Classification Criteria and Application Methodology for Evaluating IT Security Products (정보보호제품 평가 위한 취약점 분류체계 및 적용방안 )

방기석; 김일곤; 이지연; 이준석; CHOIJinYoung (최진영)

Classification Criteria and Application Methodology for Evaluating IT Security Products

Journal of Knowledge Information Technology and Systems
Abbr : JKITS
2011, 6(5), pp.105-112
Publisher : Korea Knowledge Information Technology Society
Research Area : Interdisciplinary Studies > Interdisciplinary Research
Published : October 31, 2011

방기석 ¹, 김일곤 ², 이지연 ³, 이준석 ³, CHOIJinYoung ⁴

¹한림대학교
²한국인터넷진흥원
³동남보건대학교
⁴고려대학교

Candidate

ABSTRACT

CC(Common Criteria) requires to collect vulnerability information and vulnerability analysis by using penetration testing for evaluating IT security products. However, CC has been criticized from developers or QA managers due to its complexity of terms, abstract description of evaluation methods and non-existence of guidelines. In this paper, we propose a guideline of vulnerability assessment for developers and evaluators by analyzing and summarizing of its requirements and processes defined in CC. To do this, we classify the evaluation process of AVA assurance family into 4 parts and describe each evaluation working systematically unit under every steps.

KEYWORDS

Common Criteria, Vulnerability Classification, AVA

Citation status

* References for papers published after 2023 are currently being built.

[web] / [알아봅시다] 스턱스넷 : 국가기간망 공격 / http://www.dt.co.kr/contents.html?article_no=2010100702011860739002

[other] / 2006 / Common Criteria for Information Technology Security Evaluation, Ver 3.1, CCMB-2006-09-03

[report] Committee on Government ReformHouse of Representatives / 2003 / Exploring Common Criteria: Can it assure that the federal government gets needed security in software?

[other] / ISO/IEC International Standard(IS) 15408, Parts 1,2,3, Aug. 1999

[web] / CVE / http://cve.mitre.org

[web] / CWE / http://cwe.mitre.org

[web] / CAPEC / http://capec.mitre.org

[confproc] K. Tspipenyuk / 2005 / Seven Pernicious Kingdom:s: A Taxonomy of Software Security Errors / Proc. of the NIST Workshop of Software Security Assurance Tools, Techniques, andMetrics(SSATTM)

[journal] 이진영 / 2009 / CWE와 7PK 취약점 분류 비교 / 정보과학회 학슬발표 논문집 36(2(D))

[journal] 김동진 / 2010 / 국가 DB 기반의 국내외 보안 취약점 관리체계 분석 / Internet and Information Security 1(2) : 130~147

[web] / OWASPTOP10,-2010:Thetenmost criticalwebapplicationseurityrisks / http://oval.mitre.org/oval/documents/docs-06/an-introductoin_to_the_oval_language.pdf

[web] / NVD / http://nvd.nist.gov

[journal] 조혜숙 / 2007 / 공통평가기준 v2.3과v3.1 비교 분석 / 정보과학회지 17(6)

[web] / SecurityFocus / http://www.securityfocus.com

[web] / Exploit-db / www.exploit-db.com

[web] / Citrix XenServer / http://www.citrix.com/xenserver

[web] / Citrix MetaFrame Presentation Server 3.0 / http://support.citrix.com/article/CTX106319

[journal] 김동진 / 2010 / 정보 신기술 보안 취약점 활용을 위한 효율적인 취약점 관리체계 / 정보과학회 학술발표논문집 37(2(B))

KJCKorea
Journal Central

Journal of Knowledge Information Technology and Systems 2023 KCI Impact Factor : 0.89