SCARE - The Source Code Analysis Risk Evaluation just released

The Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that will analyze source code and provide a realistic and factual representation of the potential of that source code to create a problematic binary.

The SCARE analysis tool is run against source code. Currently only C code
is supported. The output file lists every operational interaction that
needs controls (the current version does not yet say whether, or which,
controls are already in place). At the bottom of the list are three
numbers: Visibilities, Access, and Trusts. These three numbers can be plugged
into the RAV Calculation spreadsheet available at isecom.org/ravs. The
resulting Delta value is then subtracted from 100 to give the SCARE percentage,
which indicates the complexity of securing this particular application. The
lower the value, the worse the SCARE.

At this stage, the tool cannot yet tell which interactions already have
controls, or whether those controls are applicable; once that is available,
it will change the RAV but not the SCARE. SCARE also does not yet tell
you where the bugs are in the code. However, if you are bug hunting, it will
extract all the places in the code where user inputs, and trusts with
user-accessible resources, can be found.
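To make the kind of listing described above concrete, here is an added Python illustration (not the SCARE tool itself, and not its output format) that walks a constructed C snippet, reports each line where user-controlled data enters or a user-accessible resource is acted on, tallies the totals, and converts a RAV Delta into the SCARE percentage as the announcement describes. The two categories and the function lists are assumptions made for this example, not SCARE's own classification.

```python
import re
from collections import Counter

# Constructed C snippet standing in for a file the tool would scan.
SAMPLE_C = """\
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv) {
    char buf[64];
    FILE *f = fopen(argv[1], "r");      /* path supplied by the user */
    const char *home = getenv("HOME");  /* value taken on trust from the environment */
    fgets(buf, sizeof buf, stdin);      /* direct user input */
    system(buf);                        /* user-controlled command */
    return 0;
}
"""

# Assumed, simplified categories (not SCARE's own classification):
# "input"    = places where user-controlled data enters the program;
# "resource" = places where the program acts on a user-accessible resource.
PATTERNS = {
    "input": re.compile(r"\bargv\[\d+\]|\b(?:gets|fgets|scanf|fscanf|read|recv|getenv)\b"),
    "resource": re.compile(r"\b(?:fopen|open|system|popen|execl|execv|execve)\b(?=\s*\()"),
}

def find_interactions(source: str):
    """Return (line_no, category, token) for every match, in file order."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        for cat, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((no, cat, m.group(0)))
    return hits

def summarize(source: str) -> Counter:
    """Count interactions per category, like the totals at the end of a report."""
    return Counter(cat for _, cat, _ in find_interactions(source))

def scare_percentage(delta: float) -> float:
    """SCARE percentage as the announcement describes it: 100 minus the RAV Delta."""
    return 100.0 - delta

if __name__ == "__main__":
    for no, cat, tok in find_interactions(SAMPLE_C):
        print(f"line {no}: {cat:8} {tok}")
    print(dict(summarize(SAMPLE_C)))
```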

Post scriptum

Compliance Mandates

  • Code Auditing:

    PCI/DSS 6.3.6, 6.3.7, 6.6; SOX A12.8; GLBA 16 CFR Part 314.4(b) and (2); FISMA RA-5, SC-18, SA-11, SI-2; and ISO 27001/27002 (12.4.1, 12.4.3, 12.5)

