SCARE - The Source Code Analysis Risk Evaluation
The Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that analyzes source code and provides a realistic, factual representation of the potential of that source code to produce a problematic binary. This metric does not say that the binary will be exploited, nor does it perform a static analysis for known Limitations such as vulnerabilities. It does, however, flag code for a particular interaction type or control and allows the developer to understand which Operational Security (OpSec) holes are not protected, even though, at this time, it cannot say how effective that protection is.
The goal of this study is to apply the ISECOM research findings for security metrics, represented as the Risk Assessment Values (RAVs) in OSSTMM 3.0, to source code. These metrics define "security" as the separation between an asset and a threat. In those terms, Operational Security consists of the "holes" in the wall of protection, Controls are the patches for those holes, and Limitations are the problems and failures within OpSec and the Controls.
This computation provides a final SCARE value which, like the RAV, reads 100% when Controls are in proper balance with OpSec holes and there are no Limitations. A value below 100% shows an imbalance: either too few Controls protect the OpSec holes, or Limitations in OpSec and the Controls degrade the security.
SCARE is designed to work for any programming language. While this methodology is demonstrated on the C language, we need input and feedback from developers of other languages to expand it further.
If you are interested in helping with this project, please contact us.
Download SCARE:
SCARE 0.3.pdf
SCARE Analyst Tool Source Code
Visit this project's homepage: SCARE
