(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 6, 2011
A Framework for Identifying Software Vulnerabilitieswithin SDLC Phases
Zeinab Moghbel
Department of Computer EngineeringScience and Research Branch, Islamic Azad UniversityTehran, Iran
Nasser Modiri
Department of Computer EngineeringZanjan Branch, Islamic Azad UniversityZanjan, Iran
Abstract
—Considering the fast development of software and itscomplexity, the requirement of securing has faced new aspects.The more the software becomes complex and its access rate rises,a creative technique is being created to attack, access, ormanipulate its data. Therefore, creating a new approach in orderto detect software vulnerability is essential. Various studies haveproved that in case of considering security in late phases of software development and testing to mitigate softwarevulnerabilities, will be time consuming and complex, and it isprobably that it couldn’t supply the security completely. So,taking into account the security issue from the early phases of software development is essential.In this paper, we propose a framework in order to identifysoftware vulnerability. In this framework, we use commoncriteria standard (ISO/IEC 15408) and CVE (CommonVulnerabilities and Exposures) to identify software vulnerability,which is done in every phase of the software development lifecycle. Therefore, the process of secure software development willbe improved, and software with less vulnerability will beproduced.
Keywords- Software vulnerability; Common Criteria (CC);Common Vulnerabilities and Exposures (CVE); CommonVulnerability Scoring System (CVSS); secure software
I.
I
NTRODUCTION
Nowadays the software has been developed in differentfields, so that various issues have been taken into account.Worldwide improvement of software either in terms of sizeand complexity or in terms of wide applications causes that thesoftware faces important demands. However, while thesoftware security that has been considered, but the incidenceof new security violations and modern technologiesdevelopment in software engineering has led to varioussecurity aspects to be considered.Different definitions of security are expressed [1-3], but theoverall concept of security can be described as follows:prevention of unauthorized access and illegal datamanipulation. So the purpose of security is data protection toavoid disclosure and change it. Several layers of security havebeen suggested than ever [4, 5]. And many researches andstudies have done on these layers. One of most importantlayers is software layer. Studies have shown that manysecurity breaches have occurred because of code flaws or notto cover some issues in designing software [6]. In other words,most security violations have occurred due to vulnerability insoftware. Software vulnerability is a weakness or flaw that canbe exploited [1]. Vulnerabilities may be intentionally orunintentionally. Since many vulnerabilities are unwanted andunintentional, we must find a way to detect thesevulnerabilities and avoid happening them.At the beginning of software engineering industry, softwaresecurity was being considered in late phases of softwaredevelopment, and usually was being checked in test phase. Butwith the increasing complexity of software and existence of strong aims and motivations in order to violate security,securing has faced problems. Hence, engineers have decidedto integrate security in the early phases of softwaredevelopment. Thus, various processes were created tointegrate security areas into SDLC and to produce securesoftware such as SDL [7], CLASP [8] and Touchpoints [2]. Inthese processes, security areas such as threat modeling, risk management or secure coding have been combined together inthe process [9]. In another paper SVDAF [10] framework isintroduced. SVDAF detects and removes vulnerabilities ineach phase in order to produce secure software. Vulnerabilitydetection and analysis has been done by checklists in eachphase of SDLC, after the vulnerabilities are removed, securesoftware is produced. Unfortunately, this framework still hasnot been implemented and tested.
203http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 6, 2011
In our framework, we use standard methods to identify anddetect software vulnerabilities in each phase of SDLC, so theaccuracy of our methods would be guaranteed. One of thesestandards is Common Criteria. Common Criteria standard(ISO/IEC 15408) [11] assures the security by means of executing security performance evaluation processes. Also weuse Common Vulnerabilities and Exposures (CVE) [12] tocontribute in Common Criteria. CVE have been used toidentify known vulnerabilities in software. After identifyingsoftware vulnerabilities, we must determine that output of each SDLC phase is vulnerable or not. For this purpose, weuse Common Vulnerability Scoring System (CVSS). CVSS[13] assigns a number or score to any vulnerability, whichindicates its risk.The paper is organized as follows: in section 2 we explainCommon criteria standard briefly. In section 3 we describeCVE. In section 4 we introduce our proposed framework toidentify software vulnerabilities in SDLC. Finally, in section 5we present conclusions and suggestions for future work.II.
C
OMMON
C
RITERIA
S
TANDARD
(CC)Common Criteria standard (ISO/IEC 15408) is one of theknown standards for security evaluation of IT products. Thisstandard offers a series of classes and predefined packages fororganizations that will help them to develop their products atcertain levels of security and prepare them for CC audit.Classes are the most general grouping of securityrequirements. This means that all members of a classconcentrate on a particular security process. Every classrefined into one or more families, which each familyconcentrates on the part of the security process. Every familyconsists of one or more components and each component has aset of individual elements. The result of CC evaluation hasbeen shown as certain levels, which are called EvaluationAssurance Level (EAL). EALs begin from EAL-0 that meanslow-assurance and end at EAL-7 namely highest level of assurance.Common Criteria standard consist of three parts:Part 1: Introduction and general model [14],Part 2: Security functional components [15], andPart 3: Security assurance components [16].Part 1 and part 2 include of background information,reference objectives and guide the process of settingrequirements for security operations. Part 3 performs securityevaluations of IT products and assures security. In this paper,we will concentrate on part 3.Six classes for part 3 are defined, that we use Class AVA(Vulnerability Assessment) in order to identify softwarevulnerabilities. This class is an assessment that determineswhether potential vulnerabilities could allow the attacker toviolate security functional requirements or not. Thesevulnerabilities have been detected during evaluation of thedevelopment and anticipated operation of the TOE (Target of Evaluation) or by other methods (e.g. by flaw hypotheses,quantitative or statistical analysis of the security behavior of the underlying security mechanism).This class only includes of AVA_VAN (VulnerabilityAnalysis) family. The AVA_VAN requirements mentioned asin [17] include:
Search for public domain resources to identifypotential vulnerabilities in the TOE.
Analysis of evidence evaluation to identify potentialvulnerabilities in the TOE.
Performance of penetration test to identify that theTOE can avoid penetrations, which are expected byan attacker or not.
Flaw HypothesesIn our proposed framework, we will introduce equivalentcases for AVA_VAN requirements.III.
C
OMMON
V
ULNERABILITIES AND
E
XPOSURES
(CVE)CVE system provides a reference method for informationsecurity vulnerabilities which are generally known. Thissystem determines a conventional and standard naming forvulnerabilities. In fact, CVE is the database of knownvulnerabilities and standard description of thesevulnerabilities, such that known software vulnerabilities canbe identified by it. This system is a tool for identifying andclassifying vulnerabilities based on either at design,architecture or coding phase has appeared.In fact, CVE uses Common Weakness Enumeration (CWE).CWE [18] is a classification mechanism, which distinguishcommon weaknesses by showing types of vulnerability. Thismeans that CWE has classified software weakness in threecategories: architecture, design, or implementation andexecution. Hereby, detecting and identifying knownvulnerabilities in various phases of SDLC become easier, andthis procedure helps CC evaluator to identify softwarevulnerabilities faster and better.IV.
T
HE
P
ROPOSED
F
RAMEWORK
Our framework is depicted in Fig.1, its aims to identifysoftware vulnerabilities in every phase of SDLC. In eachcycle, the input of this framework is one of SDLC phases,which then enter in vulnerability life cycle and determinewhether the product of this phase is vulnerable or not. Invulnerability life cycle, the first step is to search and detectvulnerabilities. In fact, it performs this step by CommonCriteria standard and cooperates with vulnerability database
204http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 6, 2011
CVE to be ready for the next step. Then CVSS gives a scorefor identified vulnerabilities, whereas this score assigns therisk of the vulnerability. Now with the obtained value, wecheck if the product of this phase is vulnerable or not. If thisproduct is not vulnerable, it is considered secured, otherwise itenters in vulnerability mitigation step, and then again has beenchecked, whether applied mechanism has led to mitigatingvulnerabilities or not.
Figure 1. The Framework for Identifying Software Vulnerabilities withinSDLC Phases
We briefly will explain the different sections of ourframework as follows:
A.
SDLC Component
The first step in our framework is SDLC. The SDLCshows different phases of the software development life cyclethat consist of requirements, design, implementation, test andmaintenance. In each cycle, a product of a software life cyclephase or a resultant product in SDLC, will enter thevulnerability life cycle. If in the vulnerability life cycle it isdetected as vulnerable product, then will perform vulnerabilitymitigating procedures, and will re-enter the vulnerability lifecycle as a product of SDLC. After all, if we will be ensuredthat our product is secured, this product will enter the nextphase of software development life cycle, and eventually thefinal product will result.One of the vulnerability classifications is based on SDLCphase in which a vulnerability type could be introduced [19].This states that the specific vulnerabilities of each phase areknown. But we must note that all of vulnerabilities in SDLCphases are not known, and various vulnerabilities will beidentified by a method, which will be explained later.
B.
Vulnerability Life Cycle1)
Common Criteria & CVE Components
In our framework, the requirements of AVA_VAN familyare as follows:
We use CVE database to search for public domainresources to identify potential vulnerabilities in theTOE.
We use individual phases of SDLC to analyze of theevidence evaluation in older to identify potentialvulnerabilities in the TOE.Various phases of SDLC will be evaluated in thesecomponents as follows:
•
The requirements phase: in this phase, we first extract therequirements of the software. Also in this phase we needto extract security requirements, so we can identifysecurity violations and vulnerabilities by AVA_VANclass. Then we can use misuse/use case [20] or UMLSecdiagrams [21].
•
The design phase: in this phase, we integrate the securityrequirements in software design. For this purpose, we canalso use UMLSec diagrams. Thereby, we can detectsoftware weaknesses, and then identify vulnerabilities byCC evaluators.
•
The implementation phase: in this phase, the code hasbeen written in a programming language. There arevarious programming languages in software engineeringindustry that everyone has its specific characteristics.Each of these languages has weaknesses that may beabused. Here the code of the program has been reviewedand evaluated by CC evaluator, whether it is vulnerable ornot. For this purpose, CC evaluator use methods such aspenetration test.
•
The test and maintenance phase: in this phase, softwareprogram has been executed and tested. In some casesthere are vulnerabilities, which have been appeared duringprogram execution by users. These vulnerabilities mayhave existed in earlier phases, but have not seen, or thisphase has been observed. Again in this phase, CCevaluators use AVA_VAN class to evaluatevulnerabilities.
2)
CVSS Component
This system would assign a score to any vulnerability. Thisscore represents a real risk of vulnerability for data andinformation, and the priority can be done by it. Commonvulnerability Scoring system (CVSS) consists of three metrics[13]: Base Metrics, Temporal Metrics, and EnvironmentalMetrics. The numerical value has been assigned to anyvulnerability by these metrics that called severity. Severityvalue indicates the risk level or the threat of vulnerability.We have categorized the obtained severity as follows:
205http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
A Framework for Identifying Software Vulnerabilities within SDLC Phases
Considering the fast development of software and its complexity, the requirement of securing has faced new aspects. The more the software becomes complex and its access rate rises, a creative technique is being created to attack,…
(More)
530
Reads
0
Readcasts
0
Embed Views
More From This User
Notes
Load more
