McCabe brought his 20+ years of experience to the fore while pointing out that the keys to eliminating software vulnerability lie in the use of software complexity metrics, measuring control flow integrity and conducting sneak path analysis.

"There are no silver bullets when it comes to security metrics. Many of the issues surrounding security analysis are intertwined with fundamental software engineering principles," says McCabe. "Metrics such as the Relative Attack Surface Quotient (RASQ) from Microsoft, should be used in conjunction with traditional metrics that enable us to understand software and test it. Complexity, object-oriented metrics, and other metrics that help us understand the characteristics of our codebase are certainly relevant to software security. Software testing and code coverage metrics are also very relevant."

"Most exploits are about interactions: interactions between code statements, interactions between data and control flow, interactions between modules, interactions between your codebase and library routines, and interactions between your code and attack surface modules. Being cognizant of paths and subtrees within code is crucial for determining sneak paths, impact analysis, and testing to verify control flow integrity."

"For many years experts have been saying that software complexity is the worst enemy of security," says David Belhumeur, McCabe Software's CEO. "We must always be concerned about the vulnerability of critical software applications, especially when it could affect national security. Failure to uncover complexity, which is the root of vulnerability, could have dire consequences." 

This came from PR Web

Testing quality assurance QA