McCabe Advises Homeland Security on the Complex Issue of Software Risk

Share Article

Discussion of software quality metrics risk opens eyes at annual DHS/DoD forum.

Tom McCabe, Jr. of McCabe Software, Inc. had the pleasure of speaking at the annual DHS-DOD Software Assurance Forum in Fairfax, VA last week.

McCabe brought his 20+ years of experience to the fore while pointing out that the keys to eliminating software vulnerability lie in the use of software complexity metrics, measuring control flow integrity and conducting sneak path analysis.

"There are no silver bullets when it comes to security metrics. Many of the issues surrounding security analysis are intertwined with fundamental software engineering principles," says McCabe. "Metrics such as the Relative Attack Surface Quotient (RASQ) from Microsoft, should be used in conjunction with traditional metrics that enable us to understand software and test it. Complexity, object-oriented metrics, and other metrics that help us understand the characteristics of our codebase are certainly relevant to software security. Software testing and code coverage metrics are also very relevant."

"Most exploits are about interactions: interactions between code statements, interactions between data and control flow, interactions between modules, interactions between your codebase and library routines, and interactions between your code and attack surface modules. Being cognizant of paths and subtrees within code is crucial for determining sneak paths, impact analysis, and testing to verify control flow integrity."

"For many years experts have been saying that software complexity is the worst enemy of security," says David Belhumeur, McCabe Software's CEO. "We must always be concerned about the vulnerability of critical software applications, especially when it could affect national security. Failure to uncover complexity, which is the root of vulnerability, could have dire consequences."

About McCabe Software, Inc.
McCabe Software provides Software Quality Management solutions worldwide and has worked with the Department of Defense, all branches of the US Military, and defense contractors such as Lockheed Martin, Raytheon, Northrop Grumman, Boeing, BAE Systems, and more for over 30 years. McCabe's flagship source code analysis solution, "McCabe IQ" analyzes the quality and test coverage of critical applications, utilizing a comprehensive set of software metrics including the McCabe-authored Cyclomatic Complexity metric. McCabe Software has offices in the United States and distribution worldwide, and can be found on the web at


Share article on social media or email:

View article via:

Pdf Print

Contact Author

Jon Palmisano
Visit website