
Author: Po-Hsuan Wu (吳柏萱)
Title: On Establishment and Implementation of an Inspection Process for Web Applications (Chinese title: 網頁應用程式標準檢測流程之建立與實施)
Advisor: Shi-Cho Cha (查士朝)
Committee members: Yih-Kuen Tsay (蔡益坤), Nai-Wei Lo (羅乃維)
Degree: Master
Department: Department of Information Management, College of Management
Year of publication: 2011
Academic year of graduation: 99 (ROC calendar)
Language: Chinese
Number of pages: 84
Keywords (Chinese, translated): Web application security inspection, Web security, Software security inspection
Keywords (English): Web application Inspection, Web Security, Software security inspection
Abstract (translated from Chinese):
To simplify deployment, most enterprise applications today are web-based. Web application security inspection is therefore an important measure for ensuring the security of web applications. As many enterprises now require a system to pass a web application inspection before it goes live, how to establish a standard inspection procedure that ensures the quality of such inspections has become an important issue.
In view of this, this study first establishes a basic inspection service management system and process based on ISO/IEC 20000. For the core process of web application security inspection, the study applies the enterprise risk management approach (COSO-ERM) to analyze the risks that may affect the inspection goals and designs control measures to manage those risks, so that inspection quality is ensured. The standard process developed in this study has been adopted by the Taiwan Information Security Center at National Taiwan University of Science and Technology (TWISC@NTUST) and has been well received by the organizations that commissioned inspections. We believe this thesis can help teams that provide inspection services, or internal inspection teams within enterprises, to establish their own standard inspection procedures and thereby further improve information security.


Abstract (English):
To simplify the deployment of applications, more and more organizations have recently adopted Web-based architectures to build their applications. Web application security has therefore become increasingly important. Web application security inspection, which finds vulnerabilities in Web applications, is an important means of ensuring Web security. Since organizations now usually require Web applications to be inspected before they are released, the quality of Web application security inspection is critical, and organizations can establish standard procedures to ensure that quality.
To establish standard procedures for Web application security inspection, this study adopts the ISO/IEC 20000 standard as the basis for general quality assurance procedures. Furthermore, focusing on the core Web application security inspection processes, this study first uses the Enterprise Risk Management (COSO-ERM) approach to analyze the risks that may affect the goals of Web application inspection, and then designs countermeasures to control those risks in order to ensure the quality of inspection results.
The inspection process for Web applications was adopted by the Taiwan Information Security Center at National Taiwan University of Science and Technology (TWISC@NTUST). TWISC@NTUST has performed several Web application security inspection services with it and has received appreciation from clients. We believe this study can provide guidelines for software security inspection service providers to establish their standard procedures and ensure the quality of their services.

Table of contents (translated from Chinese; numbers are page numbers):
Chapter 1 Introduction 1
    1.1 Research background and motivation 1
    1.2 Research objectives and contributions 4
    1.3 Chapter overview 5
Chapter 2 Background and literature review 6
    2.1 Software security and security inspection 6
    2.2 Automated software security testing 7
    2.3 Inspection processes 11
    2.4 COSO-ERM enterprise risk management framework 14
Chapter 3 Research method 21
    3.1 Research process 21
    3.2 Inspection service architecture 21
Chapter 4 Web application security inspection process 22
    4.1 Inspection risks and control measures 22
    4.2 Inspection process design 27
    4.3 Core web application security inspection process 29
    4.4 Inspection support processes 40
    4.5 Inspection service management processes 47
Chapter 5 Implementation of the process: Case Study 53
Chapter 6 Conclusions and future research directions 58
References 60
Appendix 1: Inspector competence tracking form 63
Appendix 2: Inspection plan 64
Appendix 3: Service level agreement 73
Appendix 4: Non-disclosure agreement with the client 76
Appendix 5: Source code receipt record 79
Appendix 6: Internal non-disclosure agreement 80
Appendix 7: Inspection working papers 83
Appendix 8: Customer satisfaction survey 84
