- Volume 5 Issue 4
About 75% of software security incidents are caused by software vulnerabilities, and repairing a defect after release costs more than 30 times as much as fixing it at the design stage. Against this background, secure coding has been proposed as one way to reduce such maintenance problems, and various institutions have catalogued the weakness patterns found in standard software. Saesark, a new Korean programming language, was proposed to eliminate security weaknesses at the language level. The previous study on Saesark, however, could not resolve security weaknesses that arise through the use of APIs. This paper proposes a way to resolve such API-induced security weaknesses by adopting a static analyzer that inspects dangerous methods. It classifies the dangerous API methods into two groups: those that consume tainted data (sinks) and those through which tainted data flows into the program (sources). The analysis proceeds in four steps: searching for the dangerous methods, constructing a call graph, finding a path on the call graph from a method that lets tainted data in to a method that uses it, and reporting the security weaknesses detected. To measure the effectiveness of this method, two experiments were performed on the new version of Saesark that adopts the static analysis. The first compares it with the previous version of Saesark against the Java Secure Coding Guide; the second compares the improved Saesark with FindBugs, a Java program vulnerability analysis tool. According to the results, the improved Saesark is 15% safer than the previous version, and its F-measure is 68%, 9 percentage points higher than the 59% of FindBugs.
Secure Coding; Korean Programming Language; Safety Programming Language; Saesark
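The four-step analysis summarized in the abstract, as an added example that is not the paper's Saesark analyzer: a small Python script that uses the standard `ast` module to (1) find functions that invoke a dangerous method, (2) build a call graph, (3) search it for a path from a function that lets tainted data in to a function that uses it, and (4) report each path. The lists of source and sink methods, the sample program, and the rule that taint travels up through return values and then down through arguments are assumptions made for illustration; the paper's own method lists are not given on this page.

```python
"""Call-graph taint path finder: added example, not the paper's Saesark analyzer.
Implements the abstract's four steps over a Python program using the ast module."""
import ast
from collections import deque

# Assumed dangerous-method lists (the paper's own lists are not on the page).
TAINT_SOURCES = {"input", "sys.stdin.readline", "request.args.get"}  # taint enters
TAINT_SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}  # taint used

# Constructed sample program to analyze (not from the paper).
SAMPLE_PROGRAM = '''
import os

def read_name():
    return input("name? ")        # source: user-controlled data enters here

def run(cmd):
    os.system(cmd)                # sink: command execution

def greet():
    run("echo " + read_name())    # value flows up from read_name, down into run

def list_dir():
    os.system("ls")               # sink, but only a constant reaches it

def main():
    greet()                       # return value discarded: no up-edge from greet
    list_dir()                    # no arguments: no down-edge into list_dir
'''


def _callee_name(call):
    """Dotted name of a call target ('os.system', 'input'); None if dynamic."""
    func, parts = call.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def build_graph(source):
    """Steps 1 and 2: mark functions that call a source or a sink, and build a
    call graph split into 'up' edges (callee -> callers that use its return
    value) and 'down' edges (caller -> callees that receive an argument)."""
    tree = ast.parse(source)
    funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
    source_users, sink_users = set(), set()
    up = {f: set() for f in funcs}
    down = {f: set() for f in funcs}
    for fn in tree.body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        # Calls used as bare statements throw their return value away.
        discarded = {s.value for s in ast.walk(fn)
                     if isinstance(s, ast.Expr) and isinstance(s.value, ast.Call)}
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            callee = _callee_name(node)
            if callee in TAINT_SOURCES:
                source_users.add(fn.name)
            if callee in TAINT_SINKS:
                sink_users.add(fn.name)
            if callee in funcs:
                if node not in discarded:
                    up[callee].add(fn.name)
                if node.args or node.keywords:
                    down[fn.name].add(callee)
    return source_users, sink_users, up, down


def find_paths(source_users, sink_users, up, down):
    """Step 3: BFS from each source-using function, first up through callers
    that consume its return value, then down through callees that receive
    arguments, until a sink-using function is reached. Returns sorted paths."""
    paths = []
    for start in sorted(source_users):
        parent = {(start, "up"): None}
        queue = deque([(start, "up")])
        while queue:
            fn, phase = queue.popleft()
            if fn in sink_users:
                path, state = [], (fn, phase)
                while state is not None:
                    path.append(state[0])
                    state = parent[state]
                paths.append(path[::-1])
            nxt = [(c, "up") for c in up[fn]] if phase == "up" else []
            nxt += [(c, "down") for c in down[fn]]
            for state in nxt:
                if state not in parent:
                    parent[state] = (fn, phase)
                    queue.append(state)
    return sorted(paths)


def report(source):
    """Step 4: one finding per source-to-sink path on the call graph."""
    source_users, sink_users, up, down = build_graph(source)
    return ["tainted data may reach a sink: " + " -> ".join(p)
            for p in find_paths(source_users, sink_users, up, down)]
```

Running `report(SAMPLE_PROGRAM)` yields one finding, `read_name -> greet -> run`, and nothing for `list_dir`: plain reachability on the call graph would connect `read_name` to `list_dir` through `main` and report a false positive, which the up-then-down rule (return value consumed, argument passed) rules out. The remaining imprecision is inherent to a call-graph approach: `run` is flagged because it receives an argument and calls a sink, not because the analysis has shown that `cmd` actually reaches `os.system`; removing that class of false positive requires intra-procedural data-flow tracking on top of the path search.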
- MSIP, SPRI, Software Industry Annual Report, 2014.
- I. H. Kim, "Private information of six million Facebook users leaked" [Internet], http://news.inews24.com/php/news-_view.php?g_serial=754079&g_menu=020600.
- A. Buncombe, "Sony Pictures hack: US intelligence chief says North Korea cyberattack was 'most serious' ever against US interests," The Independent, 2015.
- S. W. Lee, "Study on the information system audit checklist for enhanced privacy," M.S. thesis, Konkuk University, Seoul, ROK, 2015.
- T. Lanowitz, "Now is the time for security at the application level," Gartner, 2005.
- G. Tassey, "The economic impacts of inadequate infrastructure for software testing," National Institute of Standards and Technology, RTI Project 7007, 2002.
- J. McManus and D. Mohindra, The CERT Sun Microsystems Secure Coding Standard for Java [Internet], http://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=34669015.
- OWASP, Welcome to OWASP [Internet], https://www.owasp.org/index.php/Main_Page.
- CWE, A community Developed Dictionary of Software Weakness Types [Internet], http://cwe.mitre.or/.
- JSF, The F-35 Lightning II Program [Internet], http://www.jsf.mil/.
- MISRA, The Motor Industry Software Reliability Association [Internet], http://www.misra.org.uk/.
- J. S. Cheon, D. H. Kang, and G. Woo, "A Concise Korean Programming Language Sprout," Journal of KIISE, Vol.42, No.4, pp.496-503, 2015. https://doi.org/10.5626/JOK.2015.42.4.496
- D. H. Kang, Y. E. Kim, and G. Woo, "A Study on Improving Runtime Safety of a Sprout through Analysis of Java Secure Coding Guide," Proc. of the KIISE Korea Computer Congress 2015, pp.1751-1753, 2015.
- OWASP, "OWASP Top 10-2013," The Ten Most Critical Web Application Security Risks, 2013.
- B. Martin, M. Brown, A. Paller, and D. Kirby. "2011 CWE/SANS top 25 most dangerous software errors," Common Weakness Enumeration, 2011.
- HP, IT Security in the Idea Economy [Internet], https://www.hpe.com/us/en/solutions/security.html.
- Coverity, Coverity Software Testing Platform [Internet], http://www.coverity.com/products/.
- IBM, IBM Security AppScan [Internet], http://www-03.ibm.com/software/products/en/appscan.
- FindBugs, FindBugs because it's easy [Internet], http://findbugs.sourceforge.net/findbugs2.html.
- N. Ayewah, W. Pugh, J. D. Morgenthaler, J. Penix, and Y. Q. Zhou, "Evaluating static analysis defect warnings on production software," Proceedings of the 7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, ACM, pp.1-8, 2007.
- Evenstar, BigLook is the financial and enterprise security weaknesses SW diagnostic system optimized for enterprise environments [Internet], http://www.evenstar.co.kr/index-.php.
- Trinitysoft, The Trinitysoft is committed to providing the best Web application security solutions [Internet], http://www.trinitysoft.co.kr/page/solution_04.
- GTONE, SecurityPrism is secure coding solution to ensure safe application since the early stages of development [Internet], http://www.gtone.co.kr/main/ag/sp.php.
- Fasoo, SPARROW is a source code analysis tool, using static analysis [Internet], http://www.fasoo.com/site/fasoo/sourcecodeanalysis/sparrow.do.
- Y. E. Kim, J. W. Song, and G. Woo, "A Design of a Korean Programming Language Ensuring Run-Time Safety through Categorizing C Secure Coding Rules," Journal of KIISE, Vol.42, No.4, pp.487-495, 2015. https://doi.org/10.5626/JOK.2015.42.4.487
- V. B. Livshits and M. S. Lam, "Finding Security Vulnerabilities in Java Applications with Static Analysis," Proc. USENIX Security Symposium, pp.18-18, 2005.
- D. E. Knuth, "An empirical study of FORTRAN programs," Software: Practice and Experience, Vol.1, No.2, pp.105-133, 1971. https://doi.org/10.1002/spe.4380010203
- A. V. Aho, R. Sethi, and J. D. Ullman, "Compilers: Principles, Techniques, and Tools," 2nd ed., Pearson, 2014.
- T. Boland and P. E. Black, "Juliet 1.1 C/C++ and Java test suite," Computer, Vol.45, No.10, pp.88-90, 2012.
- NIST and NSA CAS, Juliet Test Suite for Java and C/C++ [Internet], https://samate.nist.gov/SRD/testsuite.php.
Grant: BK21 Plus
Supported by: Pusan National University (부산대학교)