SCARE - The Source Code Analysis Risk Evaluation
by Pete Herzog
The Source Code Analysis Risk Evaluation (SCARE) project is a study to create a security and complexity metric that analyzes any source code and provides a realistic, factual representation of the potential of that source code to produce a problematic binary. This metric will not say that the binary will be exploited, nor does it perform a static analysis for known limitations such as buffer overflows. However, it will flag code for a particular interaction type or control and allow the developer to see where Porosity is not protected, even if it cannot state the effectiveness of that protection. Determining the required level of effectiveness would need a much more sophisticated analysis tool and is not within the scope of this project at this time.
The goal of this project is to apply the OSSTMM research findings on security metrics, the ravs. These metrics define "security" as the separation between an asset and a threat. Therefore, Operational Security is the "holes" in the wall of protection, Controls are the patches for those holes, and Limitations are the problems and failures within OpSec and the Controls.
This computation provides a final SCARE value expressed in ravs, where 100% is the proper balance between Controls and Porosity with no Limitations. Conversely, a value below 100% shows an imbalance in which too few Controls protect the Porosity, which increases the Attack Surface.
If you are interested in helping with this project, please contact us.
Download SCARE: SCARE.0.5.zip
ISECOM is an open, collaborative, non-profit, scientific security research organization registered in Catalunya, Spain. All research here has been performed without commercial or partisan influence. Contact us directly to be a security researcher on the ISECOM team.
Disclaimer: While all documents on this site are available under Copyleft and the Open Methodology License, do check the licenses within each tool or document prior to copying, modifying, or distributing for any individually stated requirements. Additionally, all research is provided here for information purposes only and ISECOM is not responsible for any misuse.