Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon and Rules

  Abstract

    In this tutorial, given at the 2017 IEEE Secure Development Conference, SEI researchers describe auditing rules and a lexicon developed at the SEI so that determinations on static analysis alerts are made consistently, including in the corner cases the rules identify. The slides present real open-source code examples, together with alerts from open-source static analysis tools, so that participants and readers can make their own auditing determinations and then check them against the SEI's determinations made under the rules.

    During the tutorial, participants made their auditing determinations hands-on, some using virtual machines distributed by the tutorial leaders and others working from printouts.

