| Software is an indispensable part in our daily use of computer. Nowadays, as the development of the computer and Internet technology, software is faced with more and more security threats, which bring security risk to software companies and endusers. Therefore, the security problem of software is broadly concerned right now.From the perspective of software companies, In order for software to deal with current security threats, they must develop software products with higher security. So, their focus of the software security problem is "How to develop software products with high security?" Unfortunately, the traditional software development methodologies used in software engineering, such as waterfall model, spiral model and incremental model, do not concern about security. Therefore, these methodologies cannot make software more secure, and need security reform.To resolve this problem, the main work of this paper is proposing a revised software security development methodology basing on Security Development Lifecycle (SDL) which is suitable for small and medium organizations. This methodology covers whole lifecycle of software with security focus, and raises the security level of software products. Two techniques used in the methodology during test phase and release phase are discussed detailedly. In this paper we also design and implement a software security development management system, in order for companies to apply the methodology better. After a period time of trail in some organizations, this system received good rate. The chiefly achievements of this paper are as follows:1. This paper summarizes the security threats which software faced with from two aspects, copyright protection and security vulnerabilities.2. The chiefly software security development methodologies are introduced in this paper. Comparison and Analysis of them are also performed.3. Currently, the chiefly software security development methodologies do require a resource investment, and this brings a barrier for small organizations to apply them. Basing on this situation, this paper proposes a revised software security development methodology basing on SDL which is suitable for small and medium organizations. This methodology covers whole lifecycle of software with security focus. And accompanying with copyright protection technique, the intellectual property rights of software is protected while the security level is raised.4. Basing on the dependency among the data during the execution of software, this paper presents a concept of Dynamic Data Dependency Graph (D3G). Consulting current software watermarking algorithm, the D3G-based dynamic software watermarking algorithm is illustrated. This algorithm can be applied in release phase of software products, and it is proved with experiment that this algorithm is resilient to obfuscating attack.5. This paper presents a static analysis warnings prioritizing algorithm basing on three metrics of class measuring. This Algorithm ranks the warnings according to its importance, actionable warnings get a higher rank while false positive and trivial warnings get lower one. We believe this algorithm makes the user of static analysis tools more effective in decide which warning is going to be fixed.6. A method of software security analysis with D3G is proposed. And then presents dynamic software protecting algorithm, which has the feature of zero-false-positive, and the dynamic software protecting model for Java applications. This model can be applied in test phase and release phase of software products. It is proved with experiment that the model can inspect the security vulnerabilities during software execution, and can protect software against the attack utilizing the vulnerabilities.7. In this paper we design and implement a software security development management system, in order for companies to apply the methodology better and raise the security of software products.
|
PDF Full Text Request