The Source Code Analysis Risk Evaluation (SCARE) project is a study to create a security complexity metric that analyzes source code and provides a realistic, factual representation of how likely that source code is to produce a problematic binary. The metric does not claim that the binary will be exploited, nor does it perform a static analysis for known limitations such as vulnerabilities. Instead, it flags code by interaction type or control, letting the developer see which Operational Security (OpSec) holes are left unprotected, even though it cannot yet judge how effective any existing protection is.
This computation yields a final SCARE value which, like the RAV, treats 100% as the proper balance between controls and OpSec holes with no Limitations. Anything below that indicates an imbalance: either too few Controls protect the OpSec holes, or Limitations in the OpSec and Controls degrade the security.
The SCARE analysis tool is run against source code. Currently only C code is supported. The output file lists every possible operational interaction that needs a control (the current version does not yet say whether, or which, controls are already present). At the bottom of the list are three numbers: Visibilities, Access, and Trusts. These three numbers can be plugged into the RAV Calculation spreadsheet available at http://www.isecom.org/ravs. The resulting Delta value is then subtracted from 100 to give the SCARE percentage, which indicates the complexity of securing this particular application. The lower the value, the worse the SCARE.
At this stage the tool cannot yet tell which interactions already have controls, or whether those controls are applicable; once that is available it will change the RAV but not the SCARE. Nor will the SCARE tell you where the bugs are in the code. If you are bug hunting, however, it will extract all the places in the code where user inputs and trusts with user-accessible resources can be found.
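To make the extraction step above concrete, here is an added illustration in Python of what "listing the places where user inputs and trusted resources enter the code" can look like. This is not the SCARE tool's own code or its rule set: the two tables mapping C library calls to an interaction kind (`INPUT_CALLS`, `RESOURCE_CALLS`), the `Finding` record, the `scare_from_delta` helper and the embedded C sample are all assumptions constructed for this example. The scanner is deliberately simple (a call-site regex with comments stripped), which is enough to show the kind of inventory a reviewer gets before any controls are assessed.

```python
import re
from dataclasses import dataclass

# Assumed mapping from C library calls to the interaction they open.
# Constructed for illustration only; SCARE's own classification may differ.
INPUT_CALLS = {"scanf", "gets", "fgets", "getchar", "read", "recv", "recvfrom", "getenv"}
RESOURCE_CALLS = {"fopen", "open", "system", "popen", "socket", "connect", "bind"}

# Matches an identifier immediately followed by an opening parenthesis (a call site).
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


@dataclass
class Finding:
    line: int    # 1-based line number in the source
    func: str    # the library call that was matched
    kind: str    # "input" (user-controlled data) or "resource" (trusted external resource)
    text: str    # the stripped source line, for the report


def _strip_comments(source: str) -> str:
    # Replace block comments with the same number of newlines so line numbers survive,
    # then cut each line at a // comment.
    no_blocks = BLOCK_COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    return "\n".join(line.split("//", 1)[0] for line in no_blocks.splitlines())


def scan_c_source(source: str) -> list[Finding]:
    """Inventory every call site that introduces an input or touches a resource."""
    findings: list[Finding] = []
    original_lines = source.splitlines()
    for lineno, line in enumerate(_strip_comments(source).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name in INPUT_CALLS:
                kind = "input"
            elif name in RESOURCE_CALLS:
                kind = "resource"
            else:
                continue
            findings.append(Finding(lineno, name, kind, original_lines[lineno - 1].strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per interaction kind (the raw numbers a reviewer would tally)."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def scare_from_delta(delta: float) -> float:
    """SCARE percentage as the page describes it: the RAV Delta subtracted from 100."""
    return 100.0 - delta


# Constructed C sample, not code from the page. The gets() call sits inside a block
# comment and must not be reported; printf() is output, not an interaction we track.
SAMPLE_C = """\
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    char name[64];
    char *home = getenv("HOME");       /* trust: environment */
    FILE *f = fopen("config.txt", "r"); // trust: file on disk
    printf("name? ");
    if (fgets(name, sizeof name, stdin) == NULL) return 1;  /* input */
    /* legacy path:
       gets(name);
    */
    system("ls");
    return 0;
}
"""

if __name__ == "__main__":
    results = scan_c_source(SAMPLE_C)
    for f in results:
        print(f"line {f.line:>3}  {f.kind:<8} {f.func:<8} {f.text}")
    print("totals:", summarize(results))
```

Running the block prints one line per flagged call site (four in the sample: `getenv`, `fopen`, `fgets`, `system`) followed by the per-kind totals. A real inventory would feed numbers like these into the RAV spreadsheet; here they only show which lines a reviewer would read first.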
The SCARE methodology is designed to work for any programming language. While this version demonstrates it on the C language, ISECOM needs input and feedback from developers of other languages to expand it further.
If you are interested in helping with this project please contact ISECOM.
You can download SCARE here:
Or you can read more here.