New tool and project release: SCARE

From: Pete Herzog (lists@isecom.org)
Date: Fri Nov 30 2007 - 10:30:16 EST


Hi,

SCARE, the Source Code Analysis Risk Evaluation tool for measuring security
complexity in C source code, is now available. The tool is written to
support the OpenTC project (opentc.net) as part of the SCARE methodology
project, available at:

http://www.isecom.org/scare

USE
The SCARE analysis tool is run against source code. Currently only C code
is supported. The output file lists every operational interaction that
needs a control (the current version does not yet say whether, or which,
controls are already there). At the bottom of the list are three
numbers: Visibilities, Access, and Trusts. These three numbers can be plugged
into the RAV Calculation spreadsheet available at isecom.org/ravs. The
Delta value is then subtracted from 100 to give the SCARE percentage, which
indicates the complexity of securing this particular application. The
lower the value, the worse the SCARE.

At this stage, the tool cannot yet tell which interactions already have
controls, or whether those controls are applicable; once that is available
it will change the RAV but not the SCARE. The SCARE will also not yet tell
you where the bugs are in the code. However, if you are bug hunting, it will
extract all the places in the code where user inputs, and trusts with
user-accessible resources, can be found.
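As an added illustration of the extraction step described above, and not SCARE's own code, here is a small Python scanner that lists the lines where a C program takes in user-controllable data (standard input, files, sockets, the environment, and argv). The function table, the category names and the sample C file are assumptions made for this example; SCARE's real classification into Visibilities, Access and Trusts is not on this page.

```python
"""Toy extraction of user-input entry points from C source (added example).

It strips comments, then reports every call to a function that brings
outside data into the program, keyed by source line. This is the kind of
"where user input enters" list the announcement describes, with an assumed
table of functions and categories rather than SCARE's own methodology.
"""
import re

# Assumed table: C functions that read attacker-controllable data, grouped
# by where the data comes from. Not SCARE's categories.
INPUT_SOURCES = {
    "stdin":   {"gets", "fgets", "scanf", "getchar", "fgetc", "getline"},
    "file":    {"fread", "fscanf", "read"},
    "network": {"recv", "recvfrom", "recvmsg", "accept"},
    "env":     {"getenv"},
}

# An identifier immediately followed by "(": matches "fgets(" but not
# "my_fgets(" (preceded by an identifier character) or "fgets_buffer".
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def strip_comments(src):
    """Remove /* */ and // comments while preserving line numbers.

    Block comments are replaced by the same number of newlines they spanned
    so that reported line numbers still point at the real source. Comment
    markers inside string literals are not handled; this is a toy scanner.
    """
    src = re.sub(r"/\*.*?\*/",
                 lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def find_input_points(src):
    """Return [(line_no, category, function)] for each input entry point."""
    findings = []
    for line_no, line in enumerate(strip_comments(src).splitlines(), start=1):
        # main's argv is user input even though no call is involved.
        if re.search(r"\bmain\s*\(.*\bargv\b", line):
            findings.append((line_no, "argv", "main"))
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            for category, funcs in INPUT_SOURCES.items():
                if name in funcs:
                    findings.append((line_no, category, name))
    return findings


def summarize(findings):
    """Count entry points per category; a crude stand-in for per-class totals."""
    counts = {cat: 0 for cat in INPUT_SOURCES}
    counts["argv"] = 0
    for _, category, _ in findings:
        counts[category] += 1
    return counts


# Constructed sample C program (not from the page). Note the "fgets(" inside
# the comment on line 4, which must not be reported.
SAMPLE_C = """\
#include <stdio.h>
#include <stdlib.h>

/* reads a name from the user; fgets( here is inside a comment */
int main(int argc, char *argv[]) {
    char name[64];
    const char *home = getenv("HOME");   // environment is user-influenced
    fgets(name, sizeof name, stdin);
    printf("hello %s from %s", name, home);
    return 0;
}
"""

if __name__ == "__main__":
    points = find_input_points(SAMPLE_C)
    for line_no, category, func in points:
        print(f"line {line_no:3d}  {category:8s}  {func}()")
    print("totals:", summarize(points))
```

Running it on the constructed sample reports argv on line 5, getenv on line 7 and fgets on line 8, and ignores the fgets mentioned inside the comment. A reviewer would walk each reported line to see what control (length check, validation, privilege boundary) guards that input, which is the manual step the announcement says the tool does not yet perform.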

Also--

We need help! We are looking for people to help us complete the SCARE
methodology, add new programming languages to the tool, and even build a
Windows binary version for those who do not code on Linux. Contact
me if you can do this.

Sincerely,
-pete.

-- 
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:14 EDT