How the CC Harmonizes with Secure Software Development Lifecycle
Sep. 11, 2013
Jinseok Park (1st Author), CIST (Center for Information Security Technologies), Korea University, ilysoon7@korea.ac.kr
Seungjoo Kim (Corresponding Author), CIST (Center for Information Security Technologies), Korea University, skim71@korea.ac.kr
Overview
Problems: CC focuses on removing vulnerabilities. CC does not cover a certified product's zero-day attacks after certifying it.
Motivations: A secure software development lifecycle can minimize the weaknesses that lead to zero-day attacks. Removing weaknesses is more efficient in time and cost against zero-day attacks than removing vulnerabilities.
Conclusion: Harmonize the CC with the secure software development lifecycle.
Contents
1. Definitions
2. Motivations
3. Problems
4. How to Fix It in a Nutshell
5. Our Methods in Detail
6. Analyses
7. How to Harmonize CC with SSDLC
8. Conclusion
9. References
Definitions
• (Software Security) Weakness
  • A type of mistake in software
    • Bugs, errors
  • Can be aggravated into (software security) vulnerabilities (i.e., zero-day attacks)
• (Software Security) Vulnerability
  • An occurrence of a weakness (or multiple weaknesses) within software
• Zero-day attack
  • A weakness is exploited by hackers before the vendor becomes aware of it and fixes it
Definitions
• S : The set of all software in existence at some point in time
• W : The set of all instances of software weaknesses in S
• Wd : The set of discovered software weaknesses in W
• Wcwe : The set of weaknesses identified with a CWE
• V : The set of all vulnerabilities in W
• Vd : The set of all discovered vulnerabilities in V
• Vcve : The set of vulnerabilities identified with a CVE
<The relationship between weakness and vulnerability [8]>
Motivations
• Software bugs or errors are so detrimental that they cost the U.S. economy an estimated $59.5 billion annually (0.6% of GDP).
• Errors in the requirements/design stage cost 1X to fix. But if an error is not found until the post-product release stage, it costs 30 times more to fix.
Relative cost to fix an error by the stage at which it is found:
• Requirements Gathering and Analysis/Architectural Design: 1X
• Coding/Unit Test: 5X
• Integration and Component/RAISE System Test: 10X
• Early Customer Feedback/Beta Test Programs: 15X
• Post-product Release: 30X
[Reference : 1]
Motivations
• The top 10 software vendors have a patch remedy rate of just over 94% of all vulnerabilities disclosed.
• But 47% of all vulnerabilities disclosed in 2012 remain without a remedy.
• A zero-day attack can still be thwarted by properly patched software.
• But patching is not cost and time effective!
• To be economical, many researchers have tried to remove vulnerabilities in software.
• Removing weaknesses is more effective in time and cost.
[Reference : 2-7]
Motivations
• If we can remove weaknesses, vulnerabilities and zero-day attacks can also be removed.
• Thus, we are interested in removing the design stage's and implementation stage's weaknesses.
• Removing weaknesses is very useful for time and cost.
Problems
• The CC philosophy is that the threats to security and organisational security policy commitments should be clearly articulated and the proposed security measures be demonstrably sufficient for their intended purpose. [9]
• CC focuses on removing vulnerabilities.
• CC does not cover a certified product's zero-day attacks after certifying it.
How to Fix It in a Nutshell
• Software Assurance
  • The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the life cycle.
• Secure Software Development Lifecycle
  • Software Development Lifecycle + Software Assurance
  • SSDLCs focus on removing weaknesses.
[Reference : 10]
• CC and source code analysis tools are not rivals [11]
  • They find different types of vulnerabilities
  • Used together, they can discover more common vulnerability types
How to Fix It in a Nutshell
(Figure: weaknesses plotted on Design vs Implementation and Security Mechanisms vs Other Areas axes; CC and static code analysis tools occupy different regions. Weaknesses shown: Weak Audit, I&A Vulnerabilities, Inconsistent Access Control, TOCTTOU, XSS, SQL Injection, Buffer Overflow)
How to Fix It in a Nutshell
(Figure: the four inputs to our method: Common Criteria Version 3.1 Revision 4; SSDLC (MS-SDL Version 5.2); Common Weakness Enumeration Version 2.4; Static Code Analysis Tools)
• Based on CWE v2.4, CC v3.1, MS-SDL (one of the well-known SSDLCs), and static code analysis tools.
• Dynamic analysis tools can remove only limited weaknesses. [12]
Our Methods in Detail
• MS-SDL (Microsoft Security Development Lifecycle)
  • Software security assurance process
  • A mandatory policy since 2004
[Reference : 13-14]
• MS-SDL helps you build software that's more secure by reducing the number and severity of vulnerabilities in your code
[Reference : 13]
• Consistent application of sound security practices during all phases of a development project will result in fewer vulnerabilities
[Reference : 14]
Our Methods in Detail
• Static code analysis tools
  • Analyze source code and/or compiled versions of code in order to help find security flaws (weaknesses)
  • Certified CWE-compatible (5 products) [15]: CodeSonar, Coverity Quality Advisor/Security Advisor, HP Fortify Static Code Analyzer, Klocwork Insight
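The slides say static code analysis tools find implementation-level weaknesses such as SQL injection (CWE-89) but not how such a tool decides that a line is weak. The Python block below is an added example, not code from the presentation or from any of the tools it names: it scans two constructed source snippets (one building the query text from data, one passing the data as a bound parameter) with Python's ast module and reports every DB-API execute() call that is fed a run-time-assembled string. The function names, the SQL_SINKS set and the sample snippets are all assumptions made here.

```python
"""A minimal static check for one implementation-level weakness type,
CWE-89 (SQL injection): report every DB-API execute() call whose query
text is assembled at run time, since only a parameterized query keeps
data out of the SQL grammar. Added example; it is not code from the
presentation or from any tool it names (CodeSonar, Coverity, Fortify,
Klocwork), and the two source snippets it scans are constructed."""
import ast

# Cursor methods that hand a string to the database (assumed sink list).
SQL_SINKS = {"execute", "executemany", "executescript"}

# Constructed input 1: three ways of building the query text from data.
WEAK_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def find_order(cur, order_id):
    cur.execute(f"SELECT * FROM orders WHERE id = {order_id}")
    return cur.fetchone()

def count_logins(cur, user):
    query = "SELECT COUNT(*) FROM logins WHERE user = '%s'" % user
    cur.execute(query)
    return cur.fetchone()
'''

# Constructed input 2: the hardened form, data passed as a bound parameter.
HARDENED_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchone()
'''


def _is_dynamic_string(node):
    """True when the expression builds a string at run time:
    an f-string, "a" + b, "..." % b, or "...".format(...)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def find_sql_injection_sinks(source):
    """One finding per execute()-style call whose first argument is a
    dynamically built string, or a local name assigned such a string."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Pass 1: locals that hold a run-time-built string.
        dynamic_names = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _is_dynamic_string(node.value):
                dynamic_names |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        # Pass 2: sinks fed by such a string or by such a local.
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SQL_SINKS and node.args):
                arg = node.args[0]
                if _is_dynamic_string(arg) or (isinstance(arg, ast.Name) and arg.id in dynamic_names):
                    findings.append({"cwe": "CWE-89", "function": func.name, "line": node.lineno})
    return findings


if __name__ == "__main__":
    for label, src in (("weak", WEAK_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(label, find_sql_injection_sinks(src))
```

Run stand-alone, the block reports three findings for WEAK_SOURCE (lines 3, 7 and 12 of the snippet) and none for HARDENED_SOURCE. The check is deliberately syntactic: it flags any concatenated or formatted query, even one assembled only from literals, and it does not follow values across function boundaries. A commercial tool adds taint tracking from input sources to sinks, which is what makes its findings fewer and more precise. The slides' point that such tools target implementation weaknesses rather than design ones also shows here: a query that is parameterized but authorizes nothing (CWE-862, Missing Authorization) is invisible to this kind of check.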
Our Methods in Detail
• Four different areas:
  1. Design (CWE-701)
  2. Implementation (CWE-702)
  3. Security mechanisms (CWE-254)
  4. Other parts (non-security mechanisms)
Our Methods in Detail
• CWE entries by type:
  • View : 29 entries
  • Category : 176 entries
  • Weakness – Class : 88 entries
  • Weakness – Base : 330 entries
  • Weakness – Variant : 276 entries
  • Compound Element – Composite : 6 entries
  • Compound Element – Named Chain : 3 entries
  • Deprecated : 12 entries
• Selected 703 entries (the Class, Base, Variant, Composite and Named Chain types; View, Category and Deprecated entries are excluded)
• Total weaknesses: 920 entries, 8 types
Our Methods in Detail
Rank | CWE Type | CWE-ID : Name | Design | Implementation | Security Mechanisms | Static Code Analysis Tools | CVE Entry | MS-SDL: Design | MS-SDL: Implementation | MS-SDL: Verification | CC: SFR | CC: SAR
(In each row below, ○ marks the columns that apply and the number is the CVE Entry count.)
1 Base CWE-89 : SQL Injection ○ ○ ○ 7 ○ ○ ○ ○
2 Base CWE-78 : OS Command Injection ○ ○ ○ 10 ○ ○ ○ ○
3 Base CWE-120 : Classic Buffer Overflow ○ ○ 5 ○ ○ ○ ○
4 Base CWE-79 : Cross-site Scripting ○ ○ ○ 11 ○ ○ ○ ○
5 Variant CWE-306 : Missing Authentication for Critical Function ○ ○ 3 ○ ○ ○ ○ ○
6 Class CWE-862 : Missing Authorization ○ ○ 19 ○ ○ ○ ○ ○
7 Base CWE-798 : Use of Hard-coded Credentials ○ ○ 10 ○ ○ ○
8 Base CWE-311 : Missing Encryption of Sensitive Data ○ ○ ○ 20 ○ ○ ○ ○
9 Base CWE-434 : Unrestricted Upload of File with Dangerous Type ○ ○ 10 ○ ○ ○
10 Base CWE-807 : Reliance on Untrusted Inputs in a Security Decision ○ ○ ○ 5 ○ ○ ○ ○
• For example, CWE/SANS TOP 25
[Reference : 16]
Our Methods in Detail
11 Class CWE-250 : Execution with Unnecessary Privileges ○ ○ ○ 7 ○ ○ ○ ○ ○
12 Composite CWE-352 : Cross-Site Request Forgery(CSRF) ○ 10 ○ ○ ○ ○
13 Class CWE-22 : Path Traversal ○ ○ ○ 11 ○ ○ ○ ○
14 Base CWE-494 : Download of Code Without Integrity Check ○ ○ 4 ○ ○ ○ ○
15 Class CWE-863 : Incorrect Authorization ○ ○ 9 ○ ○ ○ ○ ○
16 Class CWE-829 : Inclusion of Functionality from Untrusted Control Sphere 20 ○ ○ ○ ○ ○
17 Class CWE-732 : Incorrect Permission Assignment for Critical Resource ○ ○ ○ 17 ○ ○ ○ ○ ○
18 Base CWE-676 : Use of Potentially Dangerous Function ○ ○ ○ 6 ○ ○
19 Base CWE-327 : Use of a Broken or Risky Cryptographic Algorithm ○ ○ 8 ○ ○ ○
20 Base CWE-131 : Incorrect Calculation of Buffer Size ○ ○ 14 ○ ○ ○ ○
21 Base CWE-307 : Improper Restriction of Excessive Authentication Attempts ○ ○ 6 ○ ○ ○ ○ ○
22 Variant CWE-601 : Open Redirect ○ ○ 3 ○ ○ ○ ○ ○
23 Base CWE-134 : Uncontrolled Format String ○ ○ 6 ○ ○ ○ ○
24 Base CWE-190 : Integer Overflow or Wraparound ○ ○ 6 ○ ○ ○ ○
25 Base CWE-759 : Use of a One-Way Hash without a Salt 2 ○ ○ ○
• For example, CWE/SANS TOP 25
Analyses
• Divided into four areas (Design, Implementation, Security mechanism, Non-Security mechanism)
• Distribution of weaknesses and vulnerabilities in each area
(Figure: four-area diagram labelled Design, Implementation, Non-Security Mechanism, Security Mechanism, with values given as (Total CWE)<Total CVE>: (110)<387>, (75)<241>, (523)<1522>, (260)<891>)
Analyses - CC -
(Figure: CWE<CVE> values for CC over the same four areas: 110<387>, 240<857>, 73<241>, 481<1458>)
Analyses - MS-SDL -
(Figure: CWE<CVE> values for MS-SDL over the same four areas: 103<335>, 208<734>, 70<233>, 456<1355>)
Analyses - CC and MS-SDL -
(Figure: overlap diagram of CC and MS-SDL over the four areas; CWE<CVE> values: 11<20>, 9<14>, 43<143>, 7<52>, 4<8>, 1<0>, 12<19>, 30<45>, 55<148>, 103<335>, 197<714>, 69<233>, 426<1310>, 1<0>)
Analyses - Static Code Analysis Tools -
(Figure: CWE<CVE> values for static code analysis tools over the four areas: 14<26>, 161<461>, 69<287>, 19<40>)
Analyses - CC & Static Code Analysis Tools -
(Figure: overlap diagram of CC (MS-SDL also labelled) and static code analysis tools over the four areas; CWE<CVE> values: 84<295>, 139<447>, 56<207>, 295<894> and 14<26>, 161<461>, 69<287>, 19<40>)
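The Analyses slides report, per area, how many CWE entries (and how many CVE entries mapped to them) each of CC, MS-SDL and the static code analysis tools addresses, and the combined slides show the union. The Python block below is an added example of that tabulation, not the presentation's data or code: its ten CWE entries and CVE counts follow the slide's Top 25 table, but the area membership and the coverage flags (which methodology addresses which entry) are assigned here for illustration only, and the function names are assumptions. It also makes the earlier "not rivals" claim concrete: the union covers more entries than either methodology alone, and the residual list shows which weaknesses a product would still ship with.

```python
"""Tabulating weakness coverage per area in the CWE<CVE> notation the
slides use. Added example, not the presentation's own data or code: the
ten CWE entries and their CVE counts follow the slide's Top 25 table,
but the area membership and the coverage flags (which methodology
addresses the entry) are assigned here for illustration only."""
from dataclasses import dataclass

AREAS = ("Design", "Implementation", "Security Mechanism", "Non-Security Mechanism")
CC, SDL, TOOLS = "CC", "MS-SDL", "Static Tools"


@dataclass(frozen=True)
class CweEntry:
    cwe_id: str
    name: str
    areas: frozenset       # an entry may belong to more than one area
    cve_count: int         # CVE entries mapped to this CWE
    covered_by: frozenset  # methodologies whose practices address it


def _e(cwe_id, name, areas, cve_count, covered_by):
    return CweEntry(cwe_id, name, frozenset(areas), cve_count, frozenset(covered_by))


# Constructed sample: CVE counts from the slide's table, everything else illustrative.
SAMPLE = [
    _e("CWE-89", "SQL Injection", ("Implementation", "Non-Security Mechanism"), 7, (CC, SDL, TOOLS)),
    _e("CWE-78", "OS Command Injection", ("Implementation", "Non-Security Mechanism"), 10, (CC, SDL, TOOLS)),
    _e("CWE-120", "Classic Buffer Overflow", ("Implementation", "Non-Security Mechanism"), 5, (SDL, TOOLS)),
    _e("CWE-79", "Cross-site Scripting", ("Implementation", "Non-Security Mechanism"), 11, (SDL, TOOLS)),
    _e("CWE-306", "Missing Authentication", ("Design", "Security Mechanism"), 3, (CC, SDL)),
    _e("CWE-862", "Missing Authorization", ("Design", "Security Mechanism"), 19, (CC, SDL)),
    _e("CWE-798", "Use of Hard-coded Credentials", ("Design", "Implementation", "Security Mechanism"), 10, (CC, TOOLS)),
    _e("CWE-311", "Missing Encryption", ("Design", "Security Mechanism"), 20, (CC, SDL)),
    _e("CWE-434", "Unrestricted Upload", ("Implementation", "Non-Security Mechanism"), 10, (TOOLS,)),
    _e("CWE-807", "Reliance on Untrusted Inputs", ("Design", "Non-Security Mechanism"), 5, (SDL,)),
]


def coverage(entries, methods):
    """Per area, (CWE count, CVE count) of the entries addressed by at least
    one methodology in `methods`. An entry counts toward every area it is in,
    so the per-area totals can add up to more than the number of entries."""
    totals = {area: [0, 0] for area in AREAS}
    for e in entries:
        if e.covered_by & methods:
            for area in e.areas:
                totals[area][0] += 1
                totals[area][1] += e.cve_count
    return {area: tuple(v) for area, v in totals.items()}


def uncovered(entries, methods):
    """CWE ids that none of `methods` addresses: the residual weaknesses
    a product would still ship with after applying only those methods."""
    return [e.cwe_id for e in entries if not (e.covered_by & methods)]


def harmonization_gain(entries, base, extra):
    """Per area, how much adding `extra` to `base` raises coverage,
    as (additional CWE entries, additional CVE entries)."""
    before, after = coverage(entries, base), coverage(entries, base | extra)
    return {a: (after[a][0] - before[a][0], after[a][1] - before[a][1]) for a in AREAS}


def report(label, cov):
    """Render one line in the slides' CWE<CVE> notation."""
    return f"{label}: " + ", ".join(f"{a} {c}<{v}>" for a, (c, v) in cov.items())


if __name__ == "__main__":
    for label, methods in [("CC", {CC}), ("MS-SDL", {SDL}), ("Tools", {TOOLS}),
                           ("CC+Tools", {CC, TOOLS}), ("CC+MS-SDL+Tools", {CC, SDL, TOOLS})]:
        print(report(label, coverage(SAMPLE, methods)))
        print("  uncovered:", uncovered(SAMPLE, methods) or "none")
    print("gain from adding tools to CC:", harmonization_gain(SAMPLE, {CC}, {TOOLS}))
```

Run stand-alone, the block prints one CWE<CVE> line per methodology and per combination, the residual CWE ids, and the per-area gain from adding the tools to CC. On this sample the gain falls entirely in the Implementation and Non-Security Mechanism areas and is zero at the design level, consistent with the earlier figure that places static code analysis tools on the implementation side and CC on the design and security-mechanism side.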
How to Harmonize CC with SSDLC
SSDLC Process | Practice | CC Security Assurance Requirements
1. Training | Core Security Training | ALC_DVS
2. Requirements | Establish Security and Privacy Requirements, Create Quality Gates/Bug Bars, Perform Security and Privacy Risk Assessments | ASE, ALC_TAT, AVA
3. Design | Establish Design Requirements, Attack Surface Analysis/Reduction, Use Threat Modeling | ADV, AVA
4. Implementation | Use Approved Tools, Deprecate Unsafe Functions, Perform Static Analysis | ATE, ADV_IMP
5. Verification | Perform Dynamic Analysis, Fuzz Testing, Attack Surface Review | ATE
6. Release/Response | Create an Incident Response Plan, Conduct Final Security Review, Certify Release and Archive, Execute Incident Response Plan | AGD, ALC_CMC, AVA
• Proposed Security Assurance Requirements (SAR)
• Now: CC + SSDLC's practices
Conclusion
• The CC and the SSDLC are similar methodologies for removing vulnerabilities.
• But they find different types of vulnerabilities.
• Static code analysis tools can help with removing weaknesses in CC.
• The CC and the SSDLC are not competitors. Rather, they are complements.
References
1. Gregory Tassey, “The Economic Impact of Inadequate Infrastructure for Software Testing”, Planning Report 02-3, NIST, May 2002.
2. Paul Wood, “Closing the Window of Vulnerability: Exploits and Zero-Day Attacks”, Internet Security Threat Report, vol. 17, Symantec, Apr. 2012.
3. Brian McGee, “Vulnerabilities in Enterprise Software”, IBM X-Force 2012 Mid-year Trend and Risk Report, Sep. 2012.
4. Gerhard Eschelbeck, “Systems and Software Threats”, Security Threat Report, Sophos, Jan. 2012.
5. Theresa Lanowitz, “Now Is the Time for Security at the Application Level”, Gartner, Dec. 2005.
6. Joe Jarzombek, “Software Assurance: Enabling Security and Resilience throughout the Software Lifecycle”, MITRE, Nov. 2012.
7. U.S. Department of Homeland Security web page: https://buildsecurityin.us-cert.gov/swa/forums-and-working-groups/processes-and-practices/swa-capability-benchmarking
8. Richard Struse, “Software Assurance: Making the Software Ecosystem Rugged”, ICSJWG, Oct. 2011.
9. Common Criteria Recognition Arrangement, “Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4”, Sep. 2012.
10. U.S. Department of Homeland Security web page: https://buildsecurityin.us-cert.gov/swa/process-view/overview
11. Adam O'Brien, “Common Criteria and Source Code Analysis Tools: Competitors or Complement”, 9th International Common Criteria Conference, Sep. 2010.
12. B. Chess and G. McGraw, “Static Analysis for Security”, IEEE Security & Privacy, vol. 2, no. 6, pp. 76-79, Nov. 2004.
13. Jeff Jones, “Microsoft Products: Vulnerabilities Reduction after SDL Implementation”, Microsoft Security Blog and Microsoft TechNet Security Blog, Jan. 2008.
14. “Basics of Secure Design, Development, Test: Secure Software Made Easier”, Microsoft, 2008.
15. Common Weakness Enumeration (CWE) web page: Assessment and Remediation Tool, http://cwe.mitre.org/compatible/category.html, Jun. 2013.
16. MITRE, “2011 CWE/SANS Top 25 Most Dangerous Software Errors”, Sep. 2011.
Thank you
Jinseok Park
E-mail : ilysoon7@korea.ac.kr
Facebook : @ilysoon7
Jinseok Park received his B.S. (2010) in computer science from Soongsil University in Korea. He also served in the Electronic Signature and Authentication Team of the Korea Information Security Agency (KISA) for 1 year. He is now enrolled in the M.S. program at Korea University. His research interests include security evaluation, information security and online social network service security. He holds several certificates (CISSP, CISA, Security Product Evaluator, CPPG, Information Processing Engineer).
Seungjoo Kim (Corresponding Author)
E-mail : skim71@korea.ac.kr
Homepage : www.kimlab.net
Facebook, Twitter : @skim71
Prof. Seungjoo Kim received his B.S. (1994), M.S. (1996), and Ph.D. (1999) in information engineering from Sungkyunkwan University (SKKU) in Korea. Prior to joining the faculty at Korea University (KU) in 2011, he served as Assistant and Associate Professor in the School of Information and Communication Engineering at SKKU for 7 years. Before that, he served as Director of the Cryptographic Technology Team and the (CC-based) IT Security Evaluation Team of the Korea Information Security Agency (KISA) for 5 years. He is now a Full Professor in the Graduate School of Information Security at KU and a member of KU's Center for Information Security Technologies (CIST). He has also served as an executive committee member of Korean E-Government, and as an advisory committee member of several public and private organizations such as the National Intelligence Service of Korea, the Digital Investigation Advisory Committee of the Supreme Prosecutors' Office, the Ministry of Justice, The Bank of Korea, ETRI (Electronics and Telecommunications Research Institute), and KISA. His research interests include cryptography, information security and information assurance.
The corresponding author (Seungjoo Kim) acknowledges the support of the IT R&D program (10043959, Development of EAL 4 level military fusion security solution for protecting against unauthorized accesses and ensuring a trusted execution environment in mobile devices) of KEIT/MOTIE and of MSIP (Ministry of Science, ICT & Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2013-H0301-13-1003) supervised by the NIPA (National IT Industry Promotion Agency).

[Blockchain and Cryptocurrency] 06. NFT and Metaverse[Blockchain and Cryptocurrency] 06. NFT and Metaverse
[Blockchain and Cryptocurrency] 06. NFT and MetaverseSeungjoo Kim
 
[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other Altcoins
[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other Altcoins[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other Altcoins
[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other AltcoinsSeungjoo Kim
 
[Blockchain and Cryptocurrency] 08. Dark Coins
[Blockchain and Cryptocurrency] 08. Dark Coins[Blockchain and Cryptocurrency] 08. Dark Coins
[Blockchain and Cryptocurrency] 08. Dark CoinsSeungjoo Kim
 
[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...
[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...
[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...Seungjoo Kim
 
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)Seungjoo Kim
 
Kid Blockchain - Everything You Need to Know - (Part 2)
Kid Blockchain - Everything You Need to Know - (Part 2)Kid Blockchain - Everything You Need to Know - (Part 2)
Kid Blockchain - Everything You Need to Know - (Part 2)Seungjoo Kim
 
Kid Blockchain - Everything You Need to Know - (Part 1)
Kid Blockchain - Everything You Need to Know - (Part 1)Kid Blockchain - Everything You Need to Know - (Part 1)
Kid Blockchain - Everything You Need to Know - (Part 1)Seungjoo Kim
 
Application of the Common Criteria to Building Trustworthy Automotive SDLC
Application of the Common Criteria to Building Trustworthy Automotive SDLCApplication of the Common Criteria to Building Trustworthy Automotive SDLC
Application of the Common Criteria to Building Trustworthy Automotive SDLCSeungjoo Kim
 
Assurance-Level Driven Method for Integrating Security into SDLC Process
Assurance-Level Driven Method for Integrating Security into SDLC ProcessAssurance-Level Driven Method for Integrating Security into SDLC Process
Assurance-Level Driven Method for Integrating Security into SDLC ProcessSeungjoo Kim
 
How South Korea Is Fighting North Korea's Cyber Threats
How South Korea Is Fighting North Korea's Cyber ThreatsHow South Korea Is Fighting North Korea's Cyber Threats
How South Korea Is Fighting North Korea's Cyber ThreatsSeungjoo Kim
 
Blockchain for Cyber Defense: Will It Be As Good As You Think?
Blockchain for Cyber Defense: Will It Be As Good As You Think?Blockchain for Cyber Defense: Will It Be As Good As You Think?
Blockchain for Cyber Defense: Will It Be As Good As You Think?Seungjoo Kim
 
Post-Coronavirus 시대 보안 패러다임의 변화
Post-Coronavirus 시대 보안 패러다임의 변화Post-Coronavirus 시대 보안 패러다임의 변화
Post-Coronavirus 시대 보안 패러다임의 변화Seungjoo Kim
 
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...Seungjoo Kim
 
Verification of IVI Over-The-Air using UML/OCL
Verification of IVI Over-The-Air using UML/OCLVerification of IVI Over-The-Air using UML/OCL
Verification of IVI Over-The-Air using UML/OCLSeungjoo Kim
 

More from Seungjoo Kim (20)

블록체인의 본질과 동작 원리
블록체인의 본질과 동작 원리블록체인의 본질과 동작 원리
블록체인의 본질과 동작 원리
 
[Blockchain and Cryptocurrency] 01. Syllabus
[Blockchain and Cryptocurrency] 01. Syllabus[Blockchain and Cryptocurrency] 01. Syllabus
[Blockchain and Cryptocurrency] 01. Syllabus
 
[Blockchain and Cryptocurrency] 02. Blockchain Overview and Introduction - Te...
[Blockchain and Cryptocurrency] 02. Blockchain Overview and Introduction - Te...[Blockchain and Cryptocurrency] 02. Blockchain Overview and Introduction - Te...
[Blockchain and Cryptocurrency] 02. Blockchain Overview and Introduction - Te...
 
[Blockchain and Cryptocurrency] 03. Blockchain's Theoretical Foundation, Cryp...
[Blockchain and Cryptocurrency] 03. Blockchain's Theoretical Foundation, Cryp...[Blockchain and Cryptocurrency] 03. Blockchain's Theoretical Foundation, Cryp...
[Blockchain and Cryptocurrency] 03. Blockchain's Theoretical Foundation, Cryp...
 
[Blockchain and Cryptocurrency] 04. Bitcoin and Nakamoto Blockchain
[Blockchain and Cryptocurrency] 04. Bitcoin and Nakamoto Blockchain[Blockchain and Cryptocurrency] 04. Bitcoin and Nakamoto Blockchain
[Blockchain and Cryptocurrency] 04. Bitcoin and Nakamoto Blockchain
 
[Blockchain and Cryptocurrency] 05. Ethereum and Smart Contract
[Blockchain and Cryptocurrency] 05. Ethereum and Smart Contract[Blockchain and Cryptocurrency] 05. Ethereum and Smart Contract
[Blockchain and Cryptocurrency] 05. Ethereum and Smart Contract
 
[Blockchain and Cryptocurrency] 06. NFT and Metaverse
[Blockchain and Cryptocurrency] 06. NFT and Metaverse[Blockchain and Cryptocurrency] 06. NFT and Metaverse
[Blockchain and Cryptocurrency] 06. NFT and Metaverse
 
[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other Altcoins
[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other Altcoins[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other Altcoins
[Blockchain and Cryptocurrency] 07. Cardano(ADA) and Other Altcoins
 
[Blockchain and Cryptocurrency] 08. Dark Coins
[Blockchain and Cryptocurrency] 08. Dark Coins[Blockchain and Cryptocurrency] 08. Dark Coins
[Blockchain and Cryptocurrency] 08. Dark Coins
 
[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...
[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...
[Blockchain and Cryptocurrency] 09. Blockchain Usage Beyond Currency - Way to...
 
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)
 
Kid Blockchain - Everything You Need to Know - (Part 2)
Kid Blockchain - Everything You Need to Know - (Part 2)Kid Blockchain - Everything You Need to Know - (Part 2)
Kid Blockchain - Everything You Need to Know - (Part 2)
 
Kid Blockchain - Everything You Need to Know - (Part 1)
Kid Blockchain - Everything You Need to Know - (Part 1)Kid Blockchain - Everything You Need to Know - (Part 1)
Kid Blockchain - Everything You Need to Know - (Part 1)
 
Application of the Common Criteria to Building Trustworthy Automotive SDLC
Application of the Common Criteria to Building Trustworthy Automotive SDLCApplication of the Common Criteria to Building Trustworthy Automotive SDLC
Application of the Common Criteria to Building Trustworthy Automotive SDLC
 
Assurance-Level Driven Method for Integrating Security into SDLC Process
Assurance-Level Driven Method for Integrating Security into SDLC ProcessAssurance-Level Driven Method for Integrating Security into SDLC Process
Assurance-Level Driven Method for Integrating Security into SDLC Process
 
How South Korea Is Fighting North Korea's Cyber Threats
How South Korea Is Fighting North Korea's Cyber ThreatsHow South Korea Is Fighting North Korea's Cyber Threats
How South Korea Is Fighting North Korea's Cyber Threats
 
Blockchain for Cyber Defense: Will It Be As Good As You Think?
Blockchain for Cyber Defense: Will It Be As Good As You Think?Blockchain for Cyber Defense: Will It Be As Good As You Think?
Blockchain for Cyber Defense: Will It Be As Good As You Think?
 
Post-Coronavirus 시대 보안 패러다임의 변화
Post-Coronavirus 시대 보안 패러다임의 변화Post-Coronavirus 시대 보안 패러다임의 변화
Post-Coronavirus 시대 보안 패러다임의 변화
 
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
 
Verification of IVI Over-The-Air using UML/OCL
Verification of IVI Over-The-Air using UML/OCLVerification of IVI Over-The-Air using UML/OCL
Verification of IVI Over-The-Air using UML/OCL
 

Recently uploaded

Lab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docxLab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docxRashidFaridChishti
 
Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..MaherOthman7
 
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024EMMANUELLEFRANCEHELI
 
analog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptxanalog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptxKarpagam Institute of Teechnology
 
"United Nations Park" Site Visit Report.
"United Nations Park" Site  Visit Report."United Nations Park" Site  Visit Report.
"United Nations Park" Site Visit Report.MdManikurRahman
 
Insurance management system project report.pdf
Insurance management system project report.pdfInsurance management system project report.pdf
Insurance management system project report.pdfKamal Acharya
 
handbook on reinforce concrete and detailing
handbook on reinforce concrete and detailinghandbook on reinforce concrete and detailing
handbook on reinforce concrete and detailingAshishSingh1301
 
Filters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsFilters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsMathias Magdowski
 
Seizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networksSeizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networksIJECEIAES
 
Passive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.pptPassive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.pptamrabdallah9
 
Introduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AIIntroduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AISheetal Jain
 
Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)NareenAsad
 
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...Nitin Sonavane
 
UNIT-2 image enhancement.pdf Image Processing Unit 2 AKTU
UNIT-2 image enhancement.pdf Image Processing Unit 2 AKTUUNIT-2 image enhancement.pdf Image Processing Unit 2 AKTU
UNIT-2 image enhancement.pdf Image Processing Unit 2 AKTUankushspencer015
 
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfInvolute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfJNTUA
 
Fuzzy logic method-based stress detector with blood pressure and body tempera...
Fuzzy logic method-based stress detector with blood pressure and body tempera...Fuzzy logic method-based stress detector with blood pressure and body tempera...
Fuzzy logic method-based stress detector with blood pressure and body tempera...IJECEIAES
 
Multivibrator and its types defination and usges.pptx
Multivibrator and its types defination and usges.pptxMultivibrator and its types defination and usges.pptx
Multivibrator and its types defination and usges.pptxalijaker017
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...josephjonse
 
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdfALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdfMadan Karki
 
Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualBalamuruganV28
 

Recently uploaded (20)

Lab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docxLab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docx
 
Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..
 
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
 
analog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptxanalog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptx
 
"United Nations Park" Site Visit Report.
"United Nations Park" Site  Visit Report."United Nations Park" Site  Visit Report.
"United Nations Park" Site Visit Report.
 
Insurance management system project report.pdf
Insurance management system project report.pdfInsurance management system project report.pdf
Insurance management system project report.pdf
 
handbook on reinforce concrete and detailing
handbook on reinforce concrete and detailinghandbook on reinforce concrete and detailing
handbook on reinforce concrete and detailing
 
Filters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsFilters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility Applications
 
Seizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networksSeizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networks
 
Passive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.pptPassive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.ppt
 
Introduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AIIntroduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AI
 
Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)
 
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
 
UNIT-2 image enhancement.pdf Image Processing Unit 2 AKTU
UNIT-2 image enhancement.pdf Image Processing Unit 2 AKTUUNIT-2 image enhancement.pdf Image Processing Unit 2 AKTU
UNIT-2 image enhancement.pdf Image Processing Unit 2 AKTU
 
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfInvolute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
 
Fuzzy logic method-based stress detector with blood pressure and body tempera...
Fuzzy logic method-based stress detector with blood pressure and body tempera...Fuzzy logic method-based stress detector with blood pressure and body tempera...
Fuzzy logic method-based stress detector with blood pressure and body tempera...
 
Multivibrator and its types defination and usges.pptx
Multivibrator and its types defination and usges.pptxMultivibrator and its types defination and usges.pptx
Multivibrator and its types defination and usges.pptx
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
 
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdfALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
 
Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manual
 

How the CC Harmonizes with Secure Software Development Lifecycle

  • 1. How the CC Harmonizes with Secure Software Development Lifecycle
Sep. 11. 2013.
Jinseok Park (1st Author), CIST (Center for Information Security Technologies), Korea University, ilysoon7@korea.ac.kr
Seungjoo Kim (Corresponding Author), CIST (Center for Information Security Technologies), Korea University, skim71@korea.ac.kr

  • 2. Overview
Problems
 CC focuses on removing vulnerabilities.
 CC does not cover a certified product's zero-day attacks after certifying it.
Motivations
 Removing weaknesses is more useful, in time and cost, against zero-day attacks than removing vulnerabilities.
 A secure software development lifecycle can minimize the weaknesses behind zero-day attacks.
Conclusion
 Harmonize the CC with the secure software development lifecycle.

  • 3. Contents
1. Definitions
2. Motivations
3. Problems
4. How to Fix It in a Nutshell
5. Our Methods in Detail
6. Analyses
7. How to Harmonize CC with SSDLC
8. Conclusion
9. References

  • 4. Definitions
 (Software Security) Weakness
  A type of mistake in software
  Bugs, errors
  Can be aggravated into (software security) vulnerabilities (i.e., zero-day attacks)
 (Software Security) Vulnerability
  An occurrence of a weakness (or multiple weaknesses) within software
 Zero-day attack
  A weakness is exploited by hackers before the vendor becomes aware of it and fixes it

  • 5. Definitions
• S : The set of all software in existence at some point in time
• W : The set of all instances of software weaknesses in S
• Wd : The set of discovered software weaknesses in W
• Wcwe : The set of discovered weaknesses identified with a CWE
• V : The set of all vulnerabilities in W
• Vd : The set of all discovered vulnerabilities in V
• Vcve : The set of discovered vulnerabilities identified with a CVE
<The relationship between weakness and vulnerability [8]>

  • 6. Motivations
 Software bugs or errors are so detrimental that they cost the U.S. economy an estimated $59.5 billion annually (0.6% of GDP).
 Errors found in the requirements/design stage cost 1X to fix. But if an error is not found until the post-product-release stage, it costs 30 times more to fix.
<Chart: relative cost to fix an error by the stage in which it is found: Requirements Gathering and Analysis/Architectural Design 1X; Coding/Unit Test 5X; Integration and Component/RAISE System Test 10X; Early Customer Feedback/Beta Test Programs 15X; Post-product Release 30X> [Reference: 1]
  • 7. Motivations
 The top 10 software vendors have a patch remedy rate of just over 94% of all vulnerabilities disclosed.
 But 47% of all vulnerabilities disclosed in 2012 remain without a remedy.
 A zero-day attack can still be thwarted by properly patched software.
 But patches are not cost- and time-effective!
 Economically, many researchers have tried to remove the vulnerabilities in software.
 Removing weaknesses is very useful for time and cost.
[Reference: 2-7]

  • 8. Motivations
 If we can remove weaknesses, vulnerabilities and zero-day attacks can also be removed.
 Thus, we are interested in removing the design stage's and the implementation stage's weaknesses.
 It is very useful for time and cost to remove weaknesses.

  • 9. Problems
 The CC philosophy is that the threats to security and organisational security policy commitments should be clearly articulated and the proposed security measures be demonstrably sufficient for their intended purpose. [9]
 CC focuses on removing vulnerabilities.
 CC does not cover a certified product's zero-day attacks after certifying it.
  • 10. How to Fix It in a Nutshell
 Software Assurance
  The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the life cycle.
 Secure Software Development Lifecycle
  Software Development Lifecycle + Software Assurance
  SSDLCs focus on removing weaknesses.
[Reference: 10]

  • 11. How to Fix It in a Nutshell
 CC and source code analysis tools are not rivals [11]
  They find different types of vulnerabilities
  Together, they can discover more common vulnerability types
<Diagram: weakness types placed on a Design/Implementation axis and a Security Mechanisms/Other Areas axis, with the regions covered by the CC and by tools; examples shown: Weak Audit, I&A Vulnerabilities, Inconsistent Access Control, TOCTTOU, XSS, SQL Injection, Buffer Overflow>

  • 12. How to Fix It in a Nutshell
 Based on CWE v2.4, CC v3.1, MS-SDL (one of the famous SSDLCs), and static code analysis tools.
  Common Criteria Version 3.1 Revision 4
  SSDLC (MS-SDL Version 5.2)
  Common Weakness Enumeration Version 2.4
  Static Code Analysis Tools
 Dynamic analysis tools can remove only limited weaknesses. [12]
  • 13. Our Methods in Detail
 MS-SDL (Microsoft Security Development Lifecycle)
  Software security assurance process
  A mandatory policy since 2004
[Reference: 13-14]

  • 14. Our Methods in Detail
 MS-SDL helps you build software that's more secure by reducing the number and severity of vulnerabilities in your code
[Reference: 13]

  • 15. Our Methods in Detail
 Consistent application of sound security practices during all phases of a development project will result in fewer vulnerabilities
[Reference: 14]

  • 16. Our Methods in Detail
 Static code analysis tools
  Analyze source code and/or a compiled version of the code in order to help find security flaws (weaknesses)
  Certificate of CWE compatibility (5 products) [15]
  CodeSonar, Coverity Quality Advisor/Security Advisor, HP Fortify Static Code Analyzer, Klocwork Insight

  • 17. Our Methods in Detail
 Four different areas:
1. Design (CWE-701)
2. Implementation (CWE-702)
3. Security mechanisms (CWE-254)
4. Other parts (non-security mechanisms)

  • 18. Our Methods in Detail
 Total weaknesses: 920 entries, 8 types
View : 29 entries
Category : 176 entries
Weakness - Class : 88 entries
Weakness - Base : 330 entries
Weakness - Variant : 276 entries
Compound Element - Composite : 6 entries
Compound Element - Named Chain : 3 entries
Deprecated : 12 entries
Selected : 703 entries
  • 19. Our Methods in Detail
 For example, CWE/SANS Top 25 [Reference: 16]
Columns: Rank | CWE Type | CWE-ID : Name | Design | Implementation | Security Mechanisms | Static Code Analysis Tools | CVE Entry | MS-SDL (Design, Implementation, Verification) | CC (SFR, SAR)
(the ○ marks of each row are listed in extraction order, those before the CVE count belong to the Design/Implementation/Security Mechanisms/Tools columns and those after it to the MS-SDL/CC columns; the exact column of each mark did not survive extraction)
1 | Base | CWE-89 : SQL Injection | ○ ○ ○ | CVE: 7 | ○ ○ ○ ○
2 | Base | CWE-78 : OS Command Injection | ○ ○ ○ | CVE: 10 | ○ ○ ○ ○
3 | Base | CWE-120 : Classic Buffer Overflow | ○ ○ | CVE: 5 | ○ ○ ○ ○
4 | Base | CWE-79 : Cross-site Scripting | ○ ○ ○ | CVE: 11 | ○ ○ ○ ○
5 | Variant | CWE-306 : Missing Authentication for Critical Function | ○ ○ | CVE: 3 | ○ ○ ○ ○ ○
6 | Class | CWE-862 : Missing Authorization | ○ ○ | CVE: 19 | ○ ○ ○ ○ ○
7 | Base | CWE-798 : Use of Hard-coded Credentials | ○ ○ | CVE: 10 | ○ ○ ○
8 | Base | CWE-311 : Missing Encryption of Sensitive Data | ○ ○ ○ | CVE: 20 | ○ ○ ○ ○
9 | Base | CWE-434 : Unrestricted Upload of File with Dangerous Type | ○ ○ | CVE: 10 | ○ ○ ○
10 | Base | CWE-807 : Reliance on Untrusted Inputs in a Security Decision | ○ ○ ○ | CVE: 5 | ○ ○ ○ ○

  • 20. Our Methods in Detail
 For example, CWE/SANS Top 25 (continued)
11 | Class | CWE-250 : Execution with Unnecessary Privileges | ○ ○ ○ | CVE: 7 | ○ ○ ○ ○ ○
12 | Composite | CWE-352 : Cross-Site Request Forgery (CSRF) | ○ | CVE: 10 | ○ ○ ○ ○
13 | Class | CWE-22 : Path Traversal | ○ ○ ○ | CVE: 11 | ○ ○ ○ ○
14 | Base | CWE-494 : Download of Code Without Integrity Check | ○ ○ | CVE: 4 | ○ ○ ○ ○
15 | Class | CWE-863 : Incorrect Authorization | ○ ○ | CVE: 9 | ○ ○ ○ ○ ○
16 | Class | CWE-829 : Inclusion of Functionality from Untrusted Control Sphere | | CVE: 20 | ○ ○ ○ ○ ○
17 | Class | CWE-732 : Incorrect Permission Assignment for Critical Resource | ○ ○ ○ | CVE: 17 | ○ ○ ○ ○ ○
18 | Base | CWE-676 : Use of Potentially Dangerous Function | ○ ○ ○ | CVE: 6 | ○ ○
19 | Base | CWE-327 : Use of a Broken or Risky Cryptographic Algorithm | ○ ○ | CVE: 8 | ○ ○ ○
20 | Base | CWE-131 : Incorrect Calculation of Buffer Size | ○ ○ | CVE: 14 | ○ ○ ○ ○
21 | Base | CWE-307 : Improper Restriction of Excessive Authentication Attempts | ○ ○ | CVE: 6 | ○ ○ ○ ○ ○
22 | Variant | CWE-601 : Open Redirect | ○ ○ | CVE: 3 | ○ ○ ○ ○ ○
23 | Base | CWE-134 : Uncontrolled Format String | ○ ○ | CVE: 6 | ○ ○ ○ ○
24 | Base | CWE-190 : Integer Overflow or Wraparound | ○ ○ | CVE: 6 | ○ ○ ○ ○
25 | Base | CWE-759 : Use of a One-Way Hash without a Salt | | CVE: 2 | ○ ○ ○
  • 21. Analyses
 Divided into four areas (Design, Implementation, Security Mechanism, Non-Security Mechanism)
 Distribution of weaknesses and vulnerabilities in each area
<Figure: four-area diagram (Design, Implementation, Non-Security Mechanism, Security Mechanism), legend (Total CWE) <Total CVE>; values shown: (110) <387>, (75) <241>, (523) <1522>, (260) <891>>

  • 22. Analyses - CC -
<Figure: CC coverage over the four areas (Design, Implementation, Non-Security Mechanism, Security Mechanism), legend ※ CWE<CVE>; values shown: 110<387>, 240<857>, 73<241>, 481<1458>>

  • 24. Analyses - CC and MS-SDL -
<Figure: CC and MS-SDL coverage over the four areas, legend ※ CWE<CVE>; values shown: 11<20>, 9<14>, 43<143>, 7<52>, 4<8>, 1<0>, 12<19>, 30<45>, 55<148>, 103<335>, 197<714>, 69<233>, 426<1310>, 1<0>>

  • 25. Analyses - Static Code Analysis Tools -
<Figure: static code analysis tool coverage over the four areas, legend ※ CWE<CVE>; values shown: 14<26>, 161<461>, 69<287>, 19<40>>

  • 26. Analyses - CC & Static Code Analysis Tools -
<Figure: combined CC and static code analysis tool coverage over the four areas (labels: CC, Static Code Analysis Tools, MS-SDL), legend ※ CWE<CVE>; combined values shown: 84<295>, 139<447>, 56<207>, 295<894>; tools alone: 14<26>, 161<461>, 69<287>, 19<40>>
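A worked version of the coverage analysis the deck runs on slides 17 through 26, added here as an example and not the authors' code: it selects the weakness-type CWE entries (slide 18), counts them per area (slide 21) and reports how many CWE entries and mapped CVE entries a chosen combination of methods (CC, MS-SDL, static code analysis tools) covers, in the slides' CWE<CVE> notation, together with the entries left uncovered. The CWE IDs, types and CVE-entry counts are taken from the Top 25 table on the slides; the area each entry is assigned to and the methods that cover it are constructed assumptions, since the slides' own marks could not be aligned to columns.

```python
"""Coverage analysis in the style of the deck's "Analyses" slides.

Added example, not the authors' code. CWE IDs, entry types, the four
analysis areas and the CVE-entry counts are taken from the slides; the area
assignment and the covering methods of each entry are CONSTRUCTED assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Entry types that describe an actual weakness (the entries selected on
# slide 18); View, Category and Deprecated entries are left out.
WEAKNESS_TYPES = {"Class", "Base", "Variant", "Composite", "Named Chain"}

# Slide 17's four areas, read as two axes: lifecycle stage and mechanism.
STAGES = ("Design", "Implementation")
MECHANISMS = ("Security Mechanism", "Non-Security Mechanism")
AREAS = STAGES + MECHANISMS


@dataclass(frozen=True)
class CweEntry:
    cwe_id: str
    name: str
    entry_type: str
    stage: str             # one of STAGES (assumed per entry)
    mechanism: str         # one of MECHANISMS (assumed per entry)
    cve_entries: int       # CVE entries mapped to this CWE (from the slides)
    covered_by: frozenset  # subset of {"CC", "MS-SDL", "Tools"} (assumed)


def _e(cwe_id, name, entry_type, stage, mechanism, cve_entries, *methods):
    return CweEntry(cwe_id, name, entry_type, stage, mechanism, cve_entries,
                    frozenset(methods))


# Constructed sample catalogue: a slice of the Top 25 rows plus the view and
# category entries named on slide 17 (no CVE count on the slides, so 0).
SAMPLE = [
    _e("CWE-89", "SQL Injection", "Base", "Implementation", "Non-Security Mechanism", 7, "MS-SDL", "Tools"),
    _e("CWE-78", "OS Command Injection", "Base", "Implementation", "Non-Security Mechanism", 10, "MS-SDL", "Tools"),
    _e("CWE-120", "Classic Buffer Overflow", "Base", "Implementation", "Non-Security Mechanism", 5, "Tools"),
    _e("CWE-79", "Cross-site Scripting", "Base", "Implementation", "Non-Security Mechanism", 11, "MS-SDL", "Tools"),
    _e("CWE-306", "Missing Authentication for Critical Function", "Variant", "Design", "Security Mechanism", 3, "CC", "MS-SDL"),
    _e("CWE-862", "Missing Authorization", "Class", "Design", "Security Mechanism", 19, "CC", "MS-SDL"),
    _e("CWE-798", "Use of Hard-coded Credentials", "Base", "Implementation", "Security Mechanism", 10, "Tools"),
    _e("CWE-311", "Missing Encryption of Sensitive Data", "Base", "Design", "Security Mechanism", 20, "CC"),
    _e("CWE-352", "Cross-Site Request Forgery (CSRF)", "Composite", "Design", "Non-Security Mechanism", 10, "MS-SDL"),
    _e("CWE-327", "Use of a Broken or Risky Cryptographic Algorithm", "Base", "Implementation", "Security Mechanism", 8, "CC", "Tools"),
    _e("CWE-701", "Design", "View", "Design", "Non-Security Mechanism", 0),
    _e("CWE-254", "Security mechanisms", "Category", "Design", "Security Mechanism", 0),
]


def select_weaknesses(entries):
    """Slide 18: keep only the entry types that describe a weakness."""
    return [e for e in entries if e.entry_type in WEAKNESS_TYPES]


def totals_by_area(entries):
    """Slide 21: CWE and mapped-CVE counts per area as {area: (cwe, cve)}.

    Each weakness is counted once on the stage axis and once on the
    mechanism axis, so both pairs of areas add up to the whole set.
    """
    cwe, cve = Counter(), Counter()
    for e in entries:
        for area in (e.stage, e.mechanism):
            cwe[area] += 1
            cve[area] += e.cve_entries
    return {area: (cwe[area], cve[area]) for area in AREAS}


def covered_by_area(entries, methods):
    """Slides 22-26: the same counts restricted to weaknesses that at least
    one of `methods` addresses, e.g. ("CC",) or ("CC", "Tools")."""
    wanted = set(methods)
    return totals_by_area([e for e in entries if e.covered_by & wanted])


def uncovered(entries, methods):
    """CWE IDs none of `methods` addresses: the weaknesses a product built
    and certified with only those methods would still carry."""
    wanted = set(methods)
    return [e.cwe_id for e in entries if not (e.covered_by & wanted)]


def fmt(cwe, cve):
    """The slides' '※ CWE<CVE>' notation, e.g. 110<387>."""
    return f"{cwe}<{cve}>"


def report(entries, methods):
    sel = select_weaknesses(entries)
    total, cov = totals_by_area(sel), covered_by_area(sel, methods)
    lines = [f"Coverage by {' + '.join(methods)} (covered / total, CWE<CVE>)"]
    for area in AREAS:
        lines.append(f"  {area:23s} {fmt(*cov[area]):>8s} / {fmt(*total[area])}")
    lines.append("  not covered: " + (", ".join(uncovered(sel, methods)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Adding static code analysis tools to the CC widens the Implementation
    # coverage, the pattern slide 26 shows relative to slide 22.
    print(report(SAMPLE, ("CC",)))
    print(report(SAMPLE, ("CC", "Tools")))
    print(report(SAMPLE, ("CC", "MS-SDL", "Tools")))
```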
  • 27. How to Harmonize CC with SSDLC
 Proposed Security Assurance Requirements (SAR)
 Now CC + SSDLC's practices
SSDLC Process | Practice | CC Security Assurance Requirements
1. Training | Core Security Training | ALC_DVS
2. Requirements | Establish Security and Privacy Requirements, Create Quality Gates/Bug Bars, Perform Security and Privacy Risk Assessments | ASE, ALC_TAT, AVA
3. Design | Establish Design Requirements, Attack Surface Analysis/Reduction, Use Threat Modeling | ADV, AVA
4. Implementation | Use Approved Tools, Deprecate Unsafe Functions, Perform Static Analysis | ATE, ADV_IMP
5. Verification | Perform Dynamic Analysis, Fuzz Testing, Attack Surface Review | ATE
6. Release/Response | Create an Incident Response Plan, Conduct Final Security Review, Certify Release and Archive, Execute Incident Response Plan | AGD, ALC_CMC, AVA

  • 28. Conclusion
 The CC and the SSDLC are similar methodologies for removing vulnerabilities.
 But they find different types of vulnerabilities.
 Static code analysis tools can help remove weaknesses under the CC.
 The CC and the SSDLC are not competitors. Rather, they are complements.
  • 29. References
1. Gregory Tassey, Ph.D., "The Economic Impact of Inadequate Infrastructure for Software Testing", Planning Report 02-3, NIST, May 2002.
2. Paul Wood, "Closing The Window Of Vulnerability: Exploits And Zero-Day Attacks", Internet Security Threat Report, vol. 17, Symantec, Apr. 2012.
3. Brian McGee, "Vulnerabilities in enterprise software", IBM X-Force 2012 Mid-year Trend and Risk Report, Sep. 2012.
4. Gerhard Eschelbeck, "Systems and software threats", Security Threat Report, Sophos, Jan. 2012.
5. Theresa Lanowitz, "Now Is the Time for Security at the Application Level", Gartner, Dec. 2005.
6. Joe Jarzombek, "Software Assurance: Enabling Security and Resilience throughout the Software Lifecycle", MITRE, Nov. 2012.
7. U.S. Department of Homeland Security web page: https://buildsecurityin.us-cert.gov/swa/forums-and-working-groups/processes-and-practices/swa-capability-benchmarking
8. Richard Struse, "Software Assurance - Making the Software Ecosystem Rugged", ICSJWG, Oct. 2011.
9. Common Criteria Recognition Arrangement, "Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 4", Sep. 2012.
10. U.S. Department of Homeland Security web page: https://buildsecurityin.us-cert.gov/swa/process-view/overview
11. Adam O'Brien, "Common Criteria and Source Code Analysis Tools: Competitors or Complement", 9th International Common Criteria Conference, Sep. 2010.
12. B. Chess and G. McGraw, "Static analysis for security", IEEE Security & Privacy, vol. 2, no. 6, pp. 76-79, Nov. 2004.
13. Jeff Jones, "Microsoft products: Vulnerabilities reduction after SDL implementation", Microsoft Security Blog and Microsoft TechNet Security Blog, Jan. 2008.
14. "Basics of Secure Design Development Test: Secure Software Made Easier", Microsoft, 2008.
15. Common Weakness Enumeration (CWE) web page: Assessment and Remediation Tool, http://cwe.mitre.org/compatible/category.html, Jun. 2013.
16. MITRE, "2011 CWE/SANS Top 25 Most Dangerous Software Errors", Sep. 2011.
  • 31. Jinseok Park E-mail : ilysoon7@korea.ac.kr Facebook : @ilysoon7 Jinseok Park received his B.S. (2010) in computer science from Soongsil University in Korea. He also served on the Electronic Signature and Authentication Team of the Korea Information Security Agency (KISA) for one year. He is now enrolled in the M.S. program at Korea University. His research interests include security evaluation, information security and online social network service security. He holds several certifications (CISSP, CISA, Security Product Evaluator, CPPG, Information Processing Engineer).
  • 32. Seungjoo Kim (Corresponding Author) E-mail : skim71@korea.ac.kr Homepage : www.kimlab.net Facebook, Twitter : @skim71 Prof. Seungjoo Kim received his B.S. (1994), M.S. (1996), and Ph.D. (1999) in information engineering from Sungkyunkwan University (SKKU) in Korea. Prior to joining the faculty at Korea University (KU) in 2011, he served as Assistant and Associate Professor in the School of Information and Communication Engineering at SKKU for 7 years. Before that, he served as Director of the Cryptographic Technology Team and the (CC-based) IT Security Evaluation Team of the Korea Information Security Agency (KISA) for 5 years. He is now Full Professor at the Graduate School of Information Security at KU and a member of KU's Center for Information Security Technologies (CIST). He has also served as an executive committee member of Korean E-Government, and as an advisory committee member of several public and private organizations such as the National Intelligence Service of Korea, the Digital Investigation Advisory Committee of the Supreme Prosecutors' Office, the Ministry of Justice, The Bank of Korea, ETRI (Electronics and Telecommunications Research Institute), and KISA. His research interests include cryptography, information security and information assurance.
  • 33. The corresponding author (Seungjoo Kim) acknowledges the support of the IT R&D program (10043959, Development of EAL 4 level military fusion security solution for protecting against unauthorized accesses and ensuring a trusted execution environment in mobile devices) of KEIT/MOTIE and MSIP (Ministry of Science, ICT & Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2013-H0301-13-1003) supervised by the NIPA (National IT Industry Promotion Agency).
