• Journal of KIISE
• /
• v.42 no.4
• /
• pp.487-495
• /
• 2015

Since most of information is computerized nowadays, it is extremely important to promote the security of the computerized information. However, the software itself can threaten the safety of information through many abusive methods enabled by coding mistakes. Even though the Secure Coding Guide has been proposed to promote the safety of information by fundamentally blocking the hacking methods, it is still hard to apply the techniques on other programming languages because the proposed coding guide is mainly written for C and Java programmers. In this paper, we reclassified the coding rules of the Secure Coding Guide to extend its applicability to programming languages in general. The specific coding guide adopted in this paper is the C Secure Coding Guide, announced by the Ministry of Government Administration and Home Affairs of Korea. According to the classification, we applied the rules of programming in Sprout, which is a newly proposed Korean programming language. The number of vulnerability rules that should be checked was decreased in Sprout by 52% compared to C.

• Journal of Digital Convergence
• /
• v.13 no.1
• /
• pp.257-262
• /
• 2015

The ministry of security and public administration provide the secure coding guide that can remove the vulnerability of applications and defend cyber attack from the coding step because cyber attack like the hacking about 75% abusing the vulnerability of applications. In this paper we find the oder of priority and did the criticality analysis used by AHP about 7 items in the secure coding which the ministry of security and public administration provide. The result is decided that 'exception handling' is the most important item. There is no secure coding items in software supervision currently, therefore the result of the research will make good use audit standards in the process of the software development.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2014.05a
• /
• pp.595-598
• /
• 2014

The cyber attacks of recent attacks that target zero-day exploit security vulnerabilities before the security patch is released (Zero Day) attack, the web site is without the Lord. These attacks, those that use the vulnerability of security that is built into the software itself is in most cases, cyber attacks that use the vulnerability of the security of the source code, in particular, has a characteristic response that are difficult to security equipment. Therefore, it is necessary to eliminate the security vulnerability from step to implement the software to prevent these attacks. In this paper, we try to design a Secure Coding Guide support tool to eliminate the threat of security from the stage of implementation.

• Convergence Security Journal
• /
• v.18 no.2
• /
• pp.69-76
• /
• 2018

The purpose of this study is to prevent cyber crime in private company systems by applying secure coding and identify its problems. Three experiments were conducted. In Experiment 1, a security manager was participated and gave advise to the developer to follow secure coding guidelines. In Experiment 2, a security manager did not participate, but let the developer himself committed on secure coding. In Experiment 3, a security manager provided reports on weaknesses of each package source to the developer and the developer was only focused on source development. The research results showed that the participation of a security manager on development raised secure coding compliance rate and finished the project within a given periods. Furthermore, it was better to entrust a security manager with the task of following the secure coding guide than the developer, which raised secure coding compliance rate and achieved project objectives faster. Further implications were discussed.

• Journal of Korea Multimedia Society
• /
• v.15 no.11
• /
• pp.1349-1357
• /
• 2012

In recent years, security accidents which are becoming the socially hot issue not only cause financial damages but also raise outflow of private information. Most of the accidents have been immediately caused by the software weakness. Moreover, it is difficult for software today to assure reliability because they exchange data across the internet. In order to solve the software weakness, developing the secure software is the most effective way than to strengthen the security system for external environments. Therefore, suggests that the coding guide has emerged as a major security issue to eliminate vulnerabilities in the coding stage for the prevention of security accidents. Developers or administrators effectively in order to use secure coding coding secure full set of security weaknesses organized structurally and must be managed. And the constant need to update new information, but the existing Secure Coding and Security weakness is organized structurally do not. In this paper, we will define and introduce the structured weakness for mobile applications by the surveys of existing secure coding and coding rules for code analysis tools in Java.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.5
• /
• pp.1179-1189
• /
• 2012

We propose an improvement on the Guideline of Secure Software Development for Korea e-Government that is under revision by the Ministry of Public Administration and Security in 2012. We adopted a rule-oriented organization instead shifting from the current weakness-oriented one. The correspondence between the weakness and coding rules is identified. Also, added is the coverage of diagnostic tools over the rules to facilitate the usage by programmers during coding period When the proposed guideline is applied to secure software development, the weakness would be controlled indirectly by enforcing coding rules. Programmers responsibility would be limited to the compliance of the rules, while the current version implies that it is programmers responsibility to guarantee being free from the weakness, which is hard to achieve at reasonable cost.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2016.01a
• /
• pp.105-106
• /
• 2016

본 논문에서는 S/W 개발 보안 지침에서 설계 단계의 보안 코딩 지침을 알려준다. 크로스 사이트 스크립트 공격 취약점(XSS)에서부터 자원 삽입 까지 S/W 보안 취약점의 주요 내용을 입력 데이터의 검증 및 표현에 맞추어 지침을 전달하도록 한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2010.11a
• /
• pp.252-255
• /
• 2010

소프트웨어가 대형화되고 복잡해짐에 따라 소프트웨어에 내재하고 있는 소프트웨어 허점(weakness)의 발생률이 높다. 이런 허점은 컴파일러에 의해 탐지되지 않고, 공격자에 의해 발견되기 쉽다는 특징이 있기 때문에 소프트웨어 취약성을 야기한다. 스마트폰의 확산으로 인해 다양한 종류의 스마트폰 앱이 개발되고 있다. 이에 따라 스마트폰 앱이 대형화되고 복잡해지고 있으므로, 여기에 내재하는 소프트웨어 허점을 사전에 예방하는 것은 중요하다. 본 논문에서는 안드로이드 앱을 개발할 때, 소프트웨어 취약점을 야기하며, 개발자가 간과하기 쉬운 소프트웨어 허점을 사전에 제거하고자 안드로이드에 특화된 시큐어 코딩 가이드를 제시한다.

• KIPS Transactions on Computer and Communication Systems
• /
• v.5 no.4
• /
• pp.79-86
• /
• 2016

About 75% of software security incidents are caused by software vulnerability. In addition, the after-market repairing cost of the software is higher by more than 30 times than that in the design stage. In this background, the secure coding has been proposed as one of the ways to solve this kind of maintenance problems. Various institutions have addressed the weakness patterns of the standard software. A new Korean programming language Saesark has been proposed to resolve the security weakness on the language level. However, the previous study on Saesark can not resolve the security weakness caused by the API. This paper proposes a way to resolve the security weakness due to the API. It adopts a static analyzer inspecting dangerous methods. It classifies the dangerous methods of the API into two groups: the methods of using tainted data and those accepting in-flowing tainted data. It analyses the security weakness in four steps: searching for the dangerous methods, configuring a call graph, navigating a path between the method for in-flowing tainted data and that uses tainted data on the call graph, and reporting the security weakness detected. To measure the effectiveness of this method, two experiments have been performed on the new version of Saesark adopting the static analysis. The first experiment is the comparison of it with the previous version of Saesark according to the Java Secure Coding Guide. The second experiment is the comparison of the improved Saesark with FindBugs, a Java program vulnerability analysis tool. According to the result, the improved Saesark is 15% more safe than the previous version of Saesark and the F-measure of it 68%, which shows the improvement of 9% point compared to 59%, that of FindBugs.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.21 no.5
• /
• pp.945-950
• /
• 2017

Due to the vulnerability of the software, there is a hacking attack on the country's cyber infrastructure and real financial assets. Software is an integral part of the operating system and execution system that controls and operates Internet information provision, cyber financial settlement and cyber infrastructures. Analyzing these software vulnerabilities and enhancing security will enhance the security of cyber infrastructures and enhance the security of actual life in the actual country and people. Software development security system analysis and software development Security diagnosis analysis and research for enhancing security of software vulnerability. In addition, we will develop a textbook for the training of software vulnerability diagnosis and maintenance education, develop pilot test problems, pilot test of diagnostic staff, The purpose of this study is to enhance the software security of the cyber infrastructures of national and national life by presenting curriculum and diagnosis guide to train the software vulnerability examiner.