Code Risk Estimation Worksheet (CREW) v5.24 User Manual
Abstract
Numerous high-profile cyberattacks on critical US computer systems emphasize the risks that poor-quality code presents to US national security and American economic leadership. Code Risk Estimation Worksheet (CREW) assessments were developed by SEI to help solve this problem by identifying structural code quality (the quality of a codebase) rather than functional code quality (how well the code fulfils mission requirements). CREW objectifies risk estimation by directing analysts to answer code-level questions after leveraging static analysis (SA) tools and reading subsections of the source code. This document serves as a user manual for CREW analysts and provides guidance on what methodologies to use when answering the questions contained in CREW. Its chapters provide an overview of each CREW tab, followed by instructions on how to answer each individual question contained in the given tab. Ultimately, the CREW framework helps analysts improve the thoroughness, objectivity, consistency, and traceability of critical embedded system code assessments.
Document Details
- Document Type: Technical Report
- Publication Date: May 15, 2023
- Accession Number: AD1201273
Entities
People
- Alan Cohn
- David Svoboda
- Jay Marchetti
- Mena Kostial
- Michael Riley
- Nicholas Reimer
- Ryan Karl
Organizations
- Carnegie Mellon University