
Using Test Suites for Static Analysis Alert Classifiers

CERT researchers Lori Flynn and Zach Kurtz discuss ongoing research using test suites as a source of labeled training data to create classifiers for static analysis alerts.

Software Engineering Institute




Static analysis tools used to identify potential vulnerabilities in source code produce a large number of alerts with high false-positive rates that engineers must painstakingly examine to find legitimate flaws. Researchers in the SEI’s CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool to help analysts be more efficient and effective at auditing static analysis alerts. In this podcast, CERT researchers Lori Flynn and Zach Kurtz discuss ongoing research using test suites as a source of labeled training data to create classifiers for static analysis alerts. 

About the Speaker

Lori Flynn


Dr. Lori Flynn is a senior software security researcher in the CERT Division at Carnegie Mellon University's Software Engineering Institute. Flynn's research focuses on automated software security analyses using static analysis. Sometimes her work extends to cybersecurity, AI/ML, automated program repair, malware analysis, SBOM/SCA tools, DevSecOps, and mobile computing. She …

Zachary Kurtz


Dr. Zach Kurtz is an SEI alumni employee.

Dr. Zach Kurtz is a data scientist with experience on projects in fields as diverse as cybersecurity, public transit, psychology, marketing analytics, ecology, medicine, human rights, and international capital flows. Kurtz’s dissertation built on capture-recapture theory to introduce a new method for …
