As security threats have increased, the importance of "secure coding" has grown.
Companies and developers have accordingly found vulnerabilities in developed source code through code review and penetration testing (mock hacking).
However, this takes a great deal of time, so many companies now rely on automated tools.
The problem our team sees is that the "test cases" used in penetration testing and automated tools are updated manually.
Automated tools have made diagnosis far faster, but because the "test cases" that form the basis of diagnosis are updated late, a gap opens between the occurrence of a security incident and its reflection in source code.
SecuGo aims to close this gap by building a "test case" generation component.
- As the phrase "consumerization of IT" suggests, massive volumes of data are being generated, and cyber attacks are rising along with them.
- According to the IBM X-Force Tech report, 41% of new vulnerabilities occur in web applications, and already well-known vulnerabilities such as XSS and SQL injection continue to grow.
- A secure coding tool designed to make developers' work easier.
- Provides comments on the parts of a developer's code where threats may exist.
- Provides a coding guide so that code can be kept safe from threats in real time.
- Collect incident cases by crawling security case sites such as CWE, SANS and OWASP.
- Run a customized NLU over that data and transform it into categorized security data.
- Then use pattern matching to compare all source code published on GitHub against the cases above.
- Build a website and IDE plug-in that warns developers of possible vulnerabilities when they write code similar to the above. (IDE plug-in development is set as an additional goal for the project period.)
- Customized NLU: customizes an existing natural-language NLU for the security domain.
- Pattern Matching: used to compare the crawled test cases with the developer's code.
- Crawling: collects security incident cases.
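As an added illustration of the pattern-matching step above (example code written for this page, not SecuGo's own), the Python below runs a small set of categorised test cases over a constructed developer snippet and emits the kind of per-line comment the tool is meant to show. The CWE patterns and advice strings are hand-written assumptions standing in for crawled, NLU-categorised data.

```python
import re
# Constructed test cases (illustrative, not SecuGo's crawled data): each
# stands for one categorised security case with the regex the pattern matcher
# applies to developer code and the comment shown next to a match.
TEST_CASES = [
    {"id": "CWE-89", "category": "SQL Injection",
     "pattern": r'execute\(\s*(f"|"[^"]*"\s*%|"[^"]*"\s*\+)',
     "advice": "Build queries with bound parameters, not string formatting."},
    {"id": "CWE-79", "category": "Cross-site Scripting",
     "pattern": r'render_template_string\(|Markup\(|\|\s*safe\b',
     "advice": "Render templates from files and keep autoescaping on."},
    {"id": "CWE-78", "category": "OS Command Injection",
     "pattern": r'(os\.system|subprocess\.\w+)\(.*(shell\s*=\s*True|\+|f")',
     "advice": "Pass an argument list to subprocess; never build shell strings."},
]

def compile_cases(cases):
    # Precompile each case's regex once, keeping its metadata alongside.
    return [dict(case, regex=re.compile(case["pattern"])) for case in cases]

def scan_source(source, compiled_cases):
    # One finding per (line, case) match, in source order.
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for case in compiled_cases:
            if case["regex"].search(line):
                findings.append({"line": lineno, "id": case["id"],
                                 "category": case["category"],
                                 "comment": f"{case['id']} ({case['category']}): {case['advice']}"})
    return findings
# Constructed developer snippet: lines 4, 7 and 9 are written insecurely,
# line 12 is the parameterised query that must not be flagged.
SAMPLE_SOURCE = '''\
import os, sqlite3
def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    return cur.fetchall()
def ping(host):
    os.system("ping -c 1 " + host)
def greet(user):
    return render_template_string("<h1>Hello " + user + "</h1>")
def safe_lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
'''
if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, compile_cases(TEST_CASES)):
        print(f"line {f['line']}: {f['comment']}")
```

Removing the CWE-78 entry from TEST_CASES leaves line 7 unflagged, which is the gap described above: a dangerous pattern is only caught once its test case exists.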
- Windows 10 / Ubuntu Bionic Beaver
- PyCharm, Visual Studio 14.0, Eclipse, etc.
- Python, JSP, Node.js, etc.
- MySQL 5.7
- Python 3.6.5
- Flask
- MySQL
- IBM Watson NLU API
© All rights reserved. Design: wonhee Jeong.
- This project was carried out as a Hanium (한이음) mentoring project.