McCabe Software
Recommended Security Analysis Processes

Analyze the Attack Surface

Analyze the Effectiveness of Security Testing Using Path Coverage

Compare Complexity Metrics with Known Vulnerable Code

Video Library:

Control Flow Security Analysis Using Attack Maps

Path Coverage and Security Vulnerabilities

Document Library:

Improving Software Security by Identifying and Securing Paths Linking Attack Surfaces to Attack Targets

Control Flow Security Analysis with McCabe IQ - Applying a Path-based Method to Vulnerability Assessment of the Microsoft SDL Banned Function Calls

Combining McCabe IQ with Fuzz Testing - how leveraging static and dynamic path analysis will improve fuzz testing and software security.

Complexity Analysis of Hostile Applets - Forensics: Using Path-Oriented Metric Analysis to Unravel Hostile Applet Algorithm Patterns, Signatures, Similarities, Authors and Derivations

Cyclomatic Path Analysis and Security Vulnerabilities - Learn how Cyclomatic Path Analysis detects more security vulnerabilities and errors in your critical applications.

More Papers

Analyze the Effectiveness of Security Requirements Testing or Security Tool Testing Using Path Coverage

Use McCabe IQ to determine whether all code of concern is being thoroughly tested by your security tests and security testing tools, using path-level code coverage analysis, the most stringent coverage analysis available.

Many types of security testing may be performed by your organization. These might include:

  • functional and performance tests created from security requirements, or
  • the use of tools such as sniffers, vulnerability scanners, fuzz testing tools, etc.

While those techniques are excellent, any of them might still have holes, whether because of the randomness inherent in the technique (fuzzing, for example) or because of the complexity of your code. That is, those tests might not exercise your code as thoroughly as you would like.

We recommend that, after you create and execute those tests and analyze the results, you also execute those same tests on executables built from McCabe IQ's source code instrumentation. Then perform code coverage analysis (focusing on code areas related to security) to determine whether the code indicated as NOT tested by those tests needs to be tested with additional security-related test cases. Your security testing techniques may be very good, but still leave some untested branch outcomes and code paths that could contain vulnerabilities.

The code coverage level should be at least branch coverage; basis path coverage or boolean/MC/DC coverage, which are more thorough, are highly recommended for increased confidence in your security testing. This analysis technique can be used in conjunction with attack surface control flow impact analysis to further focus on the areas of most concern.
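The following added example (not McCabe IQ code, and not part of the original page) illustrates why branch coverage alone is the floor: a constructed function with two independent decisions is instrumented so that each run records its decision outcomes, and a two-case suite reaches 100% branch coverage while two of the four paths, and one of the v(G) = 3 basis paths, are never executed. The function `clamp_length` and the test inputs are constructed for the demonstration.

```python
from itertools import product

TRACE = []  # branch outcomes recorded while the instrumented function runs
DECISIONS = ("d1", "d2")


def decide(name, cond):
    """Instrumentation hook: record the outcome of decision `name`, then return it."""
    TRACE.append((name, bool(cond)))
    return bool(cond)


def clamp_length(length, trusted):
    """Constructed function under test: two sequential, independent decisions."""
    if decide("d1", length > 64):      # cap oversized requests
        length = 64
    if decide("d2", not trusted):      # untrusted callers get a tighter cap
        length = min(length, 16)
    return length


def run_suite(tests):
    """Execute each (length, trusted) case; return the set of executed paths."""
    paths = set()
    for args in tests:
        TRACE.clear()
        clamp_length(*args)
        paths.add(tuple(TRACE))
    return paths


def cyclomatic_complexity():
    # v(G) = number of binary decisions + 1 for a single-entry/single-exit routine
    return len(DECISIONS) + 1


def coverage_report(tests):
    """Compare branch coverage with path coverage for a test suite."""
    paths = run_suite(tests)
    outcomes = {o for p in paths for o in p}          # (decision, outcome) pairs seen
    all_paths = {tuple(zip(DECISIONS, bits))
                 for bits in product((True, False), repeat=len(DECISIONS))}
    return {
        "branch_coverage": len(outcomes) / (2 * len(DECISIONS)),
        "paths_executed": len(paths),
        "paths_possible": len(all_paths),
        "basis_paths_needed": cyclomatic_complexity(),
        "untested_paths": sorted(all_paths - paths),
    }


if __name__ == "__main__":
    # Two cases give 100% branch coverage yet leave two paths unexecuted.
    print(coverage_report([(100, True), (10, False)]))
```

Adding the case `(100, False)` executes a third path; the report then shows which combination of outcomes still has no test.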
