The Source Code Analysis Risk Evaluation (SCARE)

by Pete Herzog


We want to give source code a security grade. This grade should tell us how secure the program will be even before the code is compiled. This allows us to make modifications during development, track the effects of bug fixes or other code changes on the overall security, and even graph trends. This will be your Source Code Analysis Risk Evaluation, also known as your SCARE value.

SCARE is based on the OSSTMM Attack Surface research, which shows that operational security is the avoidance or control of interactions. It is a study to create a security method that can analyze any source code and provide a realistic and factual representation of that source code's potential to produce a problematic binary. This metric will not say that the binary will be exploited, nor does it perform a static analysis for known limitations such as overflows or logic errors. However, it will flag code for a particular interaction type or control and allow the developer to see where interactions with the binary are not protected.

The method is to produce a SCARE value that allows a single data point to represent the accumulation of all interactions. A high SCARE value corresponds to that percentage of the binary's attack surface being exposed, and is therefore very insecure. Conversely, a low SCARE value is safer and therefore better.
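To make the idea of flagging interaction points concrete, here is an added illustration (not the SCARE project's own tool, and not its scoring formula): a small scanner that walks a constructed C source sample, records every call that brings outside input into the program, and tallies the interactions by type. The interaction categories and the list of libc calls assigned to them are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed C sample for this example; it is not code from the SCARE project.
SAMPLE_C = r"""
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv) {
    char buf[64];
    const char *home = getenv("HOME");      /* environment interaction */
    FILE *f = fopen(argv[1], "r");          /* file system interaction */
    if (f) { fgets(buf, sizeof buf, f); fclose(f); }
    read(0, buf, sizeof buf);               /* descriptor/stream interaction */
    recv(3, buf, sizeof buf, 0);            /* network interaction */
    printf("%s %s\n", home, buf);
    return 0;
}
"""

# Assumed interaction classes; SCARE's own categories are not given on this page.
INTERACTION_CALLS = {
    "environment": {"getenv"},
    "file": {"fopen", "open"},
    "stream": {"fgets", "fread", "gets", "read"},
    "network": {"recv", "recvfrom", "accept"},
}
CATEGORY_OF = {fn: cat for cat, fns in INTERACTION_CALLS.items() for fn in fns}
CALL_RE = re.compile(r"\b(\w+)\s*\(")      # identifier followed by '(' -> a call
ARGV_RE = re.compile(r"\bargv\s*\[")       # indexing argv -> command-line interaction


def find_interactions(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, category, call_name) for each interaction point found."""
    found = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = re.sub(r"/\*.*?\*/", "", line).split("//")[0]   # drop comments
        for name in CALL_RE.findall(code):
            if name in CATEGORY_OF:
                found.append((lineno, CATEGORY_OF[name], name))
        if ARGV_RE.search(code):
            found.append((lineno, "argv", "argv"))
    return found


def summarize(source: str) -> Counter:
    """Count interaction points per category; sum(values) is the total exposure count."""
    return Counter(cat for _, cat, _ in find_interactions(source))
```

Running `summarize(SAMPLE_C)` gives one environment, one file, one argv, one network and two stream interaction points, each of which a developer can then check for a protecting control.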

If you are interested in helping with this project please contact us.

This includes the methodology and a sample tool to analyze source code in C.