic model for identifying business processes and how these processes are interconnected to achieve the final result. This paper focuses on process modeling in organizations, per se, beyond its application in the SDLC when an organization needs further documentation to meet its growth needs and address regular changes over time. The resultant process documentation is created alongside the daily operations of the business process. The model provides visualization and documentation of processes to assist in defining work patterns, avoiding redundancy, or even designing new processes. In this paper, a proposed diagrammatic representation models each process using one diagram comprising five actions and two types of relations to build three levels of depiction. These levels consist of a static description, events, and the behavior of the modeled process. The viability of a thinging machine is demonstrated by re-modeling some examples from the literature.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.5
• /
• pp.115-126
• /
• 2012

It is very important to trace whether all the requirements has been reflected in the developed system. However, most existing researches apply Requirement Traceability Matrix(RTM) to the whole SDLC according to the development methodology. RTM has no practical value because it has not only too many pursuit items but also its tracking method is very complicated and the practical management in developing the information system is not accomplished nearly. Therefore, in this study, we proposed an enhanced RTM which was composed of only necessary items and allow us to manage the applied area effectively from Request for Proposal(RFP) or the proposal stage to SDLC stage then confirmed the effect through six actual applicable cases of information system development project of "K" company.

• Review of KIISC
• /
• v.26 no.1
• /
• pp.34-41
• /
• 2016

최근 사이버 공격은 분야와 대상을 막론하지 않고 곳곳에서 발생하고 있으며 소프트웨어의 보안 취약점을 이용한 지능적인 수법으로 지속적인 공격을 수행하는 APT 공격 또한 확산하고 있다. 이와 같은 공격을 예방하기 위해서는 공격에 직접 이용되는 소프트웨어 보안 취약점을 사전에 제거해야 한다. 소프트웨어 보안 취약점(vulnerability)의 원천 원인은 소프트웨어 허점, 결점, 오류와 같은 보안 약점(weakness)이다. 그러므로 소프트웨어에서 보안 약점은 개발 단계에서 완전히 제거하는 것이 가장 좋다. 이를 위해 소프트웨어 개발 생명주기(SDLC:Software Development Life Cycle) 전반에 걸쳐 보안성을 강화하는 활동을 수행한다. 이는 소프트웨어 배포 이후에 발생할 수 있는 보안 취약점에 대한 보안 업데이트 및 패치에 대한 비용을 효과적으로 감소시키는 방안이기도 한다. 본 논문에서는 소프트웨어 개발 단계 보안을 강화한 소프트웨어 개발 생명주기로서 시큐어 SDLC에 대한 주요 사례를 소개한다.

• The Magazine of the IEIE
• /
• v.11 no.2
• /
• pp.17-21
• /
• 1984

SNA(systems network architecture)는 가장 널리 이용되고 있는 네트워크 구성 방법의 하나로서 IBM 뿐만 아니라 FACOM, TANDEM 등의 타기종에서도 SNA 방식의 네트워크 구성 방법을 제공하고 있는데 국내에서는 SNA/SDLC 프로토콜에 의하여 호스트와 communication하는 IBM 3274형의 TCU(terminal control unit)에 2-바이트 한글의 처리 기능을 추가한 단말기들을 주로 이용하고 있다. 본 논고에서는 SNA의 개념 및 특성에 관한 간단한 소개와 더불어 3274 TCU의 기능, 한글 데이터의 표현 및 통신 방법 등에 관하여 간단히 기술하고자 한다.