
Posts by Lori Flynn

An Application Programming Interface for Classifying and Prioritizing Static Analysis Alerts

• Blog
Lori Flynn

This post was co-written by Ebonie McNeil. In this post, we describe the Source Code Analysis Integrated Framework Environment (SCAIFE) application programming interface (API). SCAIFE is an architecture for classifying and prioritizing static analysis alerts. It is designed so that a wide variety of static analysis tools can integrate with the SCAIFE system using the API. The API is pertinent to organizations that develop or research static analysis alert auditing tools, aggregators, and frameworks....

SCALe v. 3: Automated Classification and Advanced Prioritization of Static Analysis Alerts

• Blog
Lori Flynn

This post was co-authored by Ebonie McNeil. Static analysis tools analyze code without executing it, to identify potential flaws in source code. These tools produce a large number of alerts with high false-positive rates that an engineer must painstakingly examine to find legitimate flaws. As described in Lori's first blog post on this topic, we in the SEI's CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool since 2010 as part of our...

SCALe: A Tool for Managing Output from Static Analysis Tools

• Blog
Lori Flynn

Experience shows that most software contains code flaws that can lead to vulnerabilities. Static analysis tools used to identify potential vulnerabilities in source code produce a large number of alerts with high false-positive rates that an engineer must painstakingly examine to find legitimate flaws. As described in this blog post, we in the SEI's CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool, as we have researched and prototyped methods to help analysts...

Test Suites as a Source of Training Data for Static Analysis Alert Classifiers

• Blog
Lori Flynn

This post was co-written by Zachary Kurtz and Will Snavely. Numerous tools exist to help detect flaws in code. Some of these are called flaw-finding static analysis (FFSA) tools because they identify flaws by analyzing code without running it. Typical output of an FFSA tool includes a list of alerts for specific lines of code with suspected flaws. This blog post presents our initial work on applying static analysis test suites in a novel way...

Automated Detection of Information Leaks in Mobile Devices

• Blog
Lori Flynn

This blog post is also authored by William Klieber. Exfiltration of sensitive data on mobile devices is a major concern for the DoD, other organizations, and individuals. Colluding apps in public use have been discovered by security researchers. The Mobile App Collusion attack, which spread across thousands of Android packages, is an example. Colluding apps, or a combination of a malicious app and leaky app, can use intents (messages sent to Android app components) to...

Prioritizing Security Alerts: A DoD Case Study

• Blog
Lori Flynn

Federal agencies and other organizations face an overwhelming security landscape. The arsenal available to these organizations for securing software includes static analysis tools, which search code for flaws, including those that could lead to software vulnerabilities. The sheer effort required by auditors and coders to triage the large number of potential code flaws typically identified by static analysis can hijack a software project's budget and schedule. Auditors need a tool to classify alerts and to...

Prioritizing Alerts from Static Analysis to Find and Fix Code Flaws

• Blog
Lori Flynn

In 2015, the National Vulnerability Database (NVD) recorded 6,488 new software vulnerabilities, and the NVD documents a total of 74,885 software vulnerabilities discovered between 1988 and 2016. Static analysis tools examine code for flaws, including those that could lead to software security vulnerabilities, and produce diagnostic messages ("alerts") indicating the location of the purported flaw in the source code, the nature of the flaw, and often additional contextual information. A human auditor then evaluates the validity of...

An Enhanced Tool for Securing Android Apps

• Blog
Lori Flynn

This blog post was co-authored by Will Klieber. Each software application installed on a mobile smartphone, whether a new app or an update, can introduce new, unintentional vulnerabilities or malicious code. These problems can lead to security challenges for organizations whose staff uses mobile phones for work. In April 2014, we published a blog post highlighting DidFail (Droid Intent Data Flow Analysis for Information Leakage), which is a static analysis tool for Android app sets...

Secure Coding for the Android Platform

• Blog
Lori Flynn

Although the CERT Secure Coding team has developed secure coding rules and guidelines for Java, prior to 2013 we had not developed a set of secure coding rules that were specific to Java's application in the Android platform. Android is an important area to focus on, given its mobile device market dominance (82 percent of worldwide market share in the third quarter of 2013) as well as the adoption of Android by the Department of...
