Cost Based Vulnerability Control Method Using Static Analysis Tool

Korean title: Cost-Based Vulnerability Handling Method Using a Static Analysis Tool

  • Received : 2015.11.30
  • Accepted : 2016.01.22
  • Published : 2016.03.31


When software is developed, applying development methods that take security into account creates the problem of additional cost. This additional cost is the reason many development organizations do not consider security at all. Even when development does proceed with security in mind, there is no established way to determine how many vulnerabilities can be handled within a given cost. In this paper, we propose a method for calculating the vulnerability throughput so that security vulnerabilities can be handled cost-effectively. The proposed method focuses on the implementation phase of software development and uses static analysis tools to find security vulnerabilities from the CWE Top 25. For each vulnerability found, it defines the risk, the handling cost and the risk cost, and from these it defines a processing priority. Using the information in the CWE, it calculates the cost consumed when the detected vulnerabilities are handled in the defined priority order, and it controls the vulnerability throughput so that it stays within the input cost. When the method is applied, it is expected that the maximum amount of vulnerability risk can be handled within the input cost.
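As an added illustration, not code from the paper, the budget-controlled prioritization described above in Python: each static-analysis finding carries a risk score and a handling cost, findings are handled in priority order, and handling stops at the input cost. The priority metric (risk cost per unit of handling cost), the unit cost of risk, and the sample findings are assumptions of this example; the CWE ids are real Top 25 entries used only as labels.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One static-analysis result. Units are assumptions of this example:
    risk on a 0..100 severity scale, handling_cost in person-hours."""
    cwe_id: str
    location: str
    risk: float
    handling_cost: float


def risk_cost(f: Finding, cost_per_risk_unit: float) -> float:
    """Assumed risk-cost model: expected loss from leaving the finding open."""
    return f.risk * cost_per_risk_unit


def priority(f: Finding, cost_per_risk_unit: float) -> float:
    """Assumed priority metric: risk cost removed per unit of handling cost."""
    return risk_cost(f, cost_per_risk_unit) / f.handling_cost


def plan_within_budget(findings: List[Finding], budget: float,
                       cost_per_risk_unit: float = 1.0) -> Tuple[List[Finding], float, float]:
    """Handle findings in priority order, skipping any whose handling cost
    would push the consumed cost past the budget.
    Returns (handled findings, consumed cost, total risk handled)."""
    ordered = sorted(findings, key=lambda f: priority(f, cost_per_risk_unit), reverse=True)
    handled, consumed = [], 0.0
    for f in ordered:
        if consumed + f.handling_cost <= budget:
            handled.append(f)
            consumed += f.handling_cost
    return handled, consumed, sum(f.risk for f in handled)


# Constructed sample findings (CWE ids are real Top 25 entries; scores and paths are invented).
SAMPLE_FINDINGS = [
    Finding("CWE-89",  "db/query.c:42",     risk=90.0, handling_cost=8.0),
    Finding("CWE-79",  "web/render.js:17",  risk=70.0, handling_cost=4.0),
    Finding("CWE-120", "net/parse.c:210",   risk=85.0, handling_cost=20.0),
    Finding("CWE-798", "auth/config.py:5",  risk=60.0, handling_cost=2.0),
    Finding("CWE-22",  "files/serve.py:88", risk=65.0, handling_cost=6.0),
]

if __name__ == "__main__":
    for budget in (10.0, 20.0):
        handled, consumed, risk = plan_within_budget(SAMPLE_FINDINGS, budget)
        print(f"budget {budget:>4}: handled {[f.cwe_id for f in handled]} "
              f"cost {consumed} risk {risk}")
```

With a budget of 20 hours the expensive CWE-120 finding is deferred and the four cheaper, higher-priority findings consume the budget exactly; halving the budget to 10 hours drops the plan to the two highest-priority findings.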


Vulnerability Treatment; Cost Based; Static Analysis




Grant : Development of Autonomous Intelligent Knowledge/Device Collaboration Framework Technology

Supported by : Institute for Information & Communications Technology Promotion (정보통신기술진흥센터)