SCARE - The Source Code Analysis Risk Evaluation
by Pete Herzog

The Source Code Analysis Risk Evaluation (SCARE) project is a study to create a security and complexity metric that will analyze any source code and provide a realistic and factual representation of the potential of that source code to produce a problematic binary. This metric will not say that the binary will be exploited, nor does it perform a static analysis for known limitations such as buffer overflows. However, it will flag code for a particular interaction type or control and allow the developer to see where Porosity is left unprotected, even though it cannot judge how effective a given protection is. Judging that effectiveness would require a much more sophisticated analysis tool and is outside the scope of this project at this time.

The goal of this project is to apply the OSSTMM research findings for security metrics, the ravs, to source code. These metrics define “security” as the separation between an asset and a threat. Therefore, Operational Security (OpSec) is the set of “holes” in the wall of protection, Controls are the patches for those holes, and Limitations are the problems and failures within OpSec and the Controls.

This computation will provide a final SCARE value made of ravs, where 100% is the proper balance between Controls and Porosity with no Limitations. Conversely, a value below 100% shows an imbalance in which too few Controls protect the Porosity, which increases the Attack Surface.
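To make the flagging described above concrete, here is an added illustration; it is not the SCARE 0.5 tool's own code. It scans a constructed C fragment, tags each external interaction (Porosity) by type, records which Controls appear in the same function, and lists the interactions that have no Control at all. The final score is a simplified "protected interactions over all interactions" percentage that stands in for the OSSTMM rav computation, which this page does not spell out; the interaction and control patterns, the function names and the sample source are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: three functions, each with one external interaction.
SAMPLE_SOURCE = r"""
int handle_request(int sock) {
    char buf[256];
    int n = recv(sock, buf, sizeof(buf) - 1, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    return process(buf);
}

int read_config(FILE *fp) {
    char line[128];
    fgets(line, sizeof(line), fp);
    return parse(line);
}

int get_name(char *out) {
    gets(out);
    return 0;
}
""".lstrip("\n")

# Interaction types (Porosity): calls that bring outside data into the program.
# These pattern lists are illustrative assumptions, not SCARE's own rules.
INTERACTION_PATTERNS = {
    "network": re.compile(r"\brecv\s*\("),
    "file": re.compile(r"\bfgets\s*\("),
    "stdin": re.compile(r"\bgets\s*\("),
}
# Controls: evidence that the incoming data is bounded or its result checked.
CONTROL_PATTERNS = {
    "bounds": re.compile(r"\bsizeof\s*\("),
    "return-check": re.compile(r"\bif\s*\(\s*\w+\s*<\s*0\s*\)"),
}
# Matches a simple one-line C function header such as "int f(int x) {".
FUNC_HEADER = re.compile(r"^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\([^)]*\)\s*\{\s*$")


@dataclass
class Finding:
    function: str      # function containing the interaction
    line: int          # 1-based line number in the source
    interaction: str   # interaction type from INTERACTION_PATTERNS
    controls: list     # names of controls seen in the same function


def analyze(source):
    """Tag every interaction with the controls present in its enclosing function."""
    findings = []
    current = None
    for lineno, text in enumerate(source.splitlines(), 1):
        header = FUNC_HEADER.match(text)
        if header:
            current = {"name": header.group(1), "controls": set(), "interactions": []}
            continue
        if current is None:
            continue
        if text.strip() == "}":  # end of the function: emit its findings
            for int_line, kind in current["interactions"]:
                findings.append(Finding(current["name"], int_line, kind,
                                        sorted(current["controls"])))
            current = None
            continue
        for kind, pattern in INTERACTION_PATTERNS.items():
            if pattern.search(text):
                current["interactions"].append((lineno, kind))
        for name, pattern in CONTROL_PATTERNS.items():
            if pattern.search(text):
                current["controls"].add(name)
    return findings


def unprotected(findings):
    """Interactions with no control in their function: the Porosity left open."""
    return [(f.function, f.line, f.interaction) for f in findings if not f.controls]


def scare_value(findings):
    """Simplified stand-in for the rav balance: percent of interactions that have a control."""
    if not findings:
        return 100.0  # no Porosity to protect
    protected = sum(1 for f in findings if f.controls)
    return round(100.0 * protected / len(findings), 1)


if __name__ == "__main__":
    results = analyze(SAMPLE_SOURCE)
    for f in results:
        print(f"{f.function}:{f.line} {f.interaction} controls={f.controls or 'NONE'}")
    print("unprotected:", unprotected(results))
    print("SCARE-like value:", scare_value(results), "%")
```

Running it flags the `gets` call in `get_name` as an interaction with no Control and reports a value below 100%, which is exactly the kind of imbalance the paragraph above describes; it says nothing about whether the `sizeof` guard in the other two functions is actually adequate, mirroring the project's stated limit that effectiveness of a protection is out of scope.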

If you are interested in helping with this project, please contact us.

Download SCARE: SCARE.0.5.zip

 

ISECOM is an open, collaborative, non-profit, scientific, security research organization registered in Catalunya, Spain.  All research here has been performed without commercial or partisan influence.  Contact us directly to be a security researcher on the ISECOM team.
