SCARE - The Source Code Analysis Risk Evaluation
by Pete Herzog
The Source Code Analysis Risk Evaluation (SCARE) project is a study to create a
security complexity metric: one that analyzes source code and gives a realistic,
factual representation of how likely that code is to produce a problematic
binary. The metric does not claim that the binary will be exploited, and it is
not a static analysis for known limitations such as vulnerabilities. It does
flag code by interaction type and by control, so that the developer can see
which Operational Security (OpSec) holes have no protection at all, even though
it cannot yet judge how effective the protection that is present will be.
The goal of this study is to apply ISECOM's security-metrics research,
represented as the Risk Assessment Values (RAVs) in OSSTMM 3.0, to source code.
These metrics define "security" as the separation between an asset and a
threat. In that model, Operational Security (OpSec) is the set of "holes" in the
wall of protection, Controls are the patches over those holes, and Limitations
are the problems and failures within the OpSec and the Controls.
The computation yields a final SCARE value which, like the RAV, reads 100% when
the Controls exactly balance the OpSec holes and there are no Limitations. A
value below 100% shows an imbalance: either too few Controls cover the OpSec
holes, or Limitations in the OpSec and the Controls degrade the security.
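The flag-and-tally process described above, as an added illustration: this is not the SCARE Analyst Tool and it does not reproduce the OSSTMM RAV formula. It is a small Python scanner that classifies lines of C source under assumed rules (calls such as recv, read, fgets, getenv and scanf are taken as interaction points, i.e. OpSec holes; strncpy, snprintf and an explicit sizeof or strlen check on or shortly after the hole are taken as Controls; gets, which has no bounded form, is taken as a Limitation), reports which holes have no Control, and computes a toy balance percentage. The sample C program, the classification sets, the three-line coverage window and the scoring ratio are all assumptions made for this example.

```python
"""Toy SCARE-style tally over C source.

Added illustration only: this is not the ISECOM SCARE Analyst Tool, and the
classification rules and scoring below are assumptions made for this example.
The OSSTMM RAV formula is not reproduced here.
"""
import re

# Assumed classification (not taken from the SCARE paper):
#   hole       - a call that brings data across a trust boundary (OpSec)
#   control    - a bounds-aware call or an explicit sizeof/strlen check
#   limitation - an interaction that has no controllable form at all
INTERACTIONS = {"recv", "read", "fread", "fgets", "getenv", "scanf"}
UNCONTROLLABLE = {"gets"}
CONTROL_CALLS = {"strncpy", "strncat", "snprintf", "strnlen"}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
LENGTH_CHECK_RE = re.compile(r"\bsizeof\b|\bstrlen\s*\(")
WINDOW = 3  # a control this many lines after a hole still counts as covering it


def has_control(line):
    """True if the line applies a control under the assumed rules."""
    calls = set(CALL_RE.findall(line))
    return bool(calls & CONTROL_CALLS) or LENGTH_CHECK_RE.search(line) is not None


def scan(source):
    """Classify each line of C source.

    Returns {"holes": [...], "protected": [...], "limitations": [...]} with
    1-based line numbers; "protected" is the subset of "holes" that has a
    control on the same line or within WINDOW following lines.
    """
    lines = source.splitlines()
    report = {"holes": [], "protected": [], "limitations": []}
    for i, line in enumerate(lines):
        calls = set(CALL_RE.findall(line))
        if calls & UNCONTROLLABLE:
            report["limitations"].append(i + 1)
            continue
        if not (calls & INTERACTIONS):
            continue
        report["holes"].append(i + 1)
        if any(has_control(ln) for ln in lines[i:i + 1 + WINDOW]):
            report["protected"].append(i + 1)
    return report


def scare_value(report):
    """Toy balance: 100% when every hole is covered and nothing is limited.

    Each uncovered hole and each limitation removes an equal share.
    (Assumed scoring for this example, not the OSSTMM RAV computation.)
    """
    total = len(report["holes"]) + len(report["limitations"])
    if total == 0:
        return 100.0
    return round(100.0 * len(report["protected"]) / total, 1)


# Constructed sample program for this example (not from the SCARE paper).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    char home[64], line[128], name[32], raw[16];
    const char *env = getenv("HOME");
    if (env && strlen(env) < sizeof(home))
        strcpy(home, env);
    fgets(line, sizeof(line), stdin);
    gets(name);
    read(0, raw, 64);
    return 0;
}
"""

if __name__ == "__main__":
    rep = scan(SAMPLE_C)
    uncovered = [n for n in rep["holes"] if n not in rep["protected"]]
    print("OpSec holes: ", rep["holes"])
    print("  covered:   ", rep["protected"])
    print("  uncovered: ", uncovered)
    print("Limitations: ", rep["limitations"])
    print("SCARE value: ", scare_value(rep), "%")
```

On the constructed sample the getenv and fgets interactions are covered by a length check, the read into raw has no Control at all, and gets counts as a Limitation, so the toy value is 50%. The point the page makes survives the simplification: the tally says which holes are uncovered, not whether the uncovered read is actually exploitable, and it says nothing about whether the strlen check on the getenv path is sufficient.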
SCARE is designed to work for any programming language. The methodology is
currently illustrated with C; input and feedback from developers working in
other languages is needed to extend it further.
If you are interested in helping with this project, please contact us.
Download SCARE (available from the Spain Mirror and the USA Mirror):
SCARE.0.3.pdf
SCARE Analyst Tool Source Code
ISECOM is an open, collaborative, non-profit, scientific, security research
organization registered in Catalunya, Spain. All research here has been
performed without commercial or partisan influence. Contact us directly to be a
security researcher on the ISECOM team.
Disclaimer:
While all documents on this site are available under Copyleft and the Open
Methodology License, do check the licenses within each tool or document prior
to copying, modifying, or distribution for any individually stated
requirements. Additionally, all research is provided here for information
purposes only and ISECOM is not responsible for any misuse.