White Paper: Security Risk Identification
12 Application Architecture Categories to Review
Static code analysis provides an excellent technique to quickly and easily identify potential security vulnerabilities and weaknesses in applications. However, as static code analysis tools have improved, organizations are becoming overwhelmed with lists of potential vulnerabilities, often without having the resources to address more than a fraction of them. In reality, a large proportion of these so-called vulnerabilities do not present a real security risk because of their nonstrategic location in the application architecture, yet traditional static analysis for security vulnerabilities does not provide a way to identify the vulnerabilities that present a real security risk.
Therefore, many organizations are seeking automated methods to facilitate analyzing the architecture from a security standpoint. Using automated methods would optimize the allocation of the scarce staff tasked with analyzing identified potential vulnerabilities, while having the greatest positive impact on security risk. McCabe IQ can expedite this process by decomposing the application into detailed, color-coded flow maps that simplify the task of evaluating the application’s architecture from a security risk standpoint, thereby reducing the time required to assess potential vulnerabilities by an order of magnitude or more when compared to working with raw code.
White Paper: Uncovering Risk in Your ICD-10 Conversion
Key Risk & Effort Metrics for ICD Data Testing
If you are implementing ICD-10 support in your software applications, many things are important to your management of the process. Good development and test practices include: requirement and design reviews, configuration management, and completion of a thorough set of functional (requirements based) tests. However, to reduce risk, a critical and often forgotten area is code coverage, leading to the question…
Do you know whether you are testing all of your ICD data locations in the code?
Are you trusting someone’s best guess that each instance of ICD-related data in your source code, whether modified for new ICD-10 data formats or staying the same, is being tested? The good news is that you can know objectively and definitively, with the help of tools like McCabe IQ.
White Paper: Improving Software Security by Identifying and Securing Paths Linking Attack Surfaces to Attack Targets
Software Security Analysis (SSA) typically includes the identification of attack surfaces, entry points into the system that a malicious user can exploit by providing malformed data to trigger deviant behavior; and of attack targets, areas of the system that can cause adverse critical impact if exploited. The task of the analyst is to review these entry points and critical impact areas, and assess their correctness and robustness. The challenge is that a complex piece of code typically has a large number of potential attack surfaces and attack targets, often far more than can be thoroughly analyzed in the time available.
Fortunately, not all of the potential attack targets need to be investigated in detail; only those that are connected to attack surfaces do.
Control Flow Security Analysis with McCabe IQ:
Applying a Path-based Method to Vulnerability Assessment of the Microsoft SDL Banned Function Calls
This application note discusses the example of performing vulnerability assessment in relation to the use of certain exploitable functions in the C standard library. As part of the recommendations for the implementation phase, the Microsoft SDL identifies a set of functions that, from real-world experience, have been linked to many security bugs because of buffer overruns and invalid pointer access. SDL practices suggest banning the use of these functions in favor of newer implementations that incorporate better bounds checking and are easier to secure.
Searching source code for banned function calls will readily identify the vulnerable points, but the exploitability of a given vulnerability is determined by whether it is reachable along an execution path from parts of the system accessible to an attacker. Exploitable vulnerabilities call for special attention to design remediation and adequate testing. This document describes activities that apply such practices using McCabe IQ.
Complexity Analysis of Hostile Applets:
Using Path-Oriented Metric Analysis to Unravel Hostile Applet Algorithm Patterns, Signatures, Similarities, Authors, and Derivations
This paper uses known hostile Java applets as an example baseline that could be analyzed and profiled using path analysis to better understand the algorithms, identify their patterns, and use the analysis to identify signatures, similarities, authors, and derivations.
Combining McCabe IQ with Fuzz Testing
Fuzz testing, or fuzzing, is a black-box testing technique that has recently leapt to prominence as a quick and cost-effective method for uncovering security bugs. Fuzzing is able to cover the most exposed and critical attack surfaces in a system and identify common errors and potential vulnerabilities quickly and cost-effectively. Although fuzz testing tools can be remarkably effective, their ability to discover bugs on low-probability program paths is inherently limited. Many current code coverage tools are inadequate and inefficient for vulnerability analysis. This paper details how leveraging static and dynamic path analysis will improve fuzz testing and software security.
Cyclomatic Path Analysis and Security Vulnerabilities
Neither statement nor branch testing is adequate to detect security vulnerabilities and verify control flow integrity. Many exploits can hide in obscure paths and subtrees within a seemingly innocent codebase.
This paper shows how Cyclomatic Path Analysis, on the other hand, detects more security vulnerabilities and errors in your critical applications.
Path Insensitive Insecurity
This paper will show you how using software complexity metrics, measuring control flow integrity, and performing sneak path analysis help you make your applications more secure than previously thought possible.
Measuring Software Complexity to Target Risky Modules in Autonomous Vehicle Systems
M. N. Clark, Bryan Salesky, Chris Urmson: Carnegie Mellon University
Dale Brenneman: McCabe Software Inc.
Corresponding Author: M. N. Clark (clarkmn@cmu.edu)
Tartan Racing developed 300 KLOC that represented over 14,000 modules and enabled our robot car "Boss" to win the DARPA Urban Challenge.
This paper describes how any complex software system can be analyzed in terms of its reliability, its degree of maintainability, and ease of integration using applied flow-graph theory. We discuss several code coverage measurements and why this is important in certifying critical software systems used in autonomous vehicles.
Our paper applies cyclomatic complexity analysis to the winning DARPA Urban Challenge vehicle's software. We show graphical primitives followed by views of modules using those constructs. In this way minimum testing paths are quickly computed and viewed. We argue for customizing evaluation thresholds to further filter the modules to a small subset of those most at risk. This "choosing our battles" approach works well when teams are immersed in a fast-paced development program.
DO-178B and McCabe IQ
This document briefly describes DO-178B and how McCabe Software's McCabe IQ can be used to support the guidelines. It describes the focus of DO-178B, the Tool Qualification process in both general cases and as it relates to McCabe IQ, and the Certification Process.
This document also provides a summary of McCabe IQ functionality, including specific notes about how McCabe IQ can be used to support the guidelines. Several appendices compile relevant notes to provide more information to those who are interested in this process.
This document can assist readers with becoming more familiar with DO-178B, and what may be involved in qualifying McCabe IQ for airborne systems projects.
Baseline Code Analysis Using McCabe IQ
This document has been written to provide the answer to three basic questions:
- What is baseline code analysis and why is it important?
- What are the challenges of baseline code analysis?
- How can baseline code analysis with McCabe IQ be used to add value to Development and QA processes?
Improved Testing Using McCabe IQ Coverage Analysis
This document has been written to...
- ...introduce coverage analysis as an increasingly important direction in the management of software testing
- ...describe how the unique coverage analysis techniques available in McCabe IQ can add value to your test processes.
Specifically, this paper covers test assessment and improvement using McCabe IQ coverage analysis in the areas of functional testing, incremental testing, and unit level testing.
McCabe Recommended Approach to Code Reviews
This paper was written to provide the answer to three basic questions:
- What is the function of code reviews in increasing productivity and code quality?
- What is the McCabe approach to code reviews?
- How can McCabe IQ be used to set up an automated code review process?
Metrics & Thresholds in McCabe IQ
A list of all metrics collected in McCabe IQ, including a description and the standard threshold values used.