A Study on Secure SDLC Specialized in Common Criteria
|
|
- Anna Marshall
- 6 years ago
- Views:
Transcription
1 , pp A Study on Secure SDLC Specialized in Common Criteria Min-Gyu Lee 1, Hyo-jung Sohn 2, Baek-MinSeong 3 and Jong-Bae Kim 4* 1,2,3,4* Graduate School of Software, Soongsil University, Seoul , Korea 1 marse101@naver.com, 2 hyojung.sohn@gmail.com, 3 feeling127@naver.com, 4* kjb123@ssu.ac.kr Abstract. Common Criteria (CC) is a globally standardized for information technology security evaluation criteria for IT products manufactured around the world. IT products used in governmental organizations and public institutions must acquire a certain level of or higher than the Evaluation Assurance Level (EAL) of CC. Meanwhile, the general Software Development Life Cycle (SDLC) does not suggest guidelines to eliminate weakness in the development ; therefore, a possible critical situation may occur. Furthermore, CC currently performs security certification for Target of Evaluation (TOE) only, and it does not suggest a guideline related to Secure Software Development Life Cycle (SSDLC) that considers weakness in the development. If the relevant TOE is developed by SSDLC specializing in CC, all of the evaluators and developers can engage in CC certification with an objective perspective. This thesis suggests that SSDLC can develop TOE suitable for CC by identifying vulnerabilities and weaknesses, making a reference to MS-SDL, OWASP Comprehensive Lightweight Application Security Process (CLASP), and McGraw s Touchpoints based on the weaknesses provided at the CWE. Keywords: Common Criteria, CC, SSDLC, Secure SDLC, CWE, weakness, vulnerability, MS-SDL, CLASP, Touchpoints 1 Introduction Common Criteria (CC) is a globally standardized criteria (ISO/IEC 15408) for information technology security evaluation criteria of IT products that are manufactured around the world. IT products that will be introduced by governmental organizations and public institutions must acquire a certain level of or higher than the Evaluation Assurance Level (EAL) of CC in order to be delivered. Currently, when a number of software-related small-sized and medium-sized companies develop software for CC certification, they usually hire after the results have been completed without hiring the CC expert from its initial development due to issues regarding the cost. At the Software Engineering Institute of Carnegie Mellon University, 70% of the weaknesses, which occurred during a design error, have been reported. When it was unable to eliminate these weaknesses during the software design phase, the costs occurred in as much as 30 times during the maintenance phase [1]. In addition, CC currently performs security certification for Target of Evaluation (TOE) only; ISSN: ASTL Copyright 2015 SERSC
2 however, it does not suggest a guideline related to Secure Software Development Life Cycle (SSDLC), which can analyze the weakness during the development. This paper suggests that the SSDLC is able to develop TOE suitable for CC, based on the weakness provided by the Common Weakness Enumeration (CWE), by determining the vulnerabilities and the weaknesses in references of the MS-SDL, OWASP Comprehensive, Lightweight Application Security Process (CLASP), and Touchpoints. The results of this study can be utilized as guidelines for the developers with the purpose of CC certification in the of developing software, of which the weaknesses are eliminated. 2 Related Work We have witnessed that if there are vulnerabilities that have not been eliminated during the phases of SDLC design, implementation, and, the cost would demonstrate an exponential growth. One weakness is accompanied by multiple vulnerabilities; therefore, it is important to eliminate the weaknesses. In this paper, I mapped the removable items from the CWE weakness list (Ver.2.8) per item during the design, implementation, and test phases, by using the study data of Bart [2], who has done a comparative study for MS-SDL, CLASP, and Touchpoints. The total number of items during the design, implementation, and test phases is 81. For CWE s weaknesses list [3], the Weaknesses Introduced During Design (CWE- 701) of the Development Concept (CWE-699) will be used as a weakness list. The weaknesses presented are shown in Table 1. Table1. Weaknesses Introduced During Design (CWE-701) CWEs in this view Total CWEs Total 383 out of 1003 Views 0 out of 32 Categories 3 out of 244 Weaknesses 377 out of 719 Compound Elements 3 out of 8 The weaknesses that can occur in the design phase are 380 in total, except for View and Categories. For the weakness list in the implementation phase, the Weaknesses Introduced During Implementation (CWE-702) of Development Concept (CWE-699) will be used. Similarly, the weaknesses that possibly occur in the implementation phase are 600 in total, except for View and Categories. During the test phase, it is used by removing the duplicates from the two CWE lists of the design phase and the implementation phase. Since all existing vulnerabilities must be removed, it was analyzed based on the total weaknesses of 687. In CC Part 2, Security Functional Requirements (SFR) provides a total of 11 Security Functional Classes. This is a set of functional components which is a standard for determining the security features and security mechanisms of TOE [4]. For the weaknesses of the security functional requirements that can be removed in the 20 Copyright 2015 SERSC
3 design and implementation phase, it has utilized the method [5] of using the Security Features (CWE-254). The listed weaknesses are 110 in the design phase, and 75 in the implementation phase. Security Assurance Requirements (SAR) is a set of assurance components that is a standard for determining the assurance level of TOE [6]. The ultimate goal of the CC certification is to acquire Evaluation Assurance Level (EAL). Therefore, the developers shall establish a goal of acquiring an EAL. In CC, when the developer tries to acquire TOE above EAL4, they must submit the source code to the rating institution. The source code analysis is important for the verification of the weaknesses, and it has been conducted from the evaluation of above EAL4. However, even this source code analysis is explicitly stated in the CC standard that it is not a requirement of the evaluators. As a result, utilizing the items [7] will remove the weaknesses of the CC. As mentioned above, the source code analysis can only be made by submitting the source code when it acquires more than an EAL4 grade. For EAL1~3 grades, the source code analysis is not possible. Based on the items, mapping is conducted by finding the weaknesses that can be removed from the CWE weaknesses list. 3 SSDLC Research Method for Specialized Common Criteria 3.1 Research Process This research paper maps to find the weaknesses to be removed by comparing the items of SSDLCs that can eliminate the vulnerabilities as described above with the predefined CWE list. The weaknesses are then mapped to be removed, based on the CWE list with CC Security Functional Requirements (SFR) and Security Assurance Requirements (SAR). In addition, it proposes an SSDLC that is suitable to each EAL grade by determining the correlation of the weaknesses that were found in the two previous phases. 3.2 SSDLC Item Comparison and CWE List Mapping Since it was not able to add the mapping data for all of the weaknesses, it has given the Top 25 Most Dangerous Software Errors [8] according to the CWE/SANS. The reference shows the top 25 most dangerous weaknesses. The results that mapped the weaknesses ranked 1st, 3rd, and 5th in the SSDLC comparison. When looking at the SQL-Injection that ranked 1st place on the above data out of the most dangerous weaknesses, the vulnerabilities to be derived are seven, but there was no way of finding the weaknesses during the design phase. Based on the methods that were successful in finding the weaknesses during the implementation phase, there were security analysis tools, automated source level, and manual code. Moreover, the methods used in finding the weaknesses regarding the SQL-Injection Copyright 2015 SERSC 21
4 during the test phase were fuzz, risk-based, unit, and penetration methods. According to the above result, all the weaknesses that can be removed from SSDLC have been confirmed, and it could be a cornerstone for the weaknesses and comparative materials that can be found in CC in the future. 3.3 CC and CWE List Mapping In Section 3.2, the mapping of the CC and CWE list involved the 1st, 3rd, 5th ranks of the CWE/SANS. For the CC comparison, it utilized the SFR that has become a standard for defining the TOE s security functions and security mechanisms as described in Section 2.3, as well as the SAR that has become a standard for defining the TOE assurance level. On the other hand, the source code analysis and the vulnerability analysis are not mandatory in the assurance requirements, but they can be used according to the requirement of the evaluator. Therefore, it has separately analyzed two cases, wherein one case used the source code analysis and the vulnerability analysis, while the other case did not utilize any of the aforementioned methods. 3.4 Comparison Analysis In this section, it has compared the weaknesses that the CC and SSDLC can remove in EAL4~7 grades by using the data mapped in Section 3.2 and Section 3.3. The comparison results from EAL1~3 and EAL4~7 in the analysis data on Section 3.3 are the same, and it has summarized the table of EAL4~7 only to prevent duplication. Organizing results are shown in Table 2. 4 Conclusion In this paper, after having mapped the weaknesses that can be found in SSDLC and those in the CC based on CWE list, the comparative analysis for the correlation of weaknesses were found in SSDLC and those in CC. Based on the mapped data, it proposed a SSDLC that specializes in CC by selecting the steps that must be undertaken in SSDLC through EAL grades. The results of this study may be used as an SSDLC guideline that matches the target EAL of the developers in order to acquire a CC certification. Table2. Comparison of the Mapped Data CWE SSDLC CWE ID Design Implementation Test 22 Copyright 2015 SERSC
5 CC (EAL 4~7) SAR SFR CWE-89: SQL Injection CWE-120: Classic Buffer Overflow CWE-306: Missing Authenticati on CWE-306: Missing Authenticati on 1. Threat modeling 1. Threat modeling 1. Fuzz 2. Unit 4. Risk-based 1. Fuzz 2. Unit 4. Risk-based 1. Fuzz 2. Unit 1. Fuzz 2. Unit References 1. Gregory Tassey, Ph.D.: The Economic Impacts of Inadequate Infrastructure for Software Testing.: National Institute of Standards and Technology (2002) 2. Bart De Win, Riccardo Scandariato, Koen Buyens, Johan Gre goire, WouterJoosen.: On the secure software development CLASP, SDL and Touchpoints compared: Information and Software Technology 51 (2009) Common Weakness Enumeration, 4. Common Criteria v3.1: Part 2:Security functional components (2012) 5. JinseokPark,Seungjoo Kim.: How the CC Harmonizes with Secure Software Development Lifecycle : Journal of The Korea Institute of Information Security & Cryptology VOL.24, NO.1, Feb BundesamtfürSicherheit in der Informationstechnik.:Guidelines for Developer Documentation according to Common Criteria Version 3.1 (2007) 7. Mehmet Kara.: Review on Common Criteria as a Secure Software Development Model: International Journal of Computer Science & Information Technology (IJCSIT) Vol 4, No 2, April MITRE.: CWE/SANS Top 25 Most Dangerous Software Errors (2011) Copyright 2015 SERSC 23
Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO
Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO tom.stiehm@coveros.com 1 About Coveros Coveros helps organizations accelerate the delivery of business value through
More informationSecure Development Processes
Secure Development Processes SecAppDev2009 What s the problem? Writing secure software is tough Newcomers often are overwhelmed Fear of making mistakes can hinder Tend to delve into security superficially
More informationImproving Security in the Application Development Life-cycle
Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com
More informationOWASP InfoSec Romania 2013
OWASP InfoSec Romania 2013 Secure Development Lifecycle, The good, the bad and the ugly! October 25 th 2013 Martin Knobloch OWASP Netherlands Chapter Leader Applications are about information! 3 pillars
More informationA Study on the Communication Agent Model for One-way Data Transfer System
, pp. 161-168 http://dx.doi.org/10.14257/ijsh.2015.9.10.18 A Study on the Communication Agent Model for One-way Data Transfer System Young-Chul Oh 1, Mi-Ran Han 2, Yongtae Shin 3 and Jong-Bae Kim 4* 1
More informationFeliCa Approval for Security and Trust (FAST) Overview. Copyright 2018 FeliCa Networks, Inc.
FeliCa Approval for Security and Trust (FAST) Overview Introduction The security certification scheme called FeliCa Approval for Security and Trust (FAST) has been set up to enable the evaluation and certification
More informationKorean National Protection Profile for Electronic Document Encryption V1.0 Certification Report
KECS-CR-17-57 Korean National Protection Profile for Electronic Document Encryption V1.0 Certification Report Certification No.: KECS-PP-0821-2017 2017. 8. 18 IT Security Certification Center History of
More informationKorean National Protection Profile for Single Sign On V1.0 Certification Report
KECS-CR-17-58 Korean National Protection Profile for Single Sign On V1.0 Certification Report Certification No.: KECS-PP-0822-2017 2017. 8. 18 IT Security Certification Center History of Creation and Revision
More informationProtection Profile for Connected Diabetes Devices (CDD PP) Extended Package: Moderate
1 2 3 Protection Profile for Connected Diabetes Devices (CDD PP) Extended Package: Moderate 4 5 6 DTSec CDD PP EP Moderate 1.0 - May 22, 2018 Page 1 of 14 7 8 9 10 11 12 13 Acknowledgements This EP was
More informationOWASP - SAMM. OWASP 12 March The OWASP Foundation Matt Bartoldus Gotham Digital Science
OWASP - SAMM Matt Bartoldus Gotham Digital Science OWASP 12 March 2009 Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationFirewall Protection Profile V2.0 Certification Report
KECS-CR-08-10 Firewall Protection Profile V2.0 Certification Report Certification No. : KECS-PP-0093-2008 Apr, 2008 National Intelligence Service IT Security Certification Center This document is the certification
More informationAbstract. 1. Introduction
보안공학연구논문지 제 권제 호 년 월 Abstract In these days, many organizations try to manage their information system in safe way(i.e., Evaluation, Assurance and Certification of Information Security) due to more rapidly
More informationA Personal Information Retrieval System in a Web Environment
Vol.87 (Art, Culture, Game, Graphics, Broadcasting and Digital Contents 2015), pp.42-46 http://dx.doi.org/10.14257/astl.2015.87.10 A Personal Information Retrieval System in a Web Environment YoungDeok
More informationTaking White Hats to the Laundry: How to Strengthen Testing in Common Criteria
Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria Apostol Vassilev, Principal Consultant September 23,2009. Product Testing in Common Criteria Product Testing in Common Criteria
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationDesign and Implementation of Secure OTP Generation for IoT Devices
, pp.75-80 http://dx.doi.org/10.14257/astl.2017.146.15 Design and Implementation of Secure OTP Generation for IoT Devices Young-Sae Kim 1 and Jeong-Nyeo Kim 1 1 Electronics and Telecommunications Research
More informationModule 6: Network and Information Security and Privacy. Session 3: Information Security Methodology. Presenter: Freddy Tan
Module 6: Network and Information Security and Privacy Session 3: Information Security Methodology Presenter: Freddy Tan Learning Objectives Understanding the administrative, physical, and technical aspects
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationSoftware Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting
Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting July 14 th 2010 Copyright 2010 - The OWASP Foundation Permission
More informationAssurance Continuity Maintenance Report
Assurance Continuity Maintenance Report Buheita Fujiwara, Chairman Information-technology, Promotion Agency, Japan Changed TOE Application date/id Certification No. Sponsor Name of TOE Version of TOE Conformed
More informationVulnerability-centric assurance activities for MFP PP as a candidate for cpp
Vulnerability-centric assurance activities for MFP PP as a candidate for cpp Fumiaki Manabe JISEC / IPA, Japan September 11, 2013 1 Agenda The security surrounding the MFP PP development for Government
More informationMicrosoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications
Release Conception Microsoft SDL Security Development Lifecycle and Building Secure Applications KRnet 2010 2010. 6. 22. 한국마이크로소프트보안프로그램매니저김홍석부장 Hongseok.Kim@microsoft.com Agenda Applications under Attack
More informationRisk Analysis and Measurement with CWRAF
Risk Analysis and Measurement with CWRAF - Common Weakness Risk Analysis Framework - April 4, 2012 Making Security Measurable (MSM) Software Assurance Enterprise Security Management Threat Management Design
More informationIT Security Evaluation and Certification Scheme Document
IT Security Evaluation and Certification Scheme Document June 2015 CCS-01 Information-technology Promotion Agency, Japan (IPA) IT Security Evaluation and Certification Scheme (CCS-01) i / ii Table of Contents
More informationSDLC Maturity Models
www.pwc.com SDLC Maturity Models SecAppDev 2017 Bart De Win Bart De Win? 20 years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific publications
More informationVisa Chip Security Program Security Testing Process
Visa Chip Security Program Security Testing Process Visa Supplemental Requirements Version 2.1 January 2018 Visa Public Important Information on Confidentiality and Copyright Note: This document is a supplement
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationDon t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd
Don t Be the Developer Whose Rocket Crashes on Lift off 2015 LDRA Ltd Cost of Software Defects Consider the European Space Agency s Ariane 5 flight 501 on Tuesday, June 4 1996 Due to an error in the software
More informationLarry Maccherone Carnegie Mellon CyLab
1 What do building construction and software engineering have in common? Larry Maccherone Manager of Software Assurance Initiatives CyLab - Carnegie Mellon 2 Creating secure software is like constructing
More informationAssurance Continuity Maintenance Report
Assurance Continuity Maintenance Report Buheita Fujiwara, Chairman Information-Technology Promotion Agency, Japan Changed TOE Application date/id Certification No. Sponsor Name of TOE / Version of TOE
More informationProcedure for Network and Network-related devices
Lloyd s Register Type Approval System Type Approval Requirements for components within Cyber Enabled Systems on board Ships Procedure for Network and Network-related devices September 2017 1 Reference:
More informationTRAINING CURRICULUM 2017 Q2
TRAINING CURRICULUM 2017 Q2 Index 3 Why Security Compass? 4 Discover Role Based Training 6 SSP Suites 7 CSSLP Training 8 Course Catalogue 14 What Can We Do For You? Why Security Compass? Role-Based Training
More informationSynergies of the Common Criteria with Other Standards
Synergies of the Common Criteria with Other Standards Mark Gauvreau EWA-Canada 26 September 2007 Presenter: Mark Gauvreau (mgauvreau@ewa-canada.com) Overview Purpose Acknowledgements Security Standards
More informationAn Attack Surface Driven Approach to Evaluation
An Attack Surface Driven Approach to Evaluation Helmut Kurth atsec information security corp. 10th ICCC, Tromso - atsec information security Content What is the attack surface? Attack surface and TSFI
More informationSECURITY CERTIFICATION
ÉDITION 2018 SECURITY CERTIFICATION OF PRODUCTS BY THE FRENCH NATIONAL CYBERSECURITY AGENCY (ANSSI) PAR L AGENCE NATIONALE DE LA SÉCURITÉ DES SYSTÈMES D INFORMATION Security Visas provide a competitive
More informationCertification Report
Certification Report EAL 4+ Evaluation of WatchGuard and Fireware XTM Operating System v11.5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation
More informationA Design of Building Group Management Service Framework for On-Going Commissioning
, pp.84-88 http://dx.doi.org/10.14257/astl.2014.49.18 A Design of Building Group Management Service Framework for On-Going Commissioning Taehyung Kim 1, Youn Kwae Jeong 1 and Il Woo Lee 1, 1 Electronics
More informationCIT 380: Securing Computer Systems. Software Security
CIT 380: Securing Computer Systems Software Security Topics 1. The problem of software security 2. System security standards 3. Secure lifecycle 4. Buffer overflows 5. Integer overflows 6. Format string
More informationIEEE Sec Dev Conference
IEEE Sec Dev Conference #23, Improving Attention to Security in Software Design with Analytics and Cognitive Techniques Jim Whitmore (former) IBM Distinguished Engineer Carlisle, PA jjwhitmore@ieee.org
More informationCIS 700/002 : Special Topics : OWASP ZED (ZAP)
CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of
More informationIT Security Evaluation : Common Criteria
AfriNIC-9 MEETING Mauritius 22-28 November 2008 IT Security Evaluation : Common Criteria Ministry of Communication Technologies National Digital Certification Agency Mounir Ferjani November 2008 afrinic
More informationA Security Risk Analysis Model for Information Systems
A Security Risk Analysis Model for Information Systems Hoh Peter In 1,*, Young-Gab Kim 1, Taek Lee 1, Chang-Joo Moon 2, Yoonjung Jung 3, and Injung Kim 3 1 Department of Computer Science and Engineering,
More informationSmart TV Security Solution V2.0 for Samsung Knox. Certification Report
KECS-CR-17-82 Smart TV Security Solution V2.0 for Samsung Knox Certification Report Certification No.: KECS-CISS-0846-2017 2017. 12. 27 IT Security Certification Center History of Creation and Revision
More informationA Preliminary Study on Daylighting Performance of Light Shelf according to the Depth of Space
, pp.70-74 http://dx.doi.org/10.14257/astl.2013.32.17 A Preliminary Study on Daylighting Performance of Light Shelf according to the Depth of Space Heangwoo Lee 1.1, Janghoo Seo 2.1, Yongseong Kim 2.2,
More informationDeveloping Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch
Developing Secure Applications with OWASP Martin Knobloch martin.knobloch@owasp.org OWASP OWASP NL Chapter Board OWASP Global Education Committee Chair Copyright The OWASP Foundation Permission is granted
More informationFintech District. The First Testing Cyber Security Platform. In collaboration with CISCO. Cloud or On Premise Platform
Fintech District The First Testing Cyber Security Platform In collaboration with CISCO Cloud or On Premise Platform WHAT IS SWASCAN? SWASCAN SERVICES Cloud On premise Web Application Vulnerability Scan
More informationSecure Product Development With Rapid Start Get started now and launch your secure product on-time. Hal Aldridge
Secure Product Development With Rapid Start Get started now and launch your secure product on-time Hal Aldridge Secure Product Development With Rapid Start applications that communicate with Cloud services.
More informationCertification Report
Certification Report Symantec Security Information Manager 4.8.1 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government
More informationCourse 834 EC-Council Certified Secure Programmer Java (ECSP)
Course 834 EC-Council Certified Secure Programmer Java (ECSP) Duration: 3 days You Will Learn How To Apply Java security principles and secure coding practices Java Security Platform, Sandbox, JVM, Class
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationAssurance Continuity Maintenance Report
Assurance Continuity Maintenance Report Buheita Fujiwara, Chairman Information-Technology Promotion Agency, Japan Changed TOE Application date/id Certification No. Sponsor Name of TOE / Version of TOE
More informationA Design of Authentication Protocol for a Limited Mobile Network Environment
Vol.29 (SecTech 2013), pp.41-45 http://dx.doi.org/10.14257/astl.2013.29.08 A Design of Authentication Protocol for a Limited Mobile Network Environment Minha Park 1,1, Yeog Kim 2, Okyeon Yi 3 1, 3 Dept.
More informationA Model for Structuring and Reusing Security Requirements Sources and Security Requirements
A Model for Structuring and Reusing Requirements Sources and Requirements Christian Schmitt 1 and Peter Liggesmeyer 2, 3 1 Siemens AG, Siemens Corporate Technology, Otto-Hahn-Ring 6, 81739 Munich, Germany
More informationSyllabus:))AIT)671)0)Information)Systems)Infrastructure)Lifecycle) Management)
Syllabus:))AIT)671)0)Information)Systems)Infrastructure)Lifecycle) Management) Term:))Spring)2015) Instructor: Jay Holcomb, Adjunct Faculty, Department of Applied Information Technology, Volgenau School
More informationMARCH Secure Software Development WHAT TO CONSIDER
MARCH 2017 Secure Software Development WHAT TO CONSIDER Table of Content Introduction... 2 Background... 3 Problem Statement... 3 Considerations... 4 Planning... 4 Start with security in requirements (Abuse
More informationMy name is Jesus Abelarde and I am Lead Systems Security Engineer for the MITRE Corporation. I currently work on multiple engineering domains that
My name is Jesus Abelarde and I am Lead Systems Security Engineer for the MITRE Corporation. I currently work on multiple engineering domains that includes Cyber, Network, Software, Testing and Integration
More informationA Case Study of Black-Box Testing for Embedded Software using Test Automation Tool
Journal of Computer Science 3 (3): 1-1, 7 ISSN 159-33 7 Science Publications A Case Study of Black-Box Testing for Embedded Software using Test Automation Tool 1 Changhyun Baek, Joongsoon Jang, 3 Gihyun
More informationNetwork Intrusion Forensics System based on Collection and Preservation of Attack Evidence
, pp.354-359 http://dx.doi.org/10.14257/astl.2016.139.71 Network Intrusion Forensics System based on Collection and Preservation of Attack Evidence Jong-Hyun Kim, Yangseo Choi, Joo-Young Lee, Sunoh Choi,
More informationBuilding Secure Systems
Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission
More informationCertification Requirements for High Assurance Systems
for High Assurance Systems Gordon M. Uchenick Senior Mentor/Principal Engineer Objective Interface Systems, Inc. and W. Mark Vanfleet Senior Cryptologic Mathematician/ Senior INFOSEC Analyst National Security
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationApplicability Estimation of Mobile Mapping. System for Road Management
Contemporary Engineering Sciences, Vol. 7, 2014, no. 24, 1407-1414 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.49173 Applicability Estimation of Mobile Mapping System for Road Management
More informationCC Part 3 and the CEM Security Assurance and Evaluation Methodology. Su-en Yek Australasian CC Scheme
CC Part 3 and the CEM Security Assurance and Evaluation Methodology Su-en Yek Australasian CC Scheme What This Tutorial Is An explanation of where Security Assurance Requirements fit in the CC evaluation
More information004 Licensing of Evaluation Facilities
Template: CSEC_mall_doc, 7.0 Ärendetyp: 6 Diarienummer: 14FMV1748-1:1 Dokument ID SP-004 HEMLIG/ enligt Offentlighets- och sekretesslagen (2009:400) 2014-02-06 Country of origin: Sweden Försvarets materielverk
More informationIs the Common Criteria the only way? Dr. David Brewer Gamma Secure Systems Limited
Is the Common Criteria the only way? Dr. David Brewer Gamma Secure Systems Limited www.gammassl.co.uk Agenda History: CC and predecessors Information security management Accountancy standards Pick up practical
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security
More informationCommon Criteria Developer Training Course Outline
Common Criteria Developer Training Course Outline Common Criteria version 3.1 atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: +1 512 615 7300 Fax: +1 512 615
More informationCertification Report
Certification Report McAfee File and Removable Media Protection 4.3.1 and epolicy Orchestrator 5.1.2 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation
More informationRiskSense Attack Surface Validation for IoT Systems
RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing
More information- Table of Contents -
- Table of Contents - 1 INTRODUCTION... 1 1.1 OBJECTIVES OF THIS GUIDE... 1 1.2 ORGANIZATION OF THIS GUIDE... 2 1.3 COMMON CRITERIA STANDARDS DOCUMENTS... 3 1.4 TERMS AND DEFINITIONS... 5 2 BASIC KNOWLEDGE
More informationSystematic Security Checking on OSGi Bundles for Remote Healthcare System
, pp.1-5 http://dx.doi.org/10.14257/astl.2015.116.01 Systematic Security Checking on OSGi Bundles for Remote Healthcare System Jinsoo Hwang 1, Kichang Kim 2 1 Department of Statistics, Inha University,
More informationRanking Vulnerability for Web Application based on Severity Ratings Analysis
Ranking Vulnerability for Web Application based on Severity Ratings Analysis Nitish Kumar #1, Kumar Rajnish #2 Anil Kumar #3 1,2,3 Department of Computer Science & Engineering, Birla Institute of Technology,
More informationDesign and Implementation of HTML5 based SVM for Integrating Runtime of Smart Devices and Web Environments
Vol.8, No.3 (2014), pp.223-234 http://dx.doi.org/10.14257/ijsh.2014.8.3.21 Design and Implementation of HTML5 based SVM for Integrating Runtime of Smart Devices and Web Environments Yunsik Son 1, Seman
More informationSoftware defects and security
CS-4920: Lecture 5 Developing Secure Software Today s Outcomes Discuss the connection between defects and security Identify several types of defects Discuss the cost/schedule ramifications of defect reduction
More informationAddressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1
Addressing Future Challenges in the Development of Safe and Secure Software Components 2016 The MathWorks, Inc. 1 Cybersecurity Emerging Topic in the Auto Industry Vehicle-to-Infrastructure Wifi Hotspot
More informationA Practical Security Risk Analysis Process and Tool for Information System
International Journal of Information Processing Systems, Vol.2, No.2, June 2006 95 A Practical Security Risk Analysis Process and Tool for Information System YoonJung Chung*, InJung Kim*, and DoHoon Lee*
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27001 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 27001 Lead Auditor examination is to ensure that the candidate
More informationTexas Regional Infrastructure Security Conference (TRISC) Dan Cornell
Securing the SDLC: A Case Study Texas Regional Infrastructure Security Conference (TRISC) 2008 Dan Cornell April 22, 2008 Agenda Denim Group introduction and background The problem: Integrate security
More informationSecurity in grid control centers: Spectrum Power TM Cyber Security
Security in grid control centers: Spectrum Power TM Cyber Security Thomas Schmidt, Information Security Manager siemens.at/future-of-energy Spectrum Power TM 7 Historical Information System Table of content
More informationDesign of Self-Adaptive System Observation over Internet of Things
, pp.165-171 http://dx.doi.org/10.14257/astl.2015.117.39 Design of Self-Adaptive System Observation over Internet of Things Young-Joo Kim 1, Jong-Soo Seok 1, Moon Soo Lee 1, Jeong-Si Kim 1, and YungJoon
More informationETSI TC MTS, SECURITY SIG IN MTS (METHODS FOR TESTING AND SPECIFICATION) Jürgen Großmann, Fraunhofer FOKUS
ETSI TC MTS, SECURITY SIG IN MTS (METHODS FOR TESTING AND SPECIFICATION) Jürgen Großmann, Fraunhofer FOKUS juergen.grossmann@fokus.fraunhofer.de MTS SECURITY SIG Security testing at a glance Assemble security
More informationSoftware Security Touchpoint: Architectural Risk Analysis
Software Security Touchpoint: Architectural Risk Analysis Gary McGraw, Ph.D. Chief Technology Officer, Cigital Founded in 1992 to provide software security and software quality professional services Recognized
More informationCertification Report
Certification Report EAL 2+ Evaluation of McAfee Deep Defender 1.0.1 and epolicy Orchestrator 4.6.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation
More informationCertification Report
Certification Report McAfee Enterprise Security Manager with Event Receiver, Enterprise Log Manager, Advanced Correlation Engine, Application Data Monitor and Database Event Monitor 9.1 Issued by: Communications
More informationReport: Measuring the Attack Surfaces of Enterprise Software
Report: Measuring the Attack Surfaces of Enterprise Software Pratyusa K. Manadhata 1, Yuecel Karabulut 2, and Jeannette M. Wing 1 1 Carnegie Mellon Univeristy, Pittsburgh, PA, USA 2 SAP Research, Palo
More informationBuilding Ubiquitous Computing Environment Using the Web of Things Platform
, pp.105-109 http://dx.doi.org/10.14257/astl.2013 Building Ubiquitous Computing Environment Using the Web of Things Platform Woo-Chang Shin Dept. of Computer Science, at SeoKyeong University 16-1 Jungneung-Dong
More informationContinuously Discover and Eliminate Security Risk in Production Apps
White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application
More informationCertification Report
Certification Report Security Intelligence Platform 4.0.5 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard
Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing
More informationThe Secure SDLC. Moderated by: Foundation Board
Day 2009 http://www.owasp.or The Secure SDLC Panel Real answers from real experience Moderated by: Sebastien Deleersnyder Foundation Board seba@owasp.org Panelists Migchiel de Jong (Fortify) Bart De Win
More informationThe Key Principles of Cyber Security for Connected and Automated Vehicles. Government
The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational
More informationCertification Report
Certification Report Standard Edition v2.8.2 RELEASE Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationCertification Report
Certification Report Avocent Cybex SwitchView SC Series Switches Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government
More informationA study on improvement of evaluation method on web accessibility automatic evaluation tool's <IMG> alternative texts based on OCR
, pp.162-166 http://dx.doi.org/10.14257/astl.2015.113.33 A study on improvement of evaluation method on web accessibility automatic evaluation tool's alternative texts based on OCR Eunju Park 1,1,
More informationCC and CEM addenda. Exact Conformance, Selection-Based SFRs, Optional SFRs. May Version 0.5. CCDB xxx
CC and CEM addenda Exact Conformance, Selection-Based SFRs, Optional SFRs May 2017 Version 0.5 CCDB-2017-05-xxx Foreword This is a DRAFT addenda to the Common Criteria version 3.1 and the associated Common
More informationNetwork Intrusion Prevention System Protection Profile V1.1 Certification Report
KECS-CR-2005-04 Network Intrusion Prevention System Protection Profile V1.1 Certification Report Certification No. : CC-20-2005.12 12, 2005 National Intelligence Service This document is the certification
More informationIntroduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria
Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria Evaluation: assessing whether a product has the security properties claimed for it. Certification: assessing whether a
More informationProtecting Information Assets - Unit #14 - Computer Application Security. MIS 5206 Protecting Information Assets
Protecting Information Assets - Unit #14 - Computer Application Security Agenda Introduction Software development life cycle (SDLC) SDLC and security Test taking tip Quiz Application Security As applications
More information