Software Engineering Institute | Carnegie Mellon University

Digital Library


Using Test Suites for Static Analysis Alert Classifiers

  • Related

    SEI Blog Post | Static Analysis Alert Test Suites as a Source of Training Data for Alert Classifiers

  • Abstract

    Static analysis tools used to identify potential vulnerabilities in source code produce a large number of alerts with high false-positive rates that engineers must painstakingly examine to find legitimate flaws. Researchers in the SEI’s CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool to help analysts be more efficient and effective at auditing static analysis alerts. In this podcast, CERT researchers Lori Flynn and Zach Kurtz discuss ongoing research using test suites as a source of labeled training data to create classifiers for static analysis alerts. 


About the Speaker

  • Lori Flynn

    Dr. Lori Flynn is a software security engineer at CERT, in the Software Engineering Institute of Carnegie Mellon University. Flynn’s ongoing work includes the development of new secure coding rules and composable static analysis of apps to check for compliance with data flow rules on Android platforms. Past experience includes network security research, standards-based security analyses, and collaboration on a novel static analysis method for polymorphic program detection that resulted in a patent. Flynn’s Ph.D. research focused on secure multicast routing protocols for ad hoc mobile networks.

  • Zach Kurtz

    Dr. Zach Kurtz is a data scientist with experience on projects in fields as diverse as cybersecurity, public transit, psychology, marketing analytics, ecology, medicine, human rights, and international capital flows. Kurtz’s dissertation built on capture-recapture theory to introduce a new method for estimating the sizes of partially observed populations. At the SEI, Kurtz has developed new evaluation methodologies for open-ended cyber warning competitions, built text-based classifiers, and designed cyber incident data visualization tools.