Very powerful tool for Source Code Analysis Risk Evaluation
SCARE - The Source Code Analysis Risk Evaluation
The Source Code Analysis Risk Evaluation (SCARE) project is a study to create a security and complexity metric that will analyze any source code and provide a realistic and factual representation of the potential of that source code to create a problematic binary. This metric will not say that the binary will be exploited nor does it do a static analysis for known limitations like buffer overflows. However it will flag code for a particular interaction type or control and allow the developer to understand where Porosity is not protected even if it cannot say the effectiveness of that protection. The level of required effectiveness would require a much more sophisticated analysis tool and not within the scope of this project at this time.
The goal of this project is to apply the OSSTMM research findings for security metrics as the ravs. These metrics define “security” as the separation between an asset and a threat. Therefore, Operational Security are the “holes” in the wall of protection, Controls are the patches for those holes, and Limitations are the problems and failures within OpSec and the Controls.
This computation will provide a final SCARE value made of ravs where 100% is the proper balance between controls to Porosity with no Limitations. Conversely, less than that shows an imbalance where too few Controls protect the Porosity which increases the Attack Surface.
If you are interested in helping with this project please contact us.
Link:ISECOM - Making Sense of Security