(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 6, 2011
CVE to be ready for the next step. Then CVSS gives a scorefor identified vulnerabilities, whereas this score assigns therisk of the vulnerability. Now with the obtained value, wecheck if the product of this phase is vulnerable or not. If thisproduct is not vulnerable, it is considered secured, otherwise itenters in vulnerability mitigation step, and then again has beenchecked, whether applied mechanism has led to mitigatingvulnerabilities or not.
Figure 1. The Framework for Identifying Software Vulnerabilities withinSDLC Phases
We briefly will explain the different sections of ourframework as follows:
The first step in our framework is SDLC. The SDLCshows different phases of the software development life cyclethat consist of requirements, design, implementation, test andmaintenance. In each cycle, a product of a software life cyclephase or a resultant product in SDLC, will enter thevulnerability life cycle. If in the vulnerability life cycle it isdetected as vulnerable product, then will perform vulnerabilitymitigating procedures, and will re-enter the vulnerability lifecycle as a product of SDLC. After all, if we will be ensuredthat our product is secured, this product will enter the nextphase of software development life cycle, and eventually thefinal product will result.One of the vulnerability classifications is based on SDLCphase in which a vulnerability type could be introduced .This states that the specific vulnerabilities of each phase areknown. But we must note that all of vulnerabilities in SDLCphases are not known, and various vulnerabilities will beidentified by a method, which will be explained later.
Vulnerability Life Cycle1)
Common Criteria & CVE Components
In our framework, the requirements of AVA_VAN familyare as follows:
We use CVE database to search for public domainresources to identify potential vulnerabilities in theTOE.
We use individual phases of SDLC to analyze of theevidence evaluation in older to identify potentialvulnerabilities in the TOE.Various phases of SDLC will be evaluated in thesecomponents as follows:
The requirements phase: in this phase, we first extract therequirements of the software. Also in this phase we needto extract security requirements, so we can identifysecurity violations and vulnerabilities by AVA_VANclass. Then we can use misuse/use case  or UMLSecdiagrams .
The design phase: in this phase, we integrate the securityrequirements in software design. For this purpose, we canalso use UMLSec diagrams. Thereby, we can detectsoftware weaknesses, and then identify vulnerabilities byCC evaluators.
The implementation phase: in this phase, the code hasbeen written in a programming language. There arevarious programming languages in software engineeringindustry that everyone has its specific characteristics.Each of these languages has weaknesses that may beabused. Here the code of the program has been reviewedand evaluated by CC evaluator, whether it is vulnerable ornot. For this purpose, CC evaluator use methods such aspenetration test.
The test and maintenance phase: in this phase, softwareprogram has been executed and tested. In some casesthere are vulnerabilities, which have been appeared duringprogram execution by users. These vulnerabilities mayhave existed in earlier phases, but have not seen, or thisphase has been observed. Again in this phase, CCevaluators use AVA_VAN class to evaluatevulnerabilities.
This system would assign a score to any vulnerability. Thisscore represents a real risk of vulnerability for data andinformation, and the priority can be done by it. Commonvulnerability Scoring system (CVSS) consists of three metrics: Base Metrics, Temporal Metrics, and EnvironmentalMetrics. The numerical value has been assigned to anyvulnerability by these metrics that called severity. Severityvalue indicates the risk level or the threat of vulnerability.We have categorized the obtained severity as follows: