The Design And Implementation Of Software Security Risk Assessment Tool Based On Weakness Detection

Posted on: 2015-04-03 | Degree: Master | Type: Thesis
Country: China | Candidate: M Y Zhu | Full Text: PDF
GTID: 2298330452959603 | Subject: Computer technology
Abstract/Summary:

Effective security assessment of software helps developers balance "development cost" against "security level", and so plays an important role in software development. With the improvement of weakness detection techniques, software weakness analysis tools can identify a large number of potential security weaknesses, and their results can serve as an important basis for assessing software security risk. Assessing software security risk from weakness detection results has therefore become a significant method.

With this in mind, we propose and implement a software security assessment tool based on weakness detection. First, we build a mapping between CWE (Common Weakness Enumeration) weaknesses and security attributes, based on software security attributes. Then we build a security risk assessment model based on D-S evidence theory and propose a software security risk assessment method that takes weakness detection results into account. The model incorporates risk information, computes the credible allocation function of the overall software risk, and then defines the corresponding security risk level; we show its effectiveness through an application instance. Finally, we design and implement a security risk assessment tool based on weakness detection.

The method and the platform tool we offer can effectively assist security personnel in evaluating software security risk using weakness detection results, and improve the comprehensiveness, accuracy and efficiency of assessment results, thereby helping to promote software security.
Keywords/Search Tags: Risk Assessment, Weakness Detection, D-S Evidence Theory, Security Weakness, CWE