Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon and Rules
September 2017 • Presentation
Lori Flynn, David Svoboda, William Snavely
In this tutorial, SEI researchers describe auditing rules and a lexicon that SEI developed.
Abstract
In this tutorial, given at the 2017 IEEE Secure Development Conference, SEI researchers describe auditing rules and a lexicon that the SEI developed so that audit determinations are made consistently, even in the corner cases they identify. The slides show real open-source code examples (and alerts from open-source static analysis tools) so that participants and readers can make their own auditing determinations and check them against the SEI’s determinations made under the rules.
During the tutorial, participants worked hands-on to make their auditing determinations, some using virtual machines distributed by the tutorial leaders and others using printouts.