Software Engineering Institute

There is no widely accepted lexicon or standard set of rules for auditing static analysis alerts in the software engineering community. Auditing rules and a lexicon should guide different auditors to make the same determination for an alert. Standard terms and processes are necessary so that initial determinations are correctly interpreted, which helps organizations reduce code flaws. They are also needed to improve the quality of audit data to benefit research on alert prioritization.

This paper provides a suggested set of auditing rules and a lexicon, detailing rationales based on modern software engineering practices for each rule and each lexicon term. Some code examples are provided with the auditing rules. The authors’ hope is that this suggested framework will motivate community discussion leading to agreed-upon standards.

The authors presented this paper at the IEEE Cybersecurity Development Conference (IEEE SecDev), which took place in Boston, MA on November 3-4, 2016.