
Lori Flynn

Software Engineering Institute

Dr. Lori Flynn is a senior software security researcher in the CERT Division at Carnegie Mellon University's Software Engineering Institute. Her research focuses on automated software security analysis using static analysis, and at times extends to cybersecurity, AI/ML, automated program repair, malware analysis, SBOM/SCA tools, DevSecOps, and mobile computing. She has proposed and led many research projects and a small number of contract projects, and she contributes to the academic and government research communities through participation in, and leadership of, working groups and conferences.

In previous work at Bell Labs, Flynn co-invented a patented static analysis method for creating signatures for polymorphic executables. She also founded a penetration-testing group and a physical test network within the Bell Labs Internet Research Lab.

At the SEI, Flynn is currently contributing to two research projects as a code developer, tester, and co-author. Their topics are automated code repair for static analysis alerts, and a static analysis built on LLVM intermediate representation that tracks tainted data flows in order to detect possible malware.

Continuously through the six years FY16 through FY21, Flynn was the principal investigator of a series of four line-funded research projects on using machine learning to automate the handling of static analysis results. The topics of that research were: (FY20-21) precise adjudication cascading, so that static analysis classification can be used during continuous integration (CI); (FY18-19) an extensible architecture that enables wider use of static analysis classification, requiring less investment, data, and expertise to set up and operate such a system than before; (FY17) static analysis auditing rules and a lexicon to improve data quality, plus a novel approach that uses test suites to automatically produce labeled (true/false) data for many code flaws, addressing the shortage of labeled data that had previously resulted in imprecise classifiers for those flaws; and (FY16) using the outputs of multiple static analysis tools as features to improve classifier precision. She collaborated with many DoD and non-DoD organizations on these projects, many of which remained her collaborators for years. The projects produced artifacts including algorithms, many tools, datasets, papers, presentations, and training materials; some of these (tools and training materials) have been transitioned via separate projects contracted by DoD organizations and DoD contractors.

In another series of research projects she led, her team developed DidFail, the first taint flow static analysis algorithm for sets of Android apps, implementing the algorithm and then improving its precision and coverage. She also led the initial development of the CERT Secure Coding Standard for Android. Flynn has been involved in cross-SEI efforts as well, including leading the Flexibility Working Group during the FY23 NI4CA project and working on the R&T ("RAT") subcommittee as part of SEI's multi-year Strategic Initiative effort.

Throughout her time at the SEI, Flynn has also contributed to the research community by serving on many conference and workshop program committees and by organizing conferences and workshops, including multiple stints as co-chair and chair. Since FY23, Flynn has served as co-chair of the Tools Working Group of the Software Assurance Community of Practice, which is co-organized by the Department of Defense and the National Nuclear Security Administration (DoD/NNSA).

Flynn holds a PhD in Computer Science from the University of California at Santa Cruz and a BS in Molecular Biology from the University of Wisconsin-Parkside. Her doctoral dissertation focused on multicast routing with qualifiers for ad-hoc mobile networks.