• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.5
• /
• pp.909-928
• /
• 2020

From the early 1970s, the US government began to recognize that penetration testing could not assure the security quality of products. Results of penetration testing such as identified vulnerabilities and faults can be varied depending on the capabilities of the team. In other words none of penetration team can assure that "vulnerabilities are not found" is not equal to "product does not have any vulnerabilities". So the U.S. government realized that in order to improve the security quality of products, the development process itself should be managed systematically and strictly. Therefore, the US government began to publish various standards related to the development methodology and evaluation procurement system embedding "security-by-design" concept from the 1980s. Security-by-design means reducing product's complexity by considering security from the initial phase of development lifecycle such as the product requirements analysis and design phase to achieve trustworthiness of product ultimately. Since then, the security-by-design concept has been spread to the private sector since 2002 in the name of Secure SDLC by Microsoft and IBM, and is currently being used in various fields such as automotive and advanced weapon systems. However, the problem is that it is not easy to implement in the actual field because the standard or guidelines related to Secure SDLC contain only abstract and declarative contents. Therefore, in this paper, we present the new framework in order to specify the level of Secure SDLC desired by enterprises. Our proposed CIA (functional Correctness, safety Integrity, security Assurance)-level-based security-by-design framework combines the evidence-based security approach with the existing Secure SDLC. Using our methodology, first we can quantitatively show gap of Secure SDLC process level between competitor and the company. Second, it is very useful when you want to build Secure SDLC in the actual field because you can easily derive detailed activities and documents to build the desired level of Secure SDLC.

• International Journal of Computer Science & Network Security
• /
• v.23 no.6
• /
• pp.169-175
• /
• 2023

Ethical hackers are using different tools and techniques to encounter malicious cyber-attacks generated by bad hackers. During the software development process, development teams typically bypass or ignore the security parameters of the software. Whereas, with the advent of online web-based software, security is an essential part of the software development process for implementing secure software. Security features cannot be added as additional at the end of the software deployment process, but they need to be paid attention throughout the SDLC. In that view, this paper presents a new, Ethical Hacking - Software Development Life Cycle (EH-SDLC) introducing ethical hacking processes and phases to be followed during the SDLC. Adopting these techniques in SDLC ensures that consumers find the end-product safe, secure and stable. Having a team of penetration testers as part of the SDLC process will help you avoid incurring unnecessary costs that come up after the data breach. This research work aims to discuss different operating systems and tools in order to facilitate the secure execution of the penetration tests during SDLC. Thus, it helps to improve the confidentiality, integrity, and availability of the software products.

• Convergence Security Journal
• /
• v.12 no.6
• /
• pp.93-99
• /
• 2012

As the most common application development of software development time, error-free quality, adaptability to frequent maintenance, such as the need for large and complex software challenges have been raised. When developing web applications to respond to software reusability, reliability, scalability, simplicity, these quality issues do not take into account such aspects traditionally. In this situation, the traditional development methodology to solve the same quality because it has limited development of new methodologies is needed. Quality of applications the application logic, data, and architecture in the entire area as a separate methodology can achieve your goals if you do not respond. In this study secure coding, the big issue, web application factors to deal with security vulnerabilities, web application architecture, design procedure is proposed. This proposal is based on a series of ISO/IEC9000, a web application architecture design process.

• KIPS Transactions on Computer and Communication Systems
• /
• v.6 no.3
• /
• pp.121-134
• /
• 2017

With rapid increasing the development and use of IoT Devices, requirements for safe IoT devices and services such as reliability, security are also increasing. In Security engineering, SDLC (Secure Development Life Cycle) is applied to make the trustworthy system. Secure Development Life Cycle has 4 big steps, Security requirements, Design, Implementation and Operation and each step has own goals and activities. Deriving security requirements, the first step of SDLC, must be accurate and objective because it affect the rest of the SDLC. For accurate and objective security requirements, Threat modeling is used. And the results of the threat modeling can satisfy the completeness of scope of analysis and the traceability of threats. In many countries, academic and IT company, a lot of researches about drawing security requirements systematically are being done. But in domestic, awareness and researches about deriving security requirements systematically are lacking. So in this paper, I described about method and process to drawing security requirements systematically by using threat modeling including DFD, STRIDE, Attack Library and Attack Tree. And also security requirements are described via Common Criteria for delivering objective meaning and broad use of them.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.2
• /
• pp.127-137
• /
• 2012

Recently, as modern Internet uses mashups, Web 3.0, JavaScript/AJAX widely, the rate at which new vulnerabilities are being discovered is increasing rapidly. It can subsequently introduce big security threats. In order to efficiently mitigate these web application vulnerabilities and security threats, it is needed to rank vulnerabilities based on severity and consider the severe vulnerabilities during a specific phase of software development lifecycle (SDLC) for web applications. In this paper, we have first verified whether the risk rating methodology of OWASP Top 10 vulnerabilities is a reasonable one or not by analyzing the vulnerability data of web applications in the US National Vulnerability Database (NVD). Then, by inspecting the vulnerability information of web applications based on OWASP Top-10 2010 list and CWE (Common Weakness Enumeration) directory, we have mapped the web-related entries of CWE onto the entries of OWASP Top-10 2010 and prioritized them. We have also presented which phase of SDLC is associated with each vulnerability entry. Using this approach, we can prevent or mitigate web application vulnerabilities and security threats efficiently.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.38C no.4
• /
• pp.335-343
• /
• 2013

If the SW weaknesses, which are the main cause of cyber breaches, are analyzed and removed in the SW development stages, the cyber breaches can be prevented effectively. In case of Domestic, removing SW weaknesses by applying Secure SDLC(SW Development Life Cycle) has become mandatory. In order to analyze and remove the SW weaknesses effectively, reliable SW weakness diagnostic tools are required. Therefore, we propose the functional requirements of diagnostic tool which is suitable for the domestic environment and the evaluation methodology which can assure the reliability of the diagnostic tools. Then, to analyze the effectiveness of the proposed evaluation framework, both demonstration results and process are presented.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.6
• /
• pp.1463-1475
• /
• 2019

Unlike the past, modern high-tech weapons systems are complex and many components are combined to form a weapons system. In addition, unlike the past, where hardware was the main component, the proportion of software is increasing every year, making the security assurance activities of weapon systems more difficult than in the past. The United States has been working to ensure the security of the weapons systems they develop since the 1960s. The findings were made to US internal standards, updated regularly, and are now being applied as RMF. In Korea, research activities have been conducted since 2010 based on the RMF of the United States. However, actual RMF application cases in the United States cannot be classified and obtained, and there are no official cases in Korea. In this paper, we apply Korean RMF research that has been studied so far to apply to the recently developed real weapon system. Thus, detailed guidelines for applying the RMF are presented.

• Journal of Internet Computing and Services
• /
• v.22 no.6
• /
• pp.83-89
• /
• 2021

The RMF (Cyber Security Risk Management Framework) is a more strengthened U.S. defense cybersecurity framework that is currently used throughout the U.S. federal government beyond the defense sector. In the past decade, the proportion of cyber warfare in non-regular warfare encountered by the United States, especially cyberattacks caused by China and North Korea, has been increasing. In the end, the U.S. is newly establishing an RMF system to prepare a more strengthened cybersecurity policy at the pan-government level, and the U.S. Department of Defense aims to expand the U.S. defense RMF evaluation policy beyond the federal government level. The South Korean military has already applied RMF at the request of the U.S. that notified the policy to apply RMF when obtaining F-35A. The application of RMF by the Korean military is no longer inevitable. Now is the time for the Korean military to seriously think about what to prepare for the early establishment of a successful Korean RMF system.

• KIPS Transactions on Software and Data Engineering
• /
• v.9 no.12
• /
• pp.387-402
• /
• 2020

Conventional automotive development has mainly focused on ensuring correctness and safety and security has been relatively neglected. However, as the number of automotive hacking cases has increased due to the increased Internet connectivity of automobiles, international organizations such as the United Nations Economic Commission for Europe(UNECE) are preparing cybersecurity regulations to ensure security for automotive development. As with other IT products, automotive cybersecurity regulation also emphasize the concept of "Security by Design", which considers security from the beginning of development. In particular, since automotive development has a long lifecycle and complex supply chain, it is very difficult to change the architecture after development, and thus Security by Design is much more important than existing IT products. The problem, however, is that no specific methodology for Security by Design has been proposed on automotive development process. This paper, therefore, proposes a specific methodology for Security by Design on Automotive development. Through this methodology, automotive manufacturers can simultaneously consider aspects of functional safety, and security in automotive development process, and will also be able to respond to the upcoming certification of UNECE automotive cybersecurity regulations.