Software Engineering Institute

Static analysis tools produce many alerts with high false-positive rates that an engineer must painstakingly examine to find legitimate flaws. Carnegie Mellon University Software Engineering Institute researchers offer SCALe—Source Code Analysis Laboratory— to help analysts be more efficient and effective at auditing source code for security flaws. SCALe consists of tools and processes developed by CERT researchers to address problems when using multiple static analyzers, since no single analyze finds everything. Each analyzer provides its own interface for managing its alerts, complicating attempts to use multiple analyzers on the same codebase. SCALe has been used to analyze software for the DoD, energy delivery systems, medical devices, and more.