A software security risk assessment method based on defect detection

A defect detection and software security technology, applied in the field of software security risk assessment, which solves problems such as the difficulty of calculating software security risk, inconsistencies between detection tools, and double-counting of risks, so as to facilitate security risk assessment, improve readiness, and improve comprehensiveness and accuracy.

Active Publication Date: 2017-01-25
TIANJIN UNIV

AI Technical Summary

Problems solved by technology

At the same time, differences between detection tools can adversely affect the integration of their detection results, and these adverse effects make it difficult to calculate the overall security risk of the software during the assessment process.
On the one hand, the defect databases used by the detection tools differ, so the detection results are expressed in different defect classifications, which makes the defect detection results hard to compare and affects the calculation of the risk value; on the other hand, different defect detection tools have different detection capabilities, so their results have both disjoint and overlapping parts, and the overlapping parts lead to double counting of risks and affect the accuracy of the risk assessment.
[0004] Existing software security risk assessment methods based on defect detection cannot meet the requirements of accuracy and comprehensiveness of risk assessment.
The reason is that fusion of the results of multiple defect detection tools is not used for security assessment; and since different detection tools differ, the inconsistency that may arise during the assessment process has to be dealt with.

Method used


Embodiment Construction

[0035] The specific implementation manners of the present invention will be further described in detail below in conjunction with the accompanying drawings.

[0036] The evaluation process of the software security risk assessment method based on defect detection is divided into the 4 steps shown in figure 1.

[0037] Step 1: Build an evaluation index system

[0038] The preparation work for software security risk assessment is mainly divided into three parts, including constructing the assessment index system, determining the weight of the assessment index, and determining the weight of the defect detection tool. The specific description is as follows:

[0039] 1. Build an evaluation index system for software systems

[0040] The present invention decomposes the evaluation index into indexes of four levels including the overall layer, the module layer, the safety attribute layer and the test result layer, and obtains a relatively accurate safety ri...


Abstract

The invention discloses a software security risk assessment method based on defect detection. The method comprises the following steps: I, constructing an assessment index system; II, performing security defect detection on the software with several defect detection tools; III, performing initial fusion of defect risk values according to the software security detection reports, and computing software security risk values layer by layer; IV, performing quantitative assessment of software security risk on the basis of D-S (Dempster-Shafer) evidence theory. Compared with the prior art, the method increases the accuracy of the assessment result by fusing the detection results of the various detection tools. The expected beneficial effects are that 1, the security of a CWE defect can be conveniently analysed; 2, security risk assessment can be conveniently performed on the software.
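Steps III and IV above (fusing the per-tool detection results and quantifying the risk with D-S evidence theory, then computing risk values layer by layer) can be illustrated with a small worked example. The code below is an added illustration, not the patent's own method or code: the frame of discernment (a module is "risky" or "safe"), Shafer discounting as the way a tool's weight is applied, the pignistic probability as the point risk score, the two-module index system with its weights, and the sample tool reports are all assumptions made for this example.

```python
"""Added example (not the patent's own code): fusing per-module verdicts from
several defect detection tools with Dempster-Shafer evidence theory, then
rolling the module-layer risk values up to an overall risk value with
assumed index weights."""
from itertools import product

# Frame of discernment for one module: it is either risky or safe.
RISKY = frozenset({"risky"})
SAFE = frozenset({"safe"})
THETA = frozenset({"risky", "safe"})  # the whole frame: "don't know"


def discount(mass, alpha):
    """Shafer discounting (assumed here as the tool-weight mechanism): scale a
    tool's evidence by its reliability alpha in [0, 1] and move the withheld
    belief (1 - alpha) to THETA, i.e. to ignorance."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("reliability must be in [0, 1]")
    out = {subset: alpha * m for subset, m in mass.items() if subset != THETA}
    out[THETA] = 1.0 - alpha + alpha * mass.get(THETA, 0.0)
    return out


def combine(m1, m2):
    """Dempster's rule of combination. Returns (fused mass, conflict K)."""
    fused = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb  # B and C disjoint: contradictory evidence
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: tools contradict each other completely")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}, conflict


def fuse_tool_reports(reports):
    """reports: list of (tool_name, reliability, mass_function) for ONE module.
    Each tool's evidence is discounted, then all are combined pairwise."""
    fused = None
    for name, alpha, mass in reports:
        if abs(sum(mass.values()) - 1.0) > 1e-9:
            raise ValueError(f"mass function of {name} does not sum to 1")
        m = discount(mass, alpha)
        fused = m if fused is None else combine(fused, m)[0]
    return fused


def risk_interval(fused):
    """Belief and plausibility that the module is risky: [Bel, Pl]."""
    bel = fused.get(RISKY, 0.0)
    return bel, bel + fused.get(THETA, 0.0)


def risk_score(fused):
    """Point estimate: pignistic probability of 'risky' (ignorance split
    evenly). This scoring choice is an assumption of the example."""
    return fused.get(RISKY, 0.0) + fused.get(THETA, 0.0) / 2.0


def overall_risk(module_scores, weights):
    """Overall-layer risk as the weighted sum of module-layer scores (weights
    assumed to come from the index system and to sum to 1)."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("index weights must sum to 1")
    return sum(weights[mod] * module_scores[mod] for mod in weights)


# Constructed sample input: two tools' verdicts on two modules. A tool's mass
# on RISKY reflects how strongly its findings (e.g. a reported CWE entry)
# indicate a defect; mass on THETA is what the tool cannot decide.
SAMPLE_REPORTS = {
    "auth": [
        ("tool_A", 0.9, {RISKY: 0.7, THETA: 0.3}),
        ("tool_B", 0.8, {RISKY: 0.5, SAFE: 0.2, THETA: 0.3}),
    ],
    "logging": [
        ("tool_A", 0.9, {SAFE: 0.6, THETA: 0.4}),
        ("tool_B", 0.8, {RISKY: 0.1, SAFE: 0.5, THETA: 0.4}),
    ],
}
SAMPLE_WEIGHTS = {"auth": 0.7, "logging": 0.3}  # assumed module-layer weights


def assess(reports=SAMPLE_REPORTS, weights=SAMPLE_WEIGHTS):
    """Layer-by-layer assessment: fuse per module, then roll up."""
    module_scores = {mod: risk_score(fuse_tool_reports(r)) for mod, r in reports.items()}
    return module_scores, overall_risk(module_scores, weights)


if __name__ == "__main__":
    for mod, rep in SAMPLE_REPORTS.items():
        bel, pl = risk_interval(fuse_tool_reports(rep))
        print(f"{mod}: Bel(risky)={bel:.3f} Pl(risky)={pl:.3f}")
    scores, total = assess()
    print("module scores:", {k: round(v, 3) for k, v in scores.items()})
    print(f"overall risk: {total:.3f}")
```

Because Dempster's rule normalises by the conflict K, the fused mass always sums to 1, so agreeing tools reinforce a verdict without the combined value growing past 1; the conflict K itself is worth logging, since a large K means the tools disagree and their defect classifications should be checked for mismatched mappings before trusting the fused value.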

Description

Technical field

[0001] The invention relates to the technical field of software design, in particular to a software security risk assessment method.

Background technique

[0002] So-called software security flaws are those deficiencies in a software system or its components that may cause it to fail, in whole or in part, to achieve its expected security goals. Some security flaws inevitably exist in software. Once these flaws are exploited by attackers at some point, the software is at risk; in severe cases the attackers completely take over control of the software, steal private data, and crash the software system, with dangerous consequences that cause great losses to individuals and even to the country. Therefore, it is very necessary to evaluate the security risk level existing in a software system. By analyzing the existing or possible risks in the system and quantifying the risks into specific values, system managers can intuitive...


Application Information

Patent Type & Authority: Patents (China)
IPC: G06F11/36
Inventor: 李晓红宋姣娇冯志勇胡静朱明悦
Owner: TIANJIN UNIV