Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon and Rules
• Presentation
In this tutorial, SEI researchers describe auditing rules and a lexicon that SEI developed.
Publisher
Software Engineering Institute
Abstract
In this tutorial, given at the 2017 IEEE Secure Development Conference, SEI researchers describe auditing rules and a lexicon that the SEI developed so that audit determinations are made consistently, even in the corner cases they identify. The slides show real open-source code examples (and alerts from open-source static analysis tools) so that participants and readers can make their own auditing determinations and check them against the SEI’s determinations using the rules.
During the tutorial, participants worked hands-on to make their auditing determinations, some using virtual machines distributed by the tutorial leaders and others using printouts.