以高品質安全軟體開發製程改善軟體安全品質之研究

A Study of High Quality Secure Software Development Process for Improving Software Security

 

賴森堂

實踐大學資訊管科技與理學系

大直街70

台北104中山區

stlai@mail.usc.edu.tw

 

Sen-Tarng Lai

Department of Information Technology and Management, Shih Chien University

No.70, Ta-Chih Street,

Taipei 104,Taiwan

stlai@mail.usc.edu.tw

 

 

摘要

以資訊為重心的年代,資訊安全的問題對於人類大環境的影響愈來愈嚴重,網際網路的入侵、病毒攻擊與系統本身的安全漏洞持續危害正常運作的軟體系統,使得資訊系統的安全性受到嚴重的考驗。軟體開發製程經過不斷的演進與改善,已成為一套嚴謹且成熟的軟體開發程序,不過,軟體製程卻極少深入描繪安全品質,使得軟體安全品質無法有效融入產品中,造成上線使用的軟體系統存在高度的安全危機,成為安全軟體建置過程中值得深入探究的課題。為了避免安全缺失與漏洞造成軟體系統難以預期的後果與損失,本文以現有的軟體開發製程為基礎,加強制度、管理、技術等三個層面的安全措施,進而規劃出一套安全軟體開發製程(Secure Software Development Process ; SSDP)於軟體開發初期就能標示出階段性的安全缺失與漏洞,有效提昇軟體系統的安全性,且提出一套安全開發製程品質量測(SSDPQM)模式,有效監控與不斷改善安全開發製程的問題與缺失,確保安全軟體開發製程能夠持續強化軟體系統的安全性。

 

關鍵詞: 軟體安全性、安全漏洞、品質量測模式、安全軟體開發製程、安全管制作業。

 

Abstract

In the information age, information security issues are getting serious to the impact of the human living environment. Network intrusions, virus attacks and system vulnerabilities continue to endanger the normal operation of the software system and severe test the security of software systems. Software process with continuous improvement and evolution has become a rigorous and mature software development model. However, most of software processes very little depth describe the software security, so the security can not be effective injected into the software products. For reducing the software system security risk, secure software development process becomes a worth further exploration topic. According to the related reports, software security vulnerabilities often cause unpredictable consequences and losses. For this, in this paper, based on the current software processes, combine with the system, management and technology three security strategies, propose a Secure Software Development Process (SSDP). Applying the SSDP, the software developer can identify and revise the early stages of security defects and vulnerabilities, to enhance software system security. In addition, in this paper, in order to assure usability of SSDP, proposes a SSDP Quality Measurement (SSDPQM) model. With SSDPQM model, the SSDP operation problems and defects can be effective monitoring and continuous improvement and ensure the SSDP can strengthen the security of the software system.

 

Keywords: Software security, security vulnerability, quality measurement model, SSDP, security control