Web Asset Management System Applying Secure Coding
- Author(s)
- 김동운
- Issued Date
- 2015
- Abstract
- Security breaches have recently become a social issue. Although network firewalls and user authentication programs are used to counter the resulting problems, most breaches originate not in networks or web servers but in application programs that have security vulnerabilities. Many studies have been performed to address such breaches, and secure coding is emerging as the most effective measure.
Secure coding, a technique for producing safe software, removes security weaknesses from software source code to prevent security breaches. In doing so, it allows the use of safe software with strengthened security.
In 2002, the US enacted the Federal Information Security Management Act (FISMA), making secure coding compulsory. Korea also began developing secure coding techniques in 2009, and its Ministry of Government Administration and Home Affairs (MOGAHA) announced a revision of the guideline on the establishment and operation of information systems in June 2012 to make secure coding compulsory.
Most companies use an asset management system to manage their assets. Such a system, customized to clients' requirements and usage, provides various functions. The asset management system proposed in this thesis supports all functions for internal asset management and related work. Any security breach of such an asset management system could lead to the loss or leak of employee information, work data and other important data. Therefore, its security should be improved.
This thesis analyzed the source code using Sparrow to eliminate the security weaknesses of the asset management system and found 162 security weaknesses. Among them, seven were among the 47 items listed in the software security weakness diagnosis guideline provided by the MOGAHA, and three were found among the security weakness items offered by CWE, CERT, OWASP and Sparrow. This thesis eliminated the identified security weaknesses by referring to the elimination techniques provided by the MOGAHA and Sparrow, and confirmed that all security weaknesses were removed.
- Authorize & License
- Authorize: Open
- Embargo: 2015-08-25