Blog Posts
Release of SCAIFE System Version 2.0.0 Provides Support for Continuous-Integration (CI) Systems
Key features in the new release of SCAIFE System Version 2.0.0, including support for continuous-integration (CI) systems, and the status of evolving SEI SCAIFE work
• By Lori Flynn
In Secure Development
Release of SCAIFE System Version 1.0.0 Provides Full GUI-Based Static-Analysis Adjudication System with Meta-Alert Classification
The SEI Source Code Analysis Integrated Framework Environment (SCAIFE) is a modular architecture designed to enable a wide variety of tools, systems, and users to use artificial intelligence (AI) classifiers …
• By Lori Flynn
A Public Repository of Data for Static-Analysis Classification Research
This blog post describes a new repository of labeled data that CERT is making publicly available for many code-flaw conditions. Researchers can use this dataset along with the associated code …
• By Lori Flynn
In Secure Development
Managing Static Analysis Alerts with Efficient Instantiation of the SCAIFE API into Code and an Automatically Classifying System
Static analysis tools analyze code without executing it to identify potential flaws in source code. Since alerts may be false positives, engineers must painstakingly examine them to adjudicate if they …
• By Lori Flynn
An Application Programming Interface for Classifying and Prioritizing Static Analysis Alerts
In this post, we describe the Source Code Analysis Integrated Framework Environment (SCAIFE) application programming interface (API). SCAIFE is an architecture for classifying and prioritizing static analysis alerts.
• By Lori Flynn, Ebonie McNeil
In Secure Development
SCALe v. 3: Automated Classification and Advanced Prioritization of Static Analysis Alerts
Static analysis tools analyze code without executing it, to identify potential flaws in source code. These tools produce a large number of alerts with high false-positive rates that an engineer …
• By Lori Flynn, Ebonie McNeil
In Secure Development
SCALe: A Tool for Managing Output from Static Analysis Tools
Experience shows that most software contains code flaws that can lead to vulnerabilities. Static analysis tools used to identify potential vulnerabilities in source code produce …
• By Lori Flynn
In Secure Development
Test Suites as a Source of Training Data for Static Analysis Alert Classifiers
Numerous tools exist to help detect flaws in code. Some of these are called flaw-finding static analysis (FFSA) tools because they identify flaws by analyzing code without running it …
• By Lori Flynn, Zachary Kurtz
In Secure Development
Automated Detection of Information Leaks in Mobile Devices
Exfiltration of sensitive data on mobile devices is a major concern for the DoD, other organizations, and individuals. Colluding apps in public use have been discovered by security researchers. The …
• By Lori Flynn, Will Klieber
Prioritizing Security Alerts: A DoD Case Study
Federal agencies and other organizations face an overwhelming security landscape. The arsenal available to these organizations for securing software includes static analysis tools, which search code for flaws, including those …