Open Source Software and Source Code Analysis: A natural match


Comments | Author | Date
Open Source Software and Source Code Ana... | Technical article | 10.10.07
Re: Open Source Software and Source Co... | Thomas McCabe Jr. | 08.02.08


 Open Source Software and Source Code Analysis: ...

Comment
Sleepless nights: Six years ago this week, I first came to understand the words “graduate student.” Over the span of five days, I spent a total of two hours sleeping - the rest of my time was hacking, eating, injecting caffeine into my bloodstream ...


 Re: Open Source Software and Source Code Analys...

Replies
Author: Thomas McCabe Jr. (208.29.51.---)
Date: 08.02.08
Tools that search for known exploits are analogous to debuggers in my opinion and are employed using a reactive model rather than a proactive one. The reason why cyclomatic complexity and subtree analysis are so important relates to the fact that many exploits deal with interactions: interactions between code statements, interactions between data and control flow, interactions between modules, interactions between your codebase and library routines, and interactions between your code and attack surface modules. Being cognizant of paths and subtrees within code is crucial for determining sneak paths, impact analysis, and testing to verify control flow integrity.

Furthermore, most security experts will tell you that software complexity gets in the way of analysis, and incorporating McCabe Metrics such as cyclomatic complexity into your vision will aid in the quantification and understanding of the complexity characteristics of your codebase.

Security Analysis without a control and data flow diagram of logic and design is like doing security analysis of a house without schematics, such as a flooring plan or circuitry diagram.

Only scanning for known exploits without verifying control flow integrity is comparable to that same security expert explaining the obvious, such as windows are open and doors are unlocked, and being completely oblivious to the fact that there is a trap door in your basement.

Those insecure doors and windows are only the low hanging fruit.

http://www.mccabe.com/news_pr020708.htm
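
Added example (not part of the comment above, and not McCabe's own tooling): a minimal way to compute the cyclomatic complexity mentioned in the reply for Python functions, so that branch-heavy code can be singled out for path-based review. The counting rule (one per branch, loop, exception handler, boolean operator and comprehension clause, plus one) and the sample `authorize` code are assumptions made for illustration.

```python
import ast

# Constructed sample source (not from the page): a trivial check and an
# authorization routine with several interacting branches.
SAMPLE = '''
def is_admin(user):
    return user.role == "admin"

def authorize(user, resource, action):
    if user is None or not user.active:
        return False
    for rule in resource.rules:
        if rule.action == action and rule.role == user.role:
            return True
    try:
        return resource.owner == user.id
    except AttributeError:
        return False
'''

BRANCH_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler, ast.IfExp)
FUNC_NODES = (ast.FunctionDef, ast.AsyncFunctionDef)

def decision_points(node):
    """Count decision points below node without entering nested functions."""
    total = 0
    for child in ast.iter_child_nodes(node):
        if isinstance(child, FUNC_NODES + (ast.Lambda,)):
            continue  # nested functions are scored on their own
        if isinstance(child, BRANCH_NODES):
            total += 1
        elif isinstance(child, ast.BoolOp):
            total += len(child.values) - 1  # each and/or adds one path
        elif isinstance(child, ast.comprehension):
            total += 1 + len(child.ifs)     # the loop plus each filter
        total += decision_points(child)
    return total

def cyclomatic_complexity(source):
    """Return {function name: V(G)}, with V(G) = decision points + 1."""
    return {f.name: decision_points(f) + 1
            for f in ast.walk(ast.parse(source)) if isinstance(f, FUNC_NODES)}

def over_threshold(source, limit):
    """Functions whose V(G) exceeds limit: candidates for path-based review."""
    scores = cyclomatic_complexity(source)
    return sorted(n for n, v in scores.items() if v > limit)

if __name__ == "__main__":
    print(cyclomatic_complexity(SAMPLE))
```

The score is also the number of linearly independent paths through each function, which gives a lower bound on the test cases needed to exercise its control flow.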

