New static analysis security tool – SCARE

Check out SCARE – the Source Code Analysis Risk Evaluation tool – at http://www.isecom.org/scare. It analyzes code (currently only C) to determine a Risk Assessment Value, based on metrics also described at that site – primarily, "reliance on external variables which a user can manipulate as input".

The authors are looking for help in producing a Windows port.

Here’s the original Bugtraq post: http://www.securityfocus.com/archive/1/484405/30/0/threaded
