
Student: 王仁庭 (Jen-ting Wang)
Thesis title: 支援網頁應用程式檢測輔助系統之設計與實作 (On Design and Implementation of a Supporting System for Web Application Inspection)
Advisor: 查士朝 (Shi-cho Cha)
Committee members: 蔡益坤 (Yih-kuen Tsay), 羅乃維 (Nai-wei Lo)
Degree: Master
Department: 管理學院 - 資訊管理系 (College of Management, Department of Information Management)
Year of publication: 2011
Graduating academic year: 99 (ROC calendar, i.e. 2010-2011)
Language: Chinese
Pages: 63
Chinese keywords: 原始碼檢測, 檢測流程, 流程輔助工具
English keywords: source code inspection, inspection processes, process support tool
Usage: 198 views, 10 downloads
Abstract (Chinese, translated): To ensure software security, many organizations provide software security inspection services. Because current inspection tools still require human inspectors to carry out the inspection work, an inspection organization needs to establish a standard inspection process to maintain the quality of its service.
To execute the standard inspection process correctly, and to reduce inspectors' oversights and operating costs while they follow it, this study designs and implements an information system that helps organizations providing inspection services carry out their inspection processes. The design focuses on enforcing each control point of the inspection process and on collecting performance indicators from inspections as a basis for management decisions. The results of this study can also serve as a reference design and architecture for software security inspection support systems, helping organizations ensure their inspection quality.


Abstract (English): To ensure the security of applications, many organizations provide third-party software security inspection services. Because current software security inspection tools cannot analyze applications fully automatically, inspection organizations usually establish standard procedures to reduce incidents of human error and to ensure the quality of their inspection services.
This study proposes an information system to support inspection service providers. The system requires inspectors to leave evidence while performing inspection tasks, so that they can prove compliance with the inspection processes of their organizations. Organizations that commission software security inspection services can therefore be assured of the quality of those services, and the providers can measure the effectiveness and efficiency of their processes for further improvement. The results of this thesis can hopefully help organizations that provide software security inspection services to establish information systems that support those services efficiently and effectively.

Table of contents (translated; numbers are page numbers in the thesis):
1. Introduction, 1
1.1 Background and Motivation, 1
1.2 Objectives and Research Contributions, 2
1.3 Thesis Organization, 3
2. Literature Review, 4
2.1 Inspection Processes, 4
2.2 Inspection Process Support Tools, 12
2.3 Enforcing Control Points, 17
2.4 Software Assurance Tool Metrics, 22
3. Research Method, 24
4. Functional Requirements and Analysis of the Web Application Inspection Support System, 26
4.1 Scenario Description, 26
4.2 Problem Definition and Requirements Analysis, 29
4.3 Functional Modules, 32
4.4 Performance Indicator Design, 36
4.5 Supporting the Inspection Process with This System, 42
4.6 Main Components, 46
5. System Function Demonstration and Application, 48
5.1 System Function Demonstration, 48
5.2 System Application, 54
6. Conclusions and Recommendations, 60
6.1 Conclusions, 60
6.2 Recommendations, 60
7. References, 62

