KISIA Pre-survey

오픈이지 제로킴 (OpenEG Zero Kim)

Secure coding training/consulting expert group

Survey link:

https://goo.gl/forms/m6MY7QFPgPRFQC4u2


What is BSIMM?



BSIMM (Building Security In Maturity Model): a yardstick for software security



Is the software secure? And if so, how secure is it? Many people want the answer expressed as a number. One security activity that meets this demand is BSIMM (pronounced "bee-sim"). BSIMM can be described as a yardstick for software security that only observes and reports.


BSIMM is the result of research into real-world software security initiatives, based on data gathered over several years from 78 firms (financial services 33, independent software vendors 27, consumer electronics 13, healthcare 10; some firms fall into more than one category). It quantifies the practices of different organizations, measuring both the common ground that appears across many organizations and each organization's own initiative.


In other words, BSIMM quantifies and presents the "current state" of software security.



Starting with the first version in 2008, the sixth version, BSIMM6, is currently in use. In any discipline, the definitions of terms matter, because they determine what the document is saying and how it should be understood.



Terms used in BSIMM


SSG (Software Security Group): the staff dedicated to carrying out and facilitating software security. The first step of a security initiative is probably to build a good SSG.



SSF (Software Security Framework): the basic skeleton for software security activities. BSIMM uses a framework of 12 practices organized into 4 domains.


SSDL (Secure Software Development Lifecycle): any software development lifecycle with integrated software security checkpoints and activities.


SDL (Security Development Lifecycle): the development methodology Microsoft applied to develop its own software securely.


Activity: an action that the SSG performs or facilitates as part of a practice.


Practice: BSIMM's SSF consists of 4 domains, and each domain consists of 3 practices.


Domain: divided into Governance, Intelligence, SSDL Touchpoints, and Deployment.





Structure of BSIMM6


It consists of 4 domains and 12 practices.




Governance: activities related to organizing, managing, and measuring a software security initiative. Staff development is also one of the main practices.


Intelligence: activities related to collecting corporate knowledge used in carrying out software security activities across the organization. This includes proactive security guidance and organizational threat modeling.


SSDL Touchpoints: activities related to the analysis and assurance of specific software development artifacts and processes. All software security methodologies include these practices.


Deployment: activities related to interaction with network security and software maintenance organizations. This includes software configuration, maintenance, and other environmental issues that directly affect software security.




BSIMM7 PDF (English) download: BSIMM7.pdf


BSIMM6 PDF (Korean) download: eNsecure_BSIMM6_kor.pdf



[Original] https://medium.com/blockchain-blog/17-blockchain-platforms-a-brief-introduction-e07273185a0b  This is a partial translation of the original; clicking through to the original for more information is recommended.


17 widely used blockchain platforms


Blockchain technology was announced through the 2008 paper by Satoshi Nakamoto titled "Bitcoin: A Peer-to-Peer Electronic Cash System", although the paper does not specifically use the word "blockchain". The paper explains that the network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work.


A distributed ledger is defined as a peer-to-peer network that uses a defined consensus mechanism to prevent modification of an ordered series of time-stamped records.


The following are widely used blockchain / distributed ledger systems, in alphabetical order.


1. BigChainDB: an open source system that starts with a big data distributed database and adds blockchain characteristics.


2. Chain Core: a blockchain platform for issuing and transferring financial assets on a permissioned blockchain infrastructure.


3. Corda: a distributed ledger platform with pluggable consensus.


4. Credits: a development framework for building permissioned distributed ledgers.


5. Domus Tower Blockchain: a platform designed for environments processing over one million transactions per second.


6. Elements Blockchain Platform: an open source, protocol-level technology for extending the functionality of Bitcoin.


7. Eris: an open source, protocol-level technology for extending the functionality of Bitcoin.


8. Ethereum: a decentralized platform that runs smart contracts on a custom-built blockchain.


9. HydraChain: an Ethereum extension for creating Permissioned Distributed Ledgers for private and consortium chains.


10. Hyperledger Fabric: a system that manages different assets, agreements and transactions between different sets of member nodes.


11. Hyperledger Iroha: a "simple and modularized" distributed ledger system with an emphasis on mobile application development.


12. Hyperledger Sawtooth Lake: a modular blockchain suite in which transaction business logic is decoupled from the consensus layer.


13. Multichain: an open source blockchain platform, based on the Bitcoin blockchain, for multi-asset financial transactions.


14. Openchain: an open source distributed ledger system for issuing and managing digital assets.


15. Quorum: an open source distributed ledger and smart contract platform based on Ethereum.


16. Stellar: an open source distributed payment infrastructure that provides RESTful HTTP API servers connecting to Stellar Core, the backbone of the Stellar network.


17. Symbiont Assembly: a distributed ledger inspired by Apache Kafka.



======================================================

[Original] https://medium.com/blockchain-blog/17-blockchain-platforms-a-brief-introduction-e07273185a0b


17 blockchain platforms — a brief introduction


Blockchain technology was announced through the paper titled “Bitcoin: A Peer-to-Peer Electronic Cash System” by Satoshi Nakamoto in 2008. Interestingly, this paper does not specifically use the word “blockchain”.


This paper talks about a “purely peer-to-peer version of electronic cash” where “the network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work”.


The open source PT-BSC (Blockchain Security Controls) defines a blockchain as a peer-to-peer network which timestamps records by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. A blockchain can be permissioned, permission-less or hybrid.


On the other hand, a distributed ledger is defined as a peer-to-peer network, which uses a defined consensus mechanism to prevent modification of an ordered series of time-stamped records. Consensus mechanisms include Proof of stake, Federated Byzantine Agreement etc.
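The two definitions above (a hash chain secured by proof-of-work, and a ledger whose records cannot be modified without redoing that work) can be made concrete in a few dozen lines. The following is an added toy example, not code from the original article or from any of the platforms it lists; the difficulty target, block layout and sample records are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

DIFFICULTY = 3  # leading hex zeros a block hash must have; toy setting, constructed


@dataclass
class Block:
    index: int
    timestamp: float
    records: list
    prev_hash: str
    nonce: int = 0

    def header(self) -> bytes:
        # Everything the hash commits to, serialised deterministically
        return json.dumps(
            [self.index, self.timestamp, self.records, self.prev_hash, self.nonce],
            separators=(",", ":"),
        ).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.header()).hexdigest()


def meets_target(h: str) -> bool:
    return h.startswith("0" * DIFFICULTY)


def mine(block: Block) -> Block:
    # Proof-of-work: search nonces until the block hash meets the target
    block.nonce = 0
    while not meets_target(block.hash()):
        block.nonce += 1
    return block


def build_chain(batches, timestamps):
    # Genesis block first; every later block commits to its predecessor's hash
    chain = [mine(Block(0, timestamps[0], [], "0" * 64))]
    for i, (recs, ts) in enumerate(zip(batches, timestamps[1:]), start=1):
        chain.append(mine(Block(i, ts, recs, chain[-1].hash())))
    return chain


def validate(chain) -> bool:
    # A valid chain: every block meets the target and links to its predecessor
    for i, blk in enumerate(chain):
        if not meets_target(blk.hash()):
            return False
        if i > 0 and blk.prev_hash != chain[i - 1].hash():
            return False
    return True


def tamper(chain, index, new_records) -> bool:
    # Rewrite an old record without redoing any proof-of-work; returns validity afterwards
    chain[index].records = new_records
    return validate(chain)


def redo_pow_from(chain, index) -> int:
    # Repair: re-mine the altered block and every block after it; returns how many were re-mined
    for i in range(index, len(chain)):
        if i > 0:
            chain[i].prev_hash = chain[i - 1].hash()
        mine(chain[i])
    return len(chain) - index
```

Changing one record in block 1 breaks validation immediately, and the only way to restore it is to redo the proof-of-work for block 1 and every block after it, which is the cost the definition relies on.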


The more popular blockchain / distributed ledger systems in alphabetical order are:


1. BigChainDB, an open source system that “starts with a big data distributed database and then adds blockchain characteristics — decentralized control, immutability and the transfer of digital assets”.


2. Chain Core, a blockchain platform for issuing and transferring financial assets on a permissioned blockchain infrastructure.


3. Corda, a distributed ledger platform with pluggable consensus.


4. Credits, a development framework for building permissioned distributed ledgers.


5. Domus Tower Blockchain, designed for regulated environments, benchmarked at ingesting over 1 million transactions per second.


6. Elements Blockchain Platform, an open source, protocol-level technology for extending the functionality of Bitcoin.


7. Eris:db, an open source, protocol-level technology for extending the functionality of Bitcoin.


8. Ethereum, a decentralized platform that runs smart contracts on a custom built blockchain.


9. HydraChain, an Ethereum extension for creating Permissioned Distributed Ledgers for private and consortium chains.


10. Hyperledger Fabric, which supports the use of one or more networks, each managing different Assets, Agreements and Transactions between different sets of Member nodes.


11. Hyperledger Iroha, a “simple and modularized” distributed ledger system with emphasis on mobile application development.


12. Hyperledger Sawtooth Lake, a modular blockchain suite in which transaction business logic is decoupled from the consensus layer.


13. Multichain, an open-source blockchain platform, based on bitcoin’s blockchain, for multi-asset financial transactions.


14. Openchain, an open source distributed ledger system for issuing and managing digital assets.


15. Quorum, an open source distributed ledger and smart contract platform based on Ethereum.


16. Stellar, an open-source, distributed payments infrastructure that provides RESTful HTTP API servers which connect to Stellar Core, the backbone of the Stellar network.


17. Symbiont Assembly, a distributed ledger inspired by Apache Kafka.

Note: In this article, the terms blockchain and distributed ledger systems are used inter-changeably.



1. BigchainDB


BigchainDB is an open source system that “starts with a big data distributed database and then adds blockchain characteristics — decentralized control, immutability and the transfer of digital assets”.


BigchainDB seeks to attain performance of 1 million writes per second throughput, storing petabytes of data, and sub-second latency.


BigchainDB key features include:

1. Each write is recorded on the blockchain database without the need for Merkle Trees or sidechains.

2. Support for custom assets, transactions, permissions and transparency.

3. Federation Consensus Model (federation of voting nodes).

4. Supports public and private networks.

5. Has no native currency — any asset, token or currency can be issued.

6. Set permissions at transaction level.

7. It is open source.


Consensus mechanism: Federation of nodes with voting permissions


Useful links:

BigchainDB official website: https://www.bigchaindb.com/

BigchainDB whitepaper: https://www.bigchaindb.com/whitepaper/bigchaindb-whitepaper.pdf

BigchainDB roadmap: https://github.com/bigchaindb/org/blob/master/ROADMAP.md



2. Chain Core


Chain Core is a blockchain platform for issuing and transferring financial assets on a permissioned blockchain infrastructure. Chain Core runs on the open-source Chain Protocol.


Chain Core Developer Edition is free while the Chain Core Enterprise Edition is a commercial product.


The creation, control and transfer of assets are decentralised among participants on Chain blockchain networks. The operation of the network is governed by a federation — a designated set of entities. The assets on Chain blockchain networks include currencies, securities, derivatives, gift cards, and loyalty points.


Chain core key features include:


1. Native digital assets — currencies, securities etc.

2. Role-based permissions for operating, accessing, and participating in a network.

3. Support for multi-signature accounts.

4. Federated consensus.

5. Support for smart contracts.

6. Transaction privacy.


Consensus mechanism: Federated consensus

Useful links:

Chain Core official website: https://chain.com

Chain Core whitepaper: https://chain.com/docs/protocol/papers/whitepaper



3. Corda


Corda is an open-source distributed ledger platform with pluggable consensus — “it supports multiple consensus providers employing different algorithms on the same network”.


Corda is probably the only distributed ledger platform with pluggable consensus.


Corda’s key features include:


1. No global broadcasting of data across the network.

2. Pluggable consensus.

3. Querying with SQL, join to external databases, bulk imports.


Consensus mechanism: Pluggable consensus

Useful links:

Corda official website: https://www.corda.net

Corda whitepaper: https://docs.corda.net/_static/corda-technical-whitepaper.pdf



4. Credits


Credits is a development framework for building permissioned distributed ledgers.

Consensus mechanism: Credits uses a variant of Proof of Stake (a leaderless two-phase commit algorithm with variable voting power).


Useful links:

Credits official website: https://credits.works/

Credits documentation: https://credits.readthedocs.io/en/latest/



5. Domus Tower Blockchain


Domus Tower Blockchain is an interesting solution that has been designed for regulated environments such as securities trading where participants know each other and can independently decide whom to trust.


According to its whitepaper, Domus Tower Blockchain has been “benchmarked at ingesting over 1 million transactions per second on hardware costing less than $50 per hour on Amazon’s Web Services with the potential to scale to greater than 10 million transactions per second”.


Data storage is contained in a Merkle directional acyclic graph (MerkleDAG) and nodes on this graph are referred to as “blocks”. The data transmitted to the blockchain is digitally signed and verified before it is written to a block.

Domus Tower Blockchain’s key features include:


1. Creation of linked blockchains where the assets of an account on one blockchain must match the liabilities on the account of another blockchain.

2. Capability of recording a high rate of transactions in a scalable manner.

3. Recording of double-entry balance sheet that tracks credits and debits.


Consensus mechanism: Any agent that has write access to a blockchain has 100% authority to write transactions to that chain. Authority is centralized under this model.


Useful links:

Domus Tower Blockchain official website http://domustower.com/

Domus Tower Blockchain whitepaper http://domustower.com/domus-tower-blockchain-latest.pdf



6. Elements Blockchain Platform


Elements is an open source, protocol-level technology for extending the functionality of Bitcoin.


Elements’ key features include:


1. Confidential Assets — issue multiple assets whose identifiers and amounts are blinded yet auditable.

2. Confidential Transactions — keep the amounts transferred visible only to participants in the transaction and to designated entities.

3. Additional opcodes — these include previously disabled opcodes (including string concatenation and substrings, integer shifts, and several bitwise operations), new DETERMINISTICRANDOM operation (which produces a random number within a range from a seed) and new CHECKSIGFROMSTACK operation (which verifies a signature against a message on the stack, rather than the spending transaction itself).

4. Deterministic Pegs — which allow cross-chain transactions to be constructed in a decentralized fashion and tokens to be moved from one blockchain to another.

5. Signed Blocks — this allows blocks to be cryptographically signed, thereby allowing the creator of the block to verify their identity in the future.

6. Segregated Witness. Bitcoin transactions contain two things, i.e. information about the effect on the ledger and data proving that the transaction is authorized. Using witness segregation, transaction IDs are redefined to only depend on the effect information and blocks commit separately to the witness data. This eliminates all known forms of transaction malleability.

7. Relative Lock Time which allows a transaction to be time-locked.
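The Segregated Witness item above makes a precise claim: an id that covers only the effect fields cannot be changed by re-encoding the witness, so a child transaction that references its parent by id stays valid. The toy below is an added illustration, not Elements or Bitcoin code; the transaction dictionaries, the signature values and the "effect"/"witness" split are constructed, and the (r, s) / (r, N - s) equivalence used to produce a second valid encoding is the well-known ECDSA property with N being the secp256k1 group order.

```python
import hashlib
import json

# secp256k1 group order; used only to derive the alternate (r, N - s) signature encoding
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def sha256d(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def serialize(obj) -> bytes:
    # Deterministic encoding so ids are stable across runs
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def legacy_txid(tx: dict) -> str:
    # Pre-SegWit: the id covers the effect fields AND the witness (signatures)
    return sha256d(serialize(tx))


def segwit_txid(tx: dict) -> str:
    # Witness segregation: the id covers only the effect on the ledger
    effect = {k: v for k, v in tx.items() if k != "witness"}
    return sha256d(serialize(effect))


def wtxid(tx: dict) -> str:
    # Blocks commit to witness data separately through this second id
    return sha256d(serialize(tx))


def reencode_signature(tx: dict) -> dict:
    # Same message, same key, a different but equally valid signature encoding:
    # (r, s) -> (r, N - s). Only the witness changes; the effect fields do not.
    copy = json.loads(json.dumps(tx))
    r, s = copy["witness"][0]
    copy["witness"][0] = [r, N - s]
    return copy


def sample_parent() -> dict:
    # Constructed sample transaction; signature values are toy numbers, not real ECDSA output
    return {
        "inputs": [{"txid": "11" * 32, "vout": 0}],
        "outputs": [{"to": "bob", "amount": 5}],
        "witness": [[0x1234, 0x5678]],
    }


def child_of(parent: dict, txid_fn) -> dict:
    # A child spends the parent's output by referencing the parent's id
    return {
        "inputs": [{"txid": txid_fn(parent), "vout": 0}],
        "outputs": [{"to": "carol", "amount": 5}],
        "witness": [[0xABCD, 0xEF01]],
    }


def child_still_spends(child: dict, parent: dict, txid_fn) -> bool:
    # Does the child's input reference still match the (possibly re-encoded) parent?
    return child["inputs"][0]["txid"] == txid_fn(parent)
```

Under the legacy id the re-encoded parent gets a new txid and the child's input reference dangles; under the segregated id the txid is unchanged while the separately committed wtxid still reflects the different witness bytes.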


Useful links:

Elements official website: https://elementsproject.org/

Github page: https://github.com/ElementsProject/elements



7. Eris:db


Eris-db is a permissioned distributed ledger client that executes Ethereum smart contracts on a permissioned virtual machine.


Eris’ key features include:


1. Multiple interfaces

2. Ethereum Virtual Machine

3. Permissioned systems


Consensus mechanism: Byzantine fault-tolerant Tendermint consensus engine, which is a deposit based proof of stake protocol.


Useful links:

Eris’ official website: https://monax.io/platform/db/



8. Ethereum


Ethereum is a decentralized platform that runs smart contracts on a custom built blockchain.


Ethereum’s key features include:


1. Ethereum Wallet — which facilitates holding crypto-assets as well as writing, deploying and using smart contracts.

2. Creation of crypto-currencies

3. Creation of democratic autonomous organizations (DAOs)

4. Command line tools built in Go, C++, Python, Java etc.


Consensus mechanism: Ethash, a proof of work algorithm


Useful links:

Ethereum’s official website: https://ethereum.org/

Ethereum whitepaper: https://github.com/ethereum/wiki/wiki/White-Paper



9. Hydrachain


HydraChain is an Ethereum extension for creating Permissioned Distributed Ledgers for private and consortium chains.


HydraChain’s key features include:


1. Full Compatibility with the Ethereum Protocol

2. Accountable Validators

3. Instant finality of blocks and no forks or reverts.

4. Support for sub-second block times.

5. New blocks are only created in the presence of pending transactions.

6. Infrastructure for developing smart contracts in Python.

7. Customizability of transaction fees, gas limits, genesis allocation, block time etc.

8. Open Source


Consensus mechanism: Byzantine fault tolerant consensus protocol


Useful links:

HydraChain official site: https://github.com/HydraChain/hydrachain



10. Hyperledger Fabric


Hyperledger Fabric supports the use of one or more networks, each managing different Assets, Agreements and Transactions between different sets of Member nodes.


Hyperledger Fabric’s key features include:


1. Query and update ledger using key-based lookups, range queries, and composite key queries.

2. Read-only history queries.

3. Transactions contain signatures of every endorsing peer and are submitted to ordering service

4. Peers validate transactions against endorsement policies and enforce the policies

5. A channel’s ledger contains a configuration block defining policies, access control lists, and other pertinent information

6. Channels allow crypto materials to be derived from different certificate authorities


Consensus mechanism: Consensus is ultimately achieved when the order and results of a block’s transactions have met the explicit policy criteria checks.


Useful links:

Hyperledger Fabric’s github page: https://github.com/hyperledger/fabric




11. Hyperledger Iroha


Hyperledger Iroha is a “simple and modularized” distributed ledger system with emphasis on mobile application development.


Consensus mechanism: Sumeragi, a Byzantine Fault Tolerant consensus algorithm heavily inspired by the B-Chain algorithm.


Useful links:

Hyperledger Iroha’s github page: https://github.com/hyperledger/iroha




12. Hyperledger Sawtooth Lake


Hyperledger Sawtooth Lake is a modular blockchain suite that supports both permissioned and permissionless deployments. Transaction business logic in Hyperledger Sawtooth Lake is decoupled from the consensus layer.


Consensus mechanism: Proof of Elapsed Time


Useful links:

Hyperledger Sawtooth’s official website: https://01.org/sawtooth/

Hyperledger Sawtooth’s github page: https://github.com/hyperledger/sawtooth-core

Hyperledger Sawtooth’s demo on “Bringing traceability and accountability to the supply chain”: https://01.org/sawtooth/seafood.html

Hyperledger Sawtooth’s demo on “Enabling secure and efficient bond settlement”: https://01.org/sawtooth/bond.html



13. Multichain


Multichain is an open-source blockchain platform, based on bitcoin’s blockchain, for multi-asset financial transactions.


Multichain’s key features include:


1. Native multi-currency support.

2. Atomic two- or multi-way exchanges of assets between participants.

3. Permission management.

4. Rapid deployment.

5. Multiple networks can simultaneously be on a single server.

6. Per-network custom parameter (permitted transaction types, confirmation times, minimum quantities, transaction rate and size limits).

7. Data streams.


Consensus mechanism: Distributed consensus between identified block validators. This is similar to Practical Byzantine Fault Tolerance, with one validator per block, working in a round-robin type of fashion.


Useful links:


Multichain official site: http://www.multichain.com/developers/

Multichain whitepaper: http://www.multichain.com/white-paper/

YobiChain, an open source project for creating a private blockchain ecosystem preloaded with MultiChain and related tools: https://github.com/Primechain/yobichain



14. Openchain


Openchain is an open source distributed ledger system for issuing and managing digital assets.


Openchain’s key features include:


1. Tokens on Openchain can be pegged to Bitcoin, making it a sidechain.

2. Smart contract modules.

3. Unified API

4. Assign aliases to users instead of using base-58 addresses.

5. Multiple levels of control.

6. Hierarchical account system allowing to set permissions at any level.

7. Ability to have multiple Openchain instances replicating from each other.


Consensus mechanism: Partitioned Consensus


Useful links:

Openchain’s official website: https://www.openchain.org/

Openchain on github: https://github.com/openchain



15. Quorum


Quorum is an open source distributed ledger and smart contract platform based on Ethereum.


Quorum’s key features include:


1. Cakeshop — provides an easy to use graphic interface for working with Quorum networks, smart contracts, and APIs

2. Ideal for applications requiring high speed and high throughput processing of private transactions


Consensus mechanism: Consensus model based on majority voting. Raft-based consensus model for faster blocktimes, transaction finality, and on-demand block creation.


Useful links:

Quorum’s official website: https://www.jpmorgan.com/country/US/EN/Quorum

Quorum on github: https://github.com/jpmorganchase/quorum



16. Stellar


Stellar is an open-source, distributed payments infrastructure that connects banks, payments systems, and people. Stellar enables building of mobile wallets, banking tools, smart devices. It provides RESTful HTTP API servers called Horizon, which connect to Stellar Core, the backbone of the Stellar network.


Consensus mechanism: Stellar Consensus Protocol


Useful links:

Stellar official website: https://www.stellar.org

Stellar Consensus Protocol: https://www.stellar.org/papers/stellar-consensus-protocol.pdf



17. Symbiont Assembly


Symbiont Assembly, inspired by Apache Kafka, is the distributed ledger that powers the Symbiont Smart Securities platform.


Symbiont Assembly’s key features include:

1. Capability to handle thousands of transactions per second.

2. Assembly API — ReSTful, standard JSON over HTTP.


Consensus mechanism: Byzantine Fault-Tolerance


Useful links:

Symbiont Assembly’s official website: https://symbiont.io/technology/introducing-symbiont-assembly/


References and Sources:

https://bitcoin.org/bitcoin.pdf

https://github.com/primechain/blockchain-security-controls

https://www.bigchaindb.com/

https://www.bigchaindb.com/whitepaper/bigchaindb-whitepaper.pdf

https://chain.com/faq/

https://www.corda.net/

https://credits.works/

https://www.elementsproject.org/elements/

https://monax.io/docs/documentation

https://ethereum.org/

https://github.com/HydraChain/hydrachain

http://hyperledger-fabric.readthedocs.io/en/latest/


This was originally published on: https://www.linkedin.com/pulse/16-blockchain-platforms-brief-introduction-rohas-nagpal

