How the CC Harmonizes with Secure Software Development Lifecycle @ ICCC 2013 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
DDoS Attack on DNS using infected IoT Devices - Seungjoo Kim
[Case Study] DDoS Attack on DNS using infected IoT Devices @ ACSAC 2015 (The 31st Annual Computer Security Applications Conference 2015), which is one of the most important cyber security conferences in the world and the oldest information security conference held annually
Deep Learning Based Real-Time DNS DDoS Detection System - Seungjoo Kim
[Poster] Deep Learning Based Real-Time DNS DDoS Detection System @ ACSAC 2016 (The 32nd Annual Computer Security Applications Conference 2016), which is one of the most important cyber security conferences in the world and the oldest information security conference held annually
With the focus on security, most organisations test their security defenses via pen-testing. But what about after the network has been compromised? Is there an Advanced Persistent Threat (APT) sitting on the network? Will the defenses be able to detect it?
This talk will discuss some of the open source tools that can help simulate this threat, so as to test the security defenses in the case where an APT makes it onto the network.
Protecting Financial Networks from Cyber Crime - Lancope, Inc.
Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope’s Director of Security Research, Tom Cross, to learn:
* How NetFlow can help quickly uncover both internal and external threats
* How pervasive network insight can accelerate incident response and forensic investigations
* How to substantially decrease enterprise risks
Security, Availability and Integrity are top concerns around DNS. Infoblox Secure DNS:
* provides a secure platform to host DNS services
* provides resilient DNS services even under attack (like DNS DDoS, exploits)
* prevents data theft by malware/APT that uses DNS
* maintains DNS integrity that can otherwise be compromised by DNS hijacking
Presentation given at the Brucon security conference in Ghent, Belgium. Two new attacks are described. The first is a Denial of Service attack capable of halting all traffic for one minute by injecting only two frames. The second attack allows the injection of arbitrarily many packets towards a client. It is shown that this can be used to perform a portscan on any TKIP-secured client.
Radware DefenseFlow - The SDN Application That Programs Networks for DoS Security - Radware
http://www.radware.com/Products/DefenseFlow/
Learn about the industry's first SDN application that enables network operators to program the network to provide DDoS protection as a native network service.
Presenter: Mikael Vingaard, EnergiNet.dk
The goal of having a Honeypot (a fake ‘vulnerable’ IT system or service) is to learn more about your attackers and the methods they will use to breach your ICS/SCADA systems – but how can the Energy Sector actually benefit from using a Honeypot?
The Danish information security researcher Mikael Vingaard has used various free open source software packages to deploy ICS/SCADA Honeypot systems, and will share his experiences from the research and present interesting findings from the collected information.
The talk will discuss the pros and cons of honeypots, how to use honeypots as an early-warning system, and some interesting points on using Honeypot systems as seen from the energy sector.
The presentation will show that gaining access to actual ICS threat intelligence can be done – even in budget-constrained organizations.
DNS is one of the fastest growing attack vectors, and current security solutions don’t address DNS threats. Infoblox Advanced DNS Protection is a self-protecting DNS appliance that provides defense against the widest range of attacks – enabling you to automatically defend your business from DNS threats.
Cloudslam09: Building a Cloud Computing Analysis System for Intrusion Detection - Wei-Yu Chen
In order to handle the huge amount of anomaly information generated by an Intrusion Detection System (IDS), this paper presents and evaluates a log analysis system for IDS based on cloud computing techniques, named IDS Cloud Analysis System (ICAS). To achieve this, two basic components have to be designed. The first is the regular parser, which normalizes the raw log files. The other is the Analysis Procedure, which contains a Data Mapper and a Data Reducer. The Data Mapper is designed to anatomize alert messages, and the Data Reducer aggregates and merges them. As a result, this paper shows that the performance of ICAS is suitable for analyzing and reducing large volumes of alerts.
Presenter: Chris Sistrunk
Why haven’t we seen more ICS-focused attacks? Perhaps it’s because we’re not looking for them. The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long-cycle, with some systems and devices that will unfortunately never have patches available.
In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation looks at using NSM as part of an incident response strategy in ICS, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS cyber security program.
Talk given at the event "Cybersecurity: a nova era em resposta a incidentes e auditoria de dados" (Cybersecurity: the new era in incident response and data auditing)
Jim Butterworth - Senior Cybersecurity Director, Guidance Software Inc.
Brasília, August 4, 2010
Is DNS a Part of Your Cyber Security Strategy?
Detecting malware, helping to prevent and disrupt command and control communication, ransomware and phishing attacks, being part of a data loss prevention program – DNS can help with this and much more, but are you leveraging it as part of your security controls and processes? DNS is the perfect choke point not just to stop data exfiltration through it, but also to detect and stop malware from spreading and executing.
In this session, you'll learn:
* The value of DNS as part of your cyber strategy
* How DNS can provide your SIEM with actionable intelligence
* How DNS can add value to other security controls, such as vulnerability scanners and end point protection
Join Infoblox for a discussion on this often overlooked topic.
Developing a Protection Profile for Smart TV - Seungjoo Kim
Developing a PP (Protection Profile) for Smart TV @ ICCC 2014 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation (September 9, 2014)
PP (Protection Profile) for E-Certificate Issuance System @ ICCC 2010 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva... - Seungjoo Kim
"Using the CGC's Fully Automated Vulnerability Detection Tools in Security Evaluation and Its Effectiveness - Are Tools Good for Hackers Good for Security Evaluators? -" @ CODE BLUE 2016, Tokyo, Japan (October 20, 2016)
Problem and Improvement of the Composition Documents for Smart Card Composed ... - Seungjoo Kim
Problem and Improvement of the Composition Documents for Smart Card Composed Product Evaluation @ ICCC 2013 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
Top Application Security Trends of 2012 - DaveEdwards12
Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers? Application Security has become one of the topmost priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to secure your applications.
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste... - CSCJournals
Software Reliability is the probability of failure-free software operation for a specified period of time in a specified environment. Cyber threats on software security have been prevailing and have increased exponentially, posing a major challenge on software reliability in the cyber physical systems (CPS) environment. Applying patches after the software has been developed is outdated and a major security flaw. However, this has posed a major software reliability challenge as threat actors are exploiting unpatched and insecure software configuration vulnerabilities that are not identified at the design phase. This paper aims to investigate the SDLC approach to software reliability and quality assurance challenges in CPS security. To demonstrate the applicability of our work, we review existing security requirements engineering concepts and methodologies such as TROPOS, I*, KAOS, Tropos and Secure Tropos to determine their relevance in software security. We consider how the methodologies and function points are used to implement constraints to improve software reliability. Finally, the function points concepts are implemented into the CPS security components. The results show that software security threats in CPS can be addressed by integrating the SRE approach and function point analysis in the development to improve software reliability.
The presentation focuses on the responsibilities, practices, processes, tools, and techniques that systematically increase security in the software development lifecycle (SSDLC). Software should be provisioned in a uniform, declarative way regardless of whether software artifacts are produced in-house or purchased. This is the foundation for effective quality and security standardization, which are key facilitators of reliability engineering.
DevSecOps: Integrating Security Into DevOps! {Business Security} - Ajeet Singh
The key benefit of DevOps is speed and continuous delivery, but with secure DevOps, teams often suffer from the notion that there is a tradeoff between security and speed. However, that is not always the case.
Prudent use of security automation allows teams to maintain both security and speed. Automated security testing makes security consistent and less vulnerable to human error. Shifting security practices left, towards the design phase, is a major advantage: catching a security loophole at the design or development phase of a new feature is a big achievement. This is what DevSecOps tooling strategies aim at.
Check out this presentation and learn more about integrating security into DevOps with DevSecOps!
The Challenge of Integrating Security Solutions with CI.pdf - Savinder Puri
Informational article discussing the issues with code signing solutions as they relate to CI/CD workflows (including DIY and HSM solutions).
Targeted persona: mostly technical decision makers and operational champions (DevOps/DevSecOps).
Using Analyzers to Resolve Security Problems - kiansahafi
In this presentation I took a project and used an analyzer (e.g. SonarQube) to detect the security issues in it and reported the result; after resolving most of those problems I used the same analyzer to get another report, and in the process showed how to use such analyzers to detect security issues in web applications.
The license associated with the Belarc Advisor product allows - MikeEly930
The license associated with the Belarc Advisor product allows for free personal use only. Use on computers in a corporate, educational, military or government installation is prohibited. See the license agreement for details. The information on this page was created locally on your computer by the Belarc Advisor. Your computer profile was not sent to a web server.
Why are security benchmarks important for IT security? Many current threats are not stopped by perimeter security systems such as firewall and anti-virus systems. Setting and monitoring configurations based on consensus benchmarks is a critical step because this is a proactive way to avoid many successful attacks. The U.S. National Security Agency has found that configuring computers with proper security settings blocks 90% of the existing threats ("Security Benchmarks: A Gold Standard." IA Newsletter, vol. 5 no. 3). Belarc's white paper "Securing the Enterprise" is available on request.
What is the USGCB Benchmark? The United States Government Configuration Baseline (USGCB) is a US Government OMB-mandated security configuration for Windows 7 and Internet Explorer 8. Developed by DoD, with NIST assistance, the benchmark is the product of DoD consensus.
What are FDCC Benchmarks? The Federal Desktop Core Configuration (FDCC) is a US Government OMB-mandated security configuration for Windows Vista and XP. The Windows Vista FDCC is based on DoD customization of the Microsoft Security Guides for both Windows Vista and Internet Explorer 7.0. Microsoft's Vista Security Guide was produced through a collaborative effort with DISA, NSA, and NIST, reflecting the consensus recommended settings from DISA, NSA, and NIST. The Windows XP FDCC is based on US Air Force customization of the Specialized Security-Limited Functionality (SSLF) recommendations in NIST SP 800-68 and DoD customization of the recommendations in Microsoft's Security Guide for Internet Explorer 7.0.
What is the Security Benchmark Score? The Belarc Advisor has audited the security of your computer using a benchmark appropriate to your operating system. The result is a number between zero and ten that gives a measure of the vulnerability of your system to potential threats. The higher the number the less vulnerable your system.
How can you reduce your security vulnerability? The local group policy editor (accessed by running the gpedit.msc command) can be used to configure security settings for your computer. Windows home editions don't include that editor, but most security settings can also be made with registry entries instead. Warning: Applying these security settings may cause some applications to stop working correctly. Back up your system prior to applying these security te ...
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF) - Mark Simos
Slides from training session "Chef's tour of the Security Adoption Framework" by Mark Simos at Tampa BSides training day on 5 April 2024
This session provides a view of end-to-end security following Zero Trust principles (and how Microsoft guides customers through this modernization journey).
Introducing a Security Feedback Loop to your CI Pipelines - Codefresh
Watch the webinar here: https://codefresh.io/security-feedback-loop-lp/
We're all looking at ways to prevent vulnerabilities from escaping into our production environments. Why not require scans of your Docker images before they're even uploaded to your production Docker registry? SHIFT LEFT!
Codefresh has worked with Twistlock to run Twist CLI using a Docker image as a build step in CI pipelines.
Join Codefresh, Twistlock, and Steelcase as we demonstrate setting up vulnerability and compliance thresholds in a CI pipeline. We will show you how to give your teams access to your Docker images' security reports and how to trace back to the report from your production Kubernetes cluster using Codefresh.
Building security into software is harder than it should be. This article explores a way to align application security practices with other software development best practices in order to make building security in easier to manage and more cost effective. In particular, this article looks at combining continuous integration (CI) with security testing and secure static code analysis.
Module: EThICS 039.BG01E.09_SPA_Systemic View
Topic: SYSTEMS AND PRODUCTS ASSURANCE
Subject: SPA - Systems and Products Assurance: Systemic View
Scope:
PURPOSE OF THE MODULE
INTRODUCTION
Acronyms
Motivations for SPA, from Customers and Users
Motivations for SPA, from Developers and Manufacturers
Why Design for Reliability (DFR)?
The Paradigms for Design for Reliability (DFR)
The Risk of Thinking Only on Averages
Fig. 1: The (In)Visibility of the Total Costs
Fig. 2: Model of the Composition of the LCC
Technologies of SPA
Fig. 3: Requirements for Projects of Systems
Scope of Technologies and Specialties of RDI
Scope of Technologies and Specialties of SPA
Main Objectives of SPA
Some Benefits of the SPA Technologies
Major Difficulties of SPA
INTEGRATED VISION OF SPA
Motivations for the Integration of RDI and SPA
Fig. 4: Simultaneous and Proactive Engineering of RDI and SPA
Fig. 5: Elementary Cycle of Project Validation and Assurance
Fig. 6: Integrated Organization of RDI and SPA Specialties
Fig. 7: Initial Steps of RDI of Systems and Products
Fig. 8: Integrated Steps and Tasks of SCR
Fig. 9: Technologies of Research, Development and Innovation
Fig. 10: Responsibilities of Management of SPA - Integration
Responsibilities of Management of SPA - Budget
Responsibilities of Management of SPA - Risks
Management of Information and Knowledge of SPA
Fig. 11: Management of Information and Knowledge of RDI
Fig. 12: Programs and Plans of SPA for Projects
APPENDICES
References
EThICS Engineering - Services and Areas of Action
Understanding DevOps Security - Full Guide - Lency Korien
DevSecOps is a process of integrating security practices into the stages of the Software Development Life Cycle (SDLC). The DevSecOps (https://opstree.com/) process ensures that secure software is delivered to the production environment, without delaying security until the last stages of the SDLC. This is where DevSecOps fits into the SDLC phases.
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS - ijseajournal
In the past 10 years, the research community has produced a significant number of design notations to represent security properties and concepts in a design artifact. The need to improve the security of software has become a key issue for developers. The security function needs to be incorporated into the software development process at the requirement, analysis, design, and implementation stages, as doing so may help to smooth integration and to protect systems from attack. Security affects all aspects of a software program, which makes the incorporation of security features a crosscutting concern. Therefore, this paper looks at the feasibility and potential advantages of employing an aspect orientation approach in the software development lifecycle to ensure efficient integration of security. These notations are aimed at documenting and analyzing security in a software design model. It also proposes a model called the Aspect-Oriented Software Security Development Life Cycle (AOSSDLC), which covers a range of security activities and deliverables for each development stage. It is concluded that aspect orientation is one of the best options available for installing security features, not least because of the benefit that no changes need to be made to the existing software structure.
Similar to How the CC Harmonizes with Secure Software Development Lifecycle (20)
[Blockchain and Cryptocurrency] 01. Syllabus - Seungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 02. Blockchain Overview and Introduction - Te... - Seungjoo Kim
[Blockchain and Cryptocurrency] 03. Blockchain's Theoretical Foundation, Cryp... - Seungjoo Kim
[Blockchain and Cryptocurrency] 04. Bitcoin and Nakamoto Blockchain - Seungjoo Kim
[Blockchain and Cryptocurrency] 05. Ethereum and Smart Contract - Seungjoo Kim
[Blockchain and Cryptocurrency] 06. NFT and Metaverse - Seungjoo Kim
[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other Altcoins - Seungjoo Kim
[Blockchain and Cryptocurrency] 08. Dark Coins - Seungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...Seungjoo Kim
'Blockchain and Cryptocurrency' Subject @ Korea University, 2021
01. Syllabus
02. Blockchain Overview and Introduction - Technical Concepts of Blockchain Systems -
03. Blockchain's Theoretical Foundation, Cryptography
04. Bitcoin and Nakamoto Blockchain
05. Ethereum and Smart Contract
06. NFT and Metaverse
07. Cardano(ADA) and Other Altcoins
08. Dark Coins
09. Blockchain Usage Beyond Currency - Way to Design Good Blockchain Business Models -
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)Seungjoo Kim
Even in this pandemic situation, thank you for making and running the HITCON 2021 so well. Thank you for giving me the chance to talk!
This presentation is revised by reinforcing Q&A. Look forward to seeing you offline next year!
Kid Blockchain - Everything You Need to Know - (Part 1)Seungjoo Kim
Kid Blockchain - Everything You Need to Know - (Part 1)
01. 화폐의 역사 : 금에서부터 간편결제에 이르기까지 ... 4P
02. 비트코인의 탄생 ... 27P
03. 비트코인과 블록체인의 세부 동작원리 ... 85P
04. 작업증명(PoW)이란? ... 158P
05. 비트코인과 블록체인이 당면한 기술적 문제 ... 171P
Application of the Common Criteria to Building Trustworthy Automotive SDLCSeungjoo Kim
Seungyeon Jeong, Sooyoung Kang, and Seungjoo Kim, "Application of the Common Criteria to Building Trustworthy Automotive SDLC", Proc. of The 19th ICCC 2020, The 19th International Common Criteria Conference, Virtual (online) Conference, November 16-18, 2020.
Assurance-Level Driven Method for Integrating Security into SDLC ProcessSeungjoo Kim
Sooyoung Kang, Seungyeon Jeong, and Seungjoo Kim, "Assurance-Level Driven Method for Integrating Security into SDLC Process”, Proc. of The 18th CCUF Workshop 2020, The 18th Common Criteria Users Forum Workshop, Virtual (online) Conference, November 12, 2020.
How South Korea Is Fighting North Korea's Cyber ThreatsSeungjoo Kim
Seungjoo Kim, "How South Korea Is Fighting North Korea's Cyber Threats", Asia Transnational Threats Forum - Virtual Roundtable on North Korean Cyber Threats, Center for East Asia Policy Studies at BROOKINGS, October 15, 2020.
o 행 사 명 : 포스트코로나 시대의 ICT산업 미래전략포럼
o 일시/장소 : ‘20.5.22.(금) 10:00~16:30 / 에스팩토리(서울 성수동 소재)
o 주최/후원 : KAIT, KCA, IITP / SKT, KT, LGU+, LG전자 등
o 참 석 자 : 과기정통부 2차관, 정보통신산업정책관 및 ICT산업분야별 전문가 등
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...Seungjoo Kim
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria @ ICCC 2019 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
Verification of IVI Over-The-Air using UML/OCLSeungjoo Kim
Verification of IVI Over-The-Air using UML/OCL @ ICCC 2019 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
Student information management system project report ii.pdfKamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...Amil Baba Dawood bangali
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
Water scarcity is the lack of fresh water resources to meet the standard water demand. There are two type of water scarcity. One is physical. The other is economic water scarcity.
Welcome to WIPAC Monthly the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news to celebrate the 13 years since the group was created we have articles including
A case study of the used of Advanced Process Control at the Wastewater Treatment works at Lleida in Spain
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
About
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
Technical Specifications
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
Key Features
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface
• Compatible with MAFI CCR system
• Copatiable with IDM8000 CCR
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
Application
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
Explore the innovative world of trenchless pipe repair with our comprehensive guide, "The Benefits and Techniques of Trenchless Pipe Repair." This document delves into the modern methods of repairing underground pipes without the need for extensive excavation, highlighting the numerous advantages and the latest techniques used in the industry.
Learn about the cost savings, reduced environmental impact, and minimal disruption associated with trenchless technology. Discover detailed explanations of popular techniques such as pipe bursting, cured-in-place pipe (CIPP) lining, and directional drilling. Understand how these methods can be applied to various types of infrastructure, from residential plumbing to large-scale municipal systems.
Ideal for homeowners, contractors, engineers, and anyone interested in modern plumbing solutions, this guide provides valuable insights into why trenchless pipe repair is becoming the preferred choice for pipe rehabilitation. Stay informed about the latest advancements and best practices in the field.
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxR&R Consult
CFD analysis is incredibly effective at solving mysteries and improving the performance of complex systems!
Here's a great example: At a large natural gas-fired power plant, where they use waste heat to generate steam and energy, they were puzzled that their boiler wasn't producing as much steam as expected.
R&R and Tetra Engineering Group Inc. were asked to solve the issue with reduced steam production.
An inspection had shown that a significant amount of hot flue gas was bypassing the boiler tubes, where the heat was supposed to be transferred.
R&R Consult conducted a CFD analysis, which revealed that 6.3% of the flue gas was bypassing the boiler tubes without transferring heat. The analysis also showed that the flue gas was instead being directed along the sides of the boiler and between the modules that were supposed to capture the heat. This was the cause of the reduced performance.
Based on our results, Tetra Engineering installed covering plates to reduce the bypass flow. This improved the boiler's performance and increased electricity production.
It is always satisfying when we can help solve complex challenges like this. Do your systems also need a check-up or optimization? Give us a call!
Work done in cooperation with James Malloy and David Moelling from Tetra Engineering.
More examples of our work https://www.r-r-consult.dk/en/cases-en/
Planning Of Procurement o different goods and services
How the CC Harmonizes with Secure Software Development Lifecycle
1. How the CC Harmonizes with Secure Software Development Lifecycle
Sep. 11. 2013.
Jinseok Park (1st Author)
CIST (Center for Information Security Technologies), Korea University
ilysoon7@korea.ac.kr
Seungjoo Kim (Corresponding Author)
CIST (Center for Information Security Technologies), Korea University
skim71@korea.ac.kr
2. Overview
Problems: CC focuses on removing vulnerabilities. CC does not cover a certified product's zero-day attack after certifying it.
Motivations: A secure software development lifecycle can minimize the weaknesses behind zero-day attacks; removing weaknesses is more useful in time and cost against zero-day attacks than removing vulnerabilities.
Conclusion: Harmonize the CC with the secure software development lifecycle.
3. Contents
1. Definitions
2. Motivations
3. Problems
4. How to Fix It in a Nutshell
5. Our Methods in Detail
6. Analyses
7. How to Harmonize CC with SSDLC
8. Conclusion
9. References
4. Definitions
(Software Security) Weakness: a type of mistake in software (bugs, errors). It can be aggravated into (software security) vulnerabilities (i.e., zero-day attacks).
(Software Security) Vulnerability: an occurrence of a weakness (or multiple weaknesses) within software.
Zero-day attack: a weakness is exploited by hackers before the vendor becomes aware of it and fixes it.
5. Definitions
• S : The set of all software in existence at some point in time
• W : The set of all instances of software weaknesses in S
• Wd : The set of discovered software weaknesses in W
• Wcwe : The set of discovered weaknesses in Wd identified with a CWE
• V : The set of all vulnerabilities in W
• Vd : The set of all discovered vulnerabilities in V
• Vcve : The set of discovered vulnerabilities in Vd identified with a CVE
<The relationship between weakness and vulnerability [8]>
6. Motivations
Software bugs or errors are so detrimental that they cost the U.S. economy an estimated $59.5 billion annually (0.6% of GDP).
Errors found in the requirements/design stage cost 1X to fix. But if an error is not found until the post-product release stage, it costs 30 times more to fix.
Relative cost to fix an error, by the stage in which it is found [Reference : 1]:
Requirements Gathering and Analysis / Architectural Design : 1X
Coding / Unit Test : 5X
Integration and Component / RAISE System Test : 10X
Early Customer Feedback / Beta Test Programs : 15X
Post-product Release : 30X
7. Motivations
The top 10 software vendors have a patch remedy rate of just over 94% of all vulnerabilities disclosed.
But 47% of all vulnerabilities disclosed in 2012 remain without a remedy.
A zero-day attack can still be thwarted by properly patched software. But patches are not cost and time effective!
Economically, many researchers have tried to remove vulnerabilities in software.
Removing weaknesses instead is very useful for time and cost.
[Reference : 2-7]
8. Motivations
If we can remove weaknesses, vulnerabilities and zero-day attacks can also be removed.
Thus, we are interested in removing design-stage and implementation-stage weaknesses.
It is very useful for time and cost to remove weaknesses.
9. Problems
The CC philosophy is that the threats to security and organisational security policy commitments should be clearly articulated and the proposed security measures be demonstrably sufficient for their intended purpose. [9]
CC focuses on removing vulnerabilities.
CC does not cover a certified product's zero-day attack after certifying it.
10. How to Fix It in a Nutshell
Software Assurance: the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the life cycle.
Secure Software Development Lifecycle = Software Development Lifecycle + Software Assurance
SSDLCs focus on removing weaknesses.
[Reference : 10]
11. How to Fix It in a Nutshell
CC and source code analysis tools are not rivals [11]
They find different types of vulnerabilities.
If used together, they can discover more common vulnerability types.
[Figure: vulnerability types laid out along Design vs. Implementation and Security Mechanisms vs. Other Areas, with the CC and source code analysis tools each covering a region. Types shown: Weak Audit, I&A Vulnerabilities, Inconsistent Access Control, TOCTTOU, XSS, SQL Injection, Buffer Overflow]
12. How to Fix It in a Nutshell
[Figure: Common Criteria Version 3.1 Revision 4; SSDLC (MS-SDL Version 5.2); Common Weakness Enumeration Version 2.4; Static Code Analysis Tools]
Based on CWE v2.4, CC v3.1, MS-SDL (one of the famous SSDLCs), and static code analysis tools.
Dynamic analysis tools can remove only limited weaknesses. [12]
13. Our Methods in Detail
MS-SDL (Microsoft Security Development Lifecycle)
Software security assurance process
A mandatory policy since 2004
[Reference : 13-14]
14. Our Methods in Detail
MS-SDL helps you build software that's more secure by reducing the number and severity of vulnerabilities in your code
[Reference : 13]
15. Our Methods in Detail
Consistent application of sound security practices
during all phases of a development project will
result in fewer vulnerabilities
[Reference : 14]
16. Our Methods in Detail
Static code analysis tools
Analyze source code and/or a compiled version of code in order to help find security flaws (weaknesses)
Certificate of CWE compatibility (5 products) [15]
CodeSonar, Coverity Quality Advisor/Security Advisor, HP Fortify Static Code Analyzer, Klocwork Insight
17. Our Methods in Detail
Four different areas:
1. Design (CWE-701)
2. Implementation (CWE-702)
3. Security mechanisms (CWE-254)
4. Other parts (non-security mechanisms)
18. Our Methods in Detail
View : 29 entries
Category : 176 entries
Weakness – Class : 88 entries
Weakness – Base : 330 entries
Weakness – Variant : 276 entries
Compound Element – Composite : 6 entries
Compound Element – Named Chain : 3 entries
Deprecated : 12 entries
Selected 703 entries
Total weaknesses: 920 entries, 8 types
19. Our Methods in Detail
Columns: Rank | CWE Type | CWE-ID : Name | Design | Implementation | Security Mechanisms | Static Code Analysis Tools | CVE Entry | MS-SDL (Design / Implementation / Verification) | CC (SFR / SAR)
In each row, ○ marks the columns that apply and the single number is the CVE Entry column.
1 Base CWE-89 : SQL Injection ○ ○ ○ 7 ○ ○ ○ ○
2 Base CWE-78 : OS Command Injection ○ ○ ○ 10 ○ ○ ○ ○
3 Base CWE-120 : Classic Buffer Overflow ○ ○ 5 ○ ○ ○ ○
4 Base CWE-79 : Cross-site Scripting ○ ○ ○ 11 ○ ○ ○ ○
5 Variant CWE-306 : Missing Authentication for Critical Function ○ ○ 3 ○ ○ ○ ○ ○
6 Class CWE-862 : Missing Authorization ○ ○ 19 ○ ○ ○ ○ ○
7 Base CWE-798 : Use of Hard-coded Credentials ○ ○ 10 ○ ○ ○
8 Base CWE-311 : Missing Encryption of Sensitive Data ○ ○ ○ 20 ○ ○ ○ ○
9 Base CWE-434 : Unrestricted Upload of File with Dangerous Type ○ ○ 10 ○ ○ ○
10 Base CWE-807 : Reliance on Untrusted Inputs in a Security Decision ○ ○ ○ 5 ○ ○ ○ ○
For example, CWE/SANS TOP 25
[Reference : 16]
20. Our Methods in Detail
11 Class CWE-250 : Execution with Unnecessary Privileges ○ ○ ○ 7 ○ ○ ○ ○ ○
12 Composite CWE-352 : Cross-Site Request Forgery(CSRF) ○ 10 ○ ○ ○ ○
13 Class CWE-22 : Path Traversal ○ ○ ○ 11 ○ ○ ○ ○
14 Base CWE-494 : Download of Code Without Integrity Check ○ ○ 4 ○ ○ ○ ○
15 Class CWE-863 : Incorrect Authorization ○ ○ 9 ○ ○ ○ ○ ○
16 Class CWE-829 : Inclusion of Functionality from Untrusted Control Sphere 20 ○ ○ ○ ○ ○
17 Class CWE-732 : Incorrect Permission Assignment for Critical Resource ○ ○ ○ 17 ○ ○ ○ ○ ○
18 Base CWE-676 : Use of Potentially Dangerous Function ○ ○ ○ 6 ○ ○
19 Base CWE-327 : Use of a Broken or Risky Cryptographic Algorithm ○ ○ 8 ○ ○ ○
20 Base CWE-131 : Incorrect Calculation of Buffer Size ○ ○ 14 ○ ○ ○ ○
21 Base CWE-307 : Improper Restriction of Excessive Authentication Attempts ○ ○ 6 ○ ○ ○ ○ ○
22 Variant CWE-601 : Open Redirect ○ ○ 3 ○ ○ ○ ○ ○
23 Base CWE-134 : Uncontrolled Format String ○ ○ 6 ○ ○ ○ ○
24 Base CWE-190 : Integer Overflow or Wraparound ○ ○ 6 ○ ○ ○ ○
25 Base CWE-759 : Use of a One-Way Hash without a Salt 2 ○ ○ ○
For example, CWE/SANS TOP 25
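As an added example (not part of the slides), a minimal Python checker of the kind the "static code analysis tools" slide describes: it flags three of the CWE/SANS Top 25 entries from the table above (CWE-120, CWE-134, CWE-676) in C source and reports each as an implementation-stage weakness, whether or not it is exploitable. The rule table, the format-string heuristic and the sample source are our own constructed assumptions, not the authors' method.

```python
# Minimal CWE-tagged static checker for C source (added example, not from the slides).
import re
from dataclasses import dataclass

# Constructed rule table: C function -> (CWE ID, CWE name, safer alternative).
DANGEROUS_CALLS = {
    "gets":    ("CWE-120", "Classic Buffer Overflow", "fgets with an explicit bound"),
    "strcpy":  ("CWE-120", "Classic Buffer Overflow", "strncpy/snprintf with a bound"),
    "strcat":  ("CWE-676", "Use of Potentially Dangerous Function", "strncat with a bound"),
    "sprintf": ("CWE-676", "Use of Potentially Dangerous Function", "snprintf"),
}
# printf-family functions and the index of their format-string argument.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2}
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

@dataclass(frozen=True)
class Finding:
    line: int        # 1-based source line
    function: str    # the call that triggered the rule
    cwe_id: str      # e.g. "CWE-120"; all three rules are implementation-stage weaknesses
    cwe_name: str
    advice: str

def _sanitize(src: str) -> str:
    """Blank out comments and string contents so they are never scanned as code."""
    # Keep newlines inside block comments so line numbers stay stable.
    src = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    # Collapse string literals to "" so a literal format string stays detectable.
    return re.sub(r'"(?:\\.|[^"\\\n])*"', '""', src)

def _args(tail: str) -> list:
    """Split the text after '(' into top-level arguments, stopping at the matching ')'."""
    args, cur, depth = [], [], 0
    for ch in tail:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                break
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    args.append("".join(cur).strip())
    return args

def scan(src: str) -> list:
    """Return every weakness found in the C source, in line order."""
    findings = []
    for lineno, text in enumerate(_sanitize(src).splitlines(), start=1):
        for m in _CALL_RE.finditer(text):
            name = m.group(1)
            if name in DANGEROUS_CALLS:
                cwe_id, cwe_name, advice = DANGEROUS_CALLS[name]
                findings.append(Finding(lineno, name, cwe_id, cwe_name, advice))
            if name in FORMAT_FUNCS:
                args = _args(text[m.end():])
                idx = FORMAT_FUNCS[name]
                # A format argument that is not a string literal may be caller-controlled.
                if len(args) > idx and not args[idx].startswith('"'):
                    findings.append(Finding(lineno, name, "CWE-134", "Uncontrolled Format String",
                                            "use a literal format string and pass data as arguments"))
    return findings

# Constructed sample: one function with two unbounded calls and one tainted format string.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
/* strcpy() inside a comment must not be reported */
int handle(const char *name, const char *msg) {
    char buf[64];
    strcpy(buf, name);                /* CWE-120: no bound on the copy */
    printf(msg);                      /* CWE-134: caller controls the format */
    printf("%s\n", buf);              /* fine: literal format string */
    return sprintf(buf, "%s", msg);   /* CWE-676: unbounded sprintf */
}
'''
```

Running `scan(SAMPLE_C)` yields three findings (lines 6, 7 and 9); the strcpy mentioned in the comment and the literal-format printf are correctly ignored.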
27. How to Harmonize CC with SSDLC
Proposed Security Assurance Requirements (SAR): now CC + SSDLC's practice
SSDLC Process | Practice | CC Security Assurance Requirements
1. Training | Core Security Training | ALC_DVS
2. Requirements | Establish Security and Privacy Requirements, Create Quality Gates/Bug Bars, Perform Security and Privacy Risk Assessments | ASE, ALC_TAT, AVA
3. Design | Establish Design Requirements, Attack Surface Analysis/Reduction, Use Threat Modeling | ADV, AVA
4. Implementation | Use Approved Tools, Deprecate Unsafe Functions, Perform Static Analysis | ATE, ADV_IMP
5. Verification | Perform Dynamic Analysis, Fuzz Testing, Attack Surface Review | ATE
6. Release/Response | Create an Incident Response Plan, Conduct Final Security Review, Certify Release and Archive, Execute Incident Response Plan | AGD, ALC_CMC, AVA
28. Conclusion
The CC and the SSDLC are similar methodologies for removing vulnerabilities.
But they find different types of vulnerabilities.
Static code analysis tools can help remove weaknesses in CC.
The CC and the SSDLC are not competitors. Rather, they are complements.
29. References
1. Gregory Tassey, Ph.D., "The Economic Impact of Inadequate Infrastructure for Software Testing", Planning Report 02-3, NIST, May 2002.
2. Paul Wood, "Closing The Window Of Vulnerability: Exploits And Zero-Day Attacks", Internet Security Threat Report, vol. 17, Symantec, Apr. 2012.
3. Brian McGee, "Vulnerabilities in enterprise software", IBM X-Force 2012 Mid-year Trend and Risk Report, Sep. 2012.
4. Gerhard Eschelbeck, "Systems and software threats", Security Threat Report, Sophos, Jan. 2012.
5. Theresa Lanowitz, "Now Is the Time for Security at the Application Level", Gartner, Dec. 2005.
6. Joe Jarzombek, "Software Assurance: Enabling Security and Resilience throughout the Software Lifecycle", MITRE, Nov. 2012.
7. U.S. Department of Homeland Security web page: https://buildsecurityin.us-cert.gov/swa/forums-and-working-groups/processes-and-practices/swa-capability-benchmarking
8. Richard Struse, "Software Assurance - Making the Software Ecosystem Rugged", ICSJWG, Oct. 2011.
9. Common Criteria Recognition Arrangement, "Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 4", Sep. 2012.
10. U.S. Department of Homeland Security web page: https://buildsecurityin.us-cert.gov/swa/process-view/overview
11. Adam O'Brien, "Common Criteria and Source Code Analysis Tools: Competitors or Complement", 9th International Common Criteria Conference, Sep. 2010.
12. B. Chess and G. McGraw, "Static analysis for security," IEEE Security & Privacy, vol. 2, no. 6, pp. 76-79, Nov. 2004.
13. Jeff Jones, "Microsoft products: Vulnerabilities reduction after SDL implementation", Microsoft Security Blog and Microsoft TechNet Security Blog, Jan. 2008.
14. "Basics of Secure Design Development Test : Secure Software Made Easier", Microsoft, 2008.
15. Common Weakness Enumeration (CWE) web page: Assessment and Remediation Tool, http://cwe.mitre.org/compatible/category.html, Jun. 2013.
16. MITRE, "2011 CWE/SANS Top 25 Most Dangerous Software Errors", Sep. 2011.
31. Jinseok Park
E-mail : ilysoon7@korea.ac.kr
Facebook : @ilysoon7
Jinseok Park received his B.S. (2010) in computer science from Soongsil University in Korea. He also served on the Electronic Signature and Authentication Team of the Korea Information Security Agency (KISA) for 1 year. Now he is enrolled in the M.S. program at Korea University. His research interests include security evaluation, information security and online social network service security. He holds many certificates (CISSP, CISA, Security Product Evaluator, CPPG, Information Processing Engineer).
32. Seungjoo Kim (Corresponding Author)
E-mail : skim71@korea.ac.kr
Homepage : www.kimlab.net
Facebook, Twitter : @skim71
Prof. Seungjoo Kim received his B.S. (1994), M.S. (1996), and Ph.D. (1999) in information engineering from Sungkyunkwan University (SKKU) in Korea. Prior to joining the faculty at Korea University (KU) in 2011, he served as Assistant & Associate Professor of the School of Information and Communication Engineering at SKKU for 7 years. Before that, he served as Director of the Cryptographic Technology Team and the (CC-based) IT Security Evaluation Team of the Korea Information Security Agency (KISA) for 5 years. Now he is Full Professor of the Graduate School of Information Security at KU, and a member of KU's Center for Information Security Technologies (CIST). He has also served as an executive committee member of Korean E-Government, and as an advisory committee member of several public and private organizations such as the National Intelligence Service of Korea, the Digital Investigation Advisory Committee of the Supreme Prosecutors' Office, the Ministry of Justice, The Bank of Korea, ETRI (Electronics and Telecommunications Research Institute), and KISA. His research interests include cryptography, information security and information assurance.
33. The corresponding author (Seungjoo Kim) acknowledges the support of the IT R&D program (10043959, Development of EAL 4 level military fusion security solution for protecting against unauthorized accesses and ensuring a trusted execution environment in mobile devices) of KEIT/MOTIE and MSIP (Ministry of Science, ICT & Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2013-H0301-13-1003) supervised by the NIPA (National IT Industry Promotion Agency).