• Journal of Information Processing Systems
• /
• v.6 no.1
• /
• pp.91-106
• /
• 2010

The rapid growth of communication and globalization has changed the software engineering process. Security has become a crucial component of any software system. However, software developers often lack the knowledge and skills needed to develop secure software. Clearly, the creation of secure software requires more than simply mandating the use of a secure software development lifecycle; the components produced by each stage of the lifecycle must be correctly implemented for the resulting system to achieve its intended goals. This study demonstrates that a more effective approach to the development of secure software can result from the integration of carefully selected security patterns into appropriate stages of the software development lifecycle to ensure that security designs are correctly implemented. The goal of this study is to provide developers with an Integrated Security Development Framework (ISDF) that can assist them in building more secure software.

• Journal of Advanced Navigation Technology
• /
• v.14 no.2
• /
• pp.247-252
• /
• 2010

According to IT technology has evolved, a lot of information are moving through network. The correct internet users can obtain useful information. But incorrect users expose information and cause various damage for malicious purpose. To solve this problem, various information security products are being developed. For development of secure information security product, the development process should be secure. Also evaluation system is being used about product evaluation and security module for the assurance of secure product. In this paper, we proposed assurance system for secure development of information security product. Therefore this paper proposed more secure product development and assurance scheme.

• Journal of Korean Society for Quality Management
• /
• v.47 no.1
• /
• pp.151-162
• /
• 2019

Purpose: This study is in order to secure high quality of military supplies, it is important to secure design quality in the development phase. I will review how to establish a quality assurance system in the development phase based on the author's seminar presentation contents and application example of Hanwha Systems Co., Ltd. Methods: To guarantee design quality in the development phase, in 2002, quality assurance system that is adequate for SQA(Software Quality Assurance)'s requirements of CMM(Capability Maturity Model) was conduct. In 2009, based on the CMMI(Capability Maturity Model Integration) Level 5, there has been continuous and reenforced quality assurance activities. Results: By suggesting the construction and a case study on application of R&D quality assurance, it would be helpful for companies aiming to construct or enhance quality assurance system. Conclusion: To secure high quality for military supplies, a development QA system should be established to secure quality in the development phase. In addition, Total life cycle QA system for development, mass production and operation phase should be reestablished.

• Nuclear Engineering and Technology
• /
• v.46 no.1
• /
• pp.47-54
• /
• 2014

The protection of nuclear safety software is essential in that a failure can result in significant economic loss and physical damage to the public. However, software security has often been ignored in nuclear safety software development. To enforce security considerations, nuclear regulator commission recently issued and revised the security regulations for nuclear computer-based systems. It is a great challenge for nuclear developers to comply with the security requirements. However, there is still no clear software development process regarding security activities. This paper proposes an integrated development process suitable for the secure development requirements and system security requirements described by various regulatory bodies. It provides a three-stage framework with eight security activities as the software development process. Detailed descriptions are useful for software developers and licensees to understand the regulatory requirements and to establish a detailed activity plan for software design and engineering.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.5
• /
• pp.909-928
• /
• 2020

From the early 1970s, the US government began to recognize that penetration testing could not assure the security quality of products. Results of penetration testing such as identified vulnerabilities and faults can be varied depending on the capabilities of the team. In other words none of penetration team can assure that "vulnerabilities are not found" is not equal to "product does not have any vulnerabilities". So the U.S. government realized that in order to improve the security quality of products, the development process itself should be managed systematically and strictly. Therefore, the US government began to publish various standards related to the development methodology and evaluation procurement system embedding "security-by-design" concept from the 1980s. Security-by-design means reducing product's complexity by considering security from the initial phase of development lifecycle such as the product requirements analysis and design phase to achieve trustworthiness of product ultimately. Since then, the security-by-design concept has been spread to the private sector since 2002 in the name of Secure SDLC by Microsoft and IBM, and is currently being used in various fields such as automotive and advanced weapon systems. However, the problem is that it is not easy to implement in the actual field because the standard or guidelines related to Secure SDLC contain only abstract and declarative contents. Therefore, in this paper, we present the new framework in order to specify the level of Secure SDLC desired by enterprises. Our proposed CIA (functional Correctness, safety Integrity, security Assurance)-level-based security-by-design framework combines the evidence-based security approach with the existing Secure SDLC. Using our methodology, first we can quantitatively show gap of Secure SDLC process level between competitor and the company. Second, it is very useful when you want to build Secure SDLC in the actual field because you can easily derive detailed activities and documents to build the desired level of Secure SDLC.

• International Journal of Computer Science & Network Security
• /
• v.23 no.6
• /
• pp.169-175
• /
• 2023

Ethical hackers are using different tools and techniques to encounter malicious cyber-attacks generated by bad hackers. During the software development process, development teams typically bypass or ignore the security parameters of the software. Whereas, with the advent of online web-based software, security is an essential part of the software development process for implementing secure software. Security features cannot be added as additional at the end of the software deployment process, but they need to be paid attention throughout the SDLC. In that view, this paper presents a new, Ethical Hacking - Software Development Life Cycle (EH-SDLC) introducing ethical hacking processes and phases to be followed during the SDLC. Adopting these techniques in SDLC ensures that consumers find the end-product safe, secure and stable. Having a team of penetration testers as part of the SDLC process will help you avoid incurring unnecessary costs that come up after the data breach. This research work aims to discuss different operating systems and tools in order to facilitate the secure execution of the penetration tests during SDLC. Thus, it helps to improve the confidentiality, integrity, and availability of the software products.

• The KIPS Transactions:PartA
• /
• v.11A no.6
• /
• pp.439-450
• /
• 2004

Mobile agents are autonomous and dynamic entities that can migrate among various nodes in the network. Java's Jini framework facilitates mobile agent system development, providing hey features for distributed network programming. However, due to the security weakness, Jinil.0 service has a fundamental limitation on developing mobile agent systems which support secure remote communications. In this paper, we describe a Jini2.0-based secure mobile agent system named SecureJMoblet. On the top of Jini2.0, the system provides basic functionalities of a mobile agent system such as creation, transfer and control. In addition, with the SeureJS developed for secure JavaSpace service, SecureJMoblet supports a secure object repository and a reliable communication among mobile agents.

• Convergence Security Journal
• /
• v.18 no.2
• /
• pp.69-76
• /
• 2018

The purpose of this study is to prevent cyber crime in private company systems by applying secure coding and identify its problems. Three experiments were conducted. In Experiment 1, a security manager was participated and gave advise to the developer to follow secure coding guidelines. In Experiment 2, a security manager did not participate, but let the developer himself committed on secure coding. In Experiment 3, a security manager provided reports on weaknesses of each package source to the developer and the developer was only focused on source development. The research results showed that the participation of a security manager on development raised secure coding compliance rate and finished the project within a given periods. Furthermore, it was better to entrust a security manager with the task of following the secure coding guide than the developer, which raised secure coding compliance rate and achieved project objectives faster. Further implications were discussed.

• Journal of IKEEE
• /
• v.22 no.2
• /
• pp.242-249
• /
• 2018

In this paper, we identify the code vulnerabilities that can be automatically detected through Visual Studio (VS) compiler and code analyzer based on a secure coding rule set which is optimized for development of battlefield information system. Then we describe a weak point item that can be dealt with at the implementation stage without depending on the understanding or ability of the individual programmer's secure coding through the implementation of the secure coding library. Using VS compiler and the code analyzer, the developers can detect only about 38% of security weaknesses. But with the help of the proposed secure coding library, about 48% of security weaknesses can be detected and prevented in the proactive diagnosis in the development stage.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.2
• /
• pp.646-663
• /
• 2014

Scrum is one of the most popular and efficient agile development methods. However, like other agile methods such as Extreme Programming (XP), Feature Driven Development (FDD), and the Dynamic Systems Development Method (DSDM), Scrum has been criticized because of lack of support to develop secure software. Thus, in 2011, we published research proposing the idea of a security backlog (SB). This paper represents the continuation of our previous research, with a focus on the evaluation in industry-based case study. Our findings highlight an improved agility in Scrum after the integration of SB. Furthermore, secure software can be developed quickly, even in situations involving requirement changes of software. Based on our experimental findings, we noticed that, when integrating SB, it is quite feasible to develop secure software using an agile Scrum model.