Application Security

McCabe IQ for the Testing of Software Vulnerability

McCabe IQ is built for software engineers and security analysts who need to execute security or vulnerability analysis on complex software. Unlike other software security tools, McCabe IQ uses a path-oriented approach that enables engineers to understand interactions and verify exploitable paths within a codebase. This is crucial when determining exploitability, modeling attack space and performing vulnerability analysis.

McCabe IQ includes many features that can be used in the security analysis of your software. We recommend that your processes include the following:

Analyze the Attack Surface Leveraging Path Analysis

Use path analysis to determine the reachability, exploitability, and impact of vulnerable code (including visualization and structural complexity metrics), and then to determine how effectively that attackable subset of code has been tested.

Analyze the effectiveness of security requirements testing or security tool testing using path coverage

To get the most out of testing efforts, developers, test teams, and management must have a firm understanding of the application, their testing goals, and the resources needed to meet those goals. McCabe IQ Test Team Edition graphically displays the application architecture and all possible test paths through the system. Knowing the test paths in advance enables proper planning and accurate estimates of the time and cost needed to execute a test plan that handles the coding aspects of the threat analysis.

McCabe IQ Test Team Edition's visual environment allows you to plan software testing resources in advance, identifying test paths and the number of tests required.

Application Security AttackMap

Compare complexity metrics with known vulnerable code to identify additional vulnerable code

The most common question asked during software testing is: "When have I tested enough?" McCabe IQ Test Team Edition answers this question with detailed status reports of testing efforts and recommendations on where to focus additional testing.

The McCabe IQ Test Team Edition Battlemap shows precisely which modules in your application have been fully tested (green), partially tested (yellow), or are untested (red).

Coverage Screen

Optimize Testing Efforts

McCabe IQ is a critical tool for your security analysis, providing an understanding of your software's control flow relative to vulnerable and exploitable code, including Attack Surfaces/Targets/Maps/Trees.

Many types of security analysis and security testing tools exist, but most are limited in their code visualization and structural analysis capabilities. Most current analysis methods are not flow sensitive, context sensitive, or object sensitive. This leads to imprecision and thus to a high number of false alarms. A false negative is when the same vulnerability is exploited without being reported. This can occur if the tainted input is propagated along a different code path than in the sample exploit, or if the overwritten sensitive value is misused at a different location.

Typically, after a security tool points to a possible exploit, it is left up to the programmer to understand the code and design, determine the scope and nature of the exploit and then fix the bug in software that is often complex or, in other instances, developed by someone else. Security flaw exploitability means reachability and requires a security analyst to be cognizant of paths within code and design. Tools that aid an analyst in triage activities such as understanding the attack surface, the usable attack surface and attack trees are invaluable to software security - no other solution helps you understand your critical applications like McCabe IQ.

If you already have security tools deployed, McCabe IQ augments those tools and related processes, and helps you take full advantage of your overall investment in the security of your critical applications.

McCabe IQ has been the preeminent tool for modeling control flow and path analysis for decades. Its path-oriented nature can help you quickly understand the structure of your code and perform basis path testing of that code, as you analyze vulnerable and exploitable Attack Surfaces/Targets/Maps/Trees. McCabe IQ provides extensive control flow graphics depicting functional structure, class relationships, structural subtrees, and unit level flowgraphs. Its test path and execution code coverage information are tightly integrated and are overlaid on those same graphical views.

