Master's thesis in Software Engineering, entitled: Presenting a Framework for Identifying Software Security Vulnerabilities
Master's Thesis in Computer Engineering (Software)
Subject: A Framework for Identifying Software Vulnerabilities
A Framework for Identifying Software Vulnerabilities
Abstract
Given the rapid development of software and its growing complexity, the requirement to provide security for it has taken on new dimensions. The more complex software becomes and the more widely it is accessed, the more new approaches are created for attacking it and for accessing or manipulating its data. Creating a new approach for detecting software vulnerabilities is therefore essential. Different studies have proved that considering security only in the late phases of software production, and testing at that stage to mitigate software vulnerabilities, is time-consuming and complex, and it is probable that security cannot be supplied completely this way. So, considering security from the early phases of software production is essential.
In this thesis, a framework is presented for identifying software vulnerabilities. Taking advantage of the Common Criteria (ISO/IEC 15408) standard and CVE (Common Vulnerabilities and Exposures), the identification of security holes in software is carried out in every phase of the software life cycle, so that the process of secure software production improves and software with fewer vulnerabilities is produced.
Keywords
Software Vulnerability, Common Criteria, CVE, CVSS, Secure Software