Hi Steven,

I'm (with Vadim Okun) currently doing some research and prototype development in that direction. We are actually counting the number of diffused inputs (diffused in the sense of affecting other variables, even with filter application, etc.) going through sinks.

We are working on PHP code only for now since we have to work pretty much from scratch (using yaxx in order to generate the AST), but we started to do evaluations of real code (wordpress, mediawiki, dotclear, joomla etc.). We also plan to try different combinations of possible metrics, and see the correlation between them.

But well, the main problem with such a metric is that it's strongly related to how the programmer is working:

- Is it better to have lots of different variables that are a variation of a single input? I thought not...
- Is it better to have localized inputs in the source code? I think yes...
- Shall we count the number of classes, the Object orientation of the code, the number of functions... also?

These are some questions that we are currently working on. If you guys have some ideas about that or comments, I would really appreciate it :)

Romain
http://rgaucher.info

Steven M. Christey wrote:
> Interesting that attack surface isn't included, given that Microsoft was
> one of the earliest advocates of attack surface, a metric that is likely
> strongly associated with the number of input-related vulnerabilities.
> It's probably hard to do perfectly, though, especially if any third-party
> APIs are involved.
>
> Are there any tools out there that try to measure attack surface? Has
> anybody had any experience in trying to apply it?
>
> - Steve
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
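To make the "diffused inputs going through sinks" idea concrete, here is an added toy counter (example code, not Romain's yaxx-based prototype). It assumes a simplified PHP subset parsed with regular expressions instead of a real AST: one statement per line, plain assignments, string concatenation, filter calls, and sink calls with a single variable argument; no control flow, includes or interpolated strings. It reports, per input, how many variables derive from it (diffusion) and which sinks it reaches, counting through filters as the post describes.

```python
import re

# Constructed sample of PHP-like code (not from a real project).
SAMPLE = """
$name = $_GET['name'];
$id = $_POST['id'];
$safe = htmlspecialchars($name);
$greeting = "Hello " . $safe;
$sql = "SELECT * FROM t WHERE id=" . $id;
$copy = $sql;
echo $greeting;
mysql_query($copy);
$unused = $_GET['x'];
"""

SINKS = ("echo", "print", "mysql_query", "eval")  # assumed sink functions
SOURCE_RE = re.compile(r"(\$_(?:GET|POST|COOKIE|REQUEST)\[[^\]]*\])")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(.*)")
SINK_RE = re.compile(r"(\w+)\s*\(?\s*(\$\w+)")


def analyze(code):
    """Return {input: {"variables": n_derived, "sinks": [names]}}."""
    taint = {}    # variable -> set of inputs it derives from
    derived = {}  # input -> set of variables derived from it
    reached = {}  # input -> list of sinks it flows into
    for line in code.strip().splitlines():
        line = line.strip().rstrip(";")
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            origins = set(SOURCE_RE.findall(rhs))
            # Any tainted variable on the right-hand side propagates its
            # origins; filter calls (htmlspecialchars etc.) do not stop this,
            # since the metric counts diffusion even with filter application.
            for v in re.findall(r"\$\w+", rhs):
                origins |= taint.get(v, set())
            if origins:
                taint[var] = origins
                for o in origins:
                    derived.setdefault(o, set()).add(var)
            continue
        m = SINK_RE.match(line)
        if m and m.group(1) in SINKS:
            sink, v = m.groups()
            for o in taint.get(v, set()):
                reached.setdefault(o, []).append(sink)
    return {o: {"variables": len(vs), "sinks": sorted(set(reached.get(o, [])))}
            for o, vs in derived.items()}
```

On the sample, `$_GET['name']` diffuses into three variables and reaches `echo` (through the filter), `$_POST['id']` diffuses into three and reaches `mysql_query`, and `$_GET['x']` is read into one variable but reaches no sink.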