Hi Steven,
I'm (with Vadim Okun) currently doing some research and prototype
development in that direction. We are actually counting the number of
diffused inputs (diffuse in a sense of affectation to other variables,
even with filter application, etc.) going through sinks.
We are working on PH
> That said, we should keep trying! I believe one answer is to take advantage
> of relative metrics over time.
>
I agree that this can be a practical starting point for organizations. I had
a client starting down the path with static analysis, they have thousands of
developers and many applicati
gem
company www.cigital.com
--Original Message--
From: Steven M. Christey
To: Gary McGraw
Cc: Steven M. Christey
Cc: Secure Coding Mailing List
Sent: Oct 8, 2007 4:07 PM
Subject: RE: [SC-L] Microsoft Pushes Secure
Hey Steve,
> Are there any tools out there that try to measure attack surface? Has
> anybody had any experience in trying to apply it?
SecurityInnovation's HoloDeck has an attack surface module, but
unfortunately it is just a fancy wrapper for a Win
On Mon, 8 Oct 2007, Gary McGraw wrote:
> Not surprising. Last time I looked, attack surface is subjective.
> McCabe is not. BTW, McCabe's Cyclomatic complexity boils down to 85%
> lines of code and 15% data flow if you do a principal component analysis
> on it.
Hopefully the SEI people are mon
To: Secure Coding
Subject: Re: [SC-L] Microsoft Pushes Secure, Quality Code
Interesting that attack surface isn't included, given that Microsoft was one of
the earliest advocates of attack surface, a metric that is likely strongly
associated with the number of input-related vulnerabilities.
It's probably hard to do perfectly, though, especially if any third-party
APIs are