A software system can be considered as a collection of data and procedures that are separated from the environment and interact with it through channels of communication. If we assume that the system does not contain any Trojan horse code, then the only way it can be attacked is during
the processing of input through interactions with the environment. While most methodologies attempt to identify security vulnerabilities in the local context, proposes the use of complete input tracing that examines the source code and identifies all possible inputs from malicious sources,
traces the input flow from the source until termination of use and compares the flow segments for known security vulnerability constructs. Discusses input flow tracing and its benefits such as the provision of metrics for security assurance, complete vulnerability assessment and the ability
to examine combinations of vulnerabilities.