Lori Flynn
Software Engineering Institute
Lori Flynn is a Software Security Engineer at CERT, in the Software Engineering Institute of Carnegie Mellon University. Flynn's ongoing work includes the development of new secure coding rules and composable static analysis of apps to check for compliance with data flow rules on Android platforms. Past experience includes network security research, standards-based security analyses, and collaboration on a novel static analysis method for polymorphic program detection that resulted in a patent. Flynn’s Ph.D. research focused on secure multicast routing protocols for ad hoc mobile networks.
Publications by Lori Flynn
Rapid Adjudication of Static Analysis Alerts During Continuous Integration
November 07, 2021 • Presentation
Lori Flynn
This project developed algorithms and a static analysis classification system for use with continuous integration, enabling more secure software with less effort.
Rapid Adjudication of Static Analysis Alerts During Continuous Integration
November 05, 2021 • Video
Lori Flynn
This short video provides an introduction to a research topic presented at the SEI Research Review 2021.
SCAIFE and ACR: Static Analysis Classification and Automated Code Repair
September 15, 2021 • Presentation
Lori Flynn, William Klieber
Flynn and Klieber describe their research and concept for a combined system for static analysis classification and automated code repair.
Test Suites as a Source of Training Data for Static Analysis Classifiers
August 30, 2021 • Video
Lori Flynn
This video by Lori Flynn was recorded as part of the ACM/IEEE International Conference on Automation of Software Test (AST 2021, co-located with ICSE).
Static Code Analysis Classification
December 15, 2020 • Video
Lori Flynn, William Klieber, Robert Schiela
Progress in research toward the rapid adjudication of static analysis alerts during continuous integration.
Automated Code Repair for Memory Safety
December 15, 2020 • Video
William Klieber, Lori Flynn, Robert Schiela
This work aims to develop a technique that eliminates security vulnerabilities at a lower cost than manual repair.
Rapid Adjudication of Static Analysis Alerts During Continuous Integration
December 15, 2020 • Video
Lori Flynn, Robert Nord, Hasan Yasar
Progress in research toward the rapid adjudication of static analysis alerts during continuous integration.
Rapid Adjudication of Static Analysis Alerts During CI
November 04, 2020 • Presentation
Lori Flynn
Progress in research toward the rapid adjudication of static analysis alerts during continuous integration.
Poster - Rapid Adjudication of Static Analysis Meta-Alerts During Continuous Integration
November 04, 2020 • Poster
Lori Flynn
CMU SEI is conducting research to enable static analysis meta-alerts to be adjudicated quickly during continuous integration.
Static Analysis Classification: Line-Funded Research FY16-20
November 03, 2020 • Presentation
Lori Flynn
CMU SEI researchers developed several static analysis techniques and tools to enable practical classification that leads to more secure software and lowered cost.
Static Analysis Classification Research FY16-20 for Software Assurance Community of Practice
September 22, 2020 • Presentation
Lori Flynn
This presentation summarizes Flynn's FY16-20 research projects; DoD collaborators are invited to test their CI code development systems; others are invited to share their labeled data.
Using AI to Find Security Defects in Code / Build More Secure Software
September 16, 2020 • Presentation
Lori Flynn
This presentation discusses how to use AI to find defects in code and provides updates about the presenter's FY16-20 SEI research.
How to Instantiate SCAIFE API Calls: Using SEI SCAIFE Code, the SCAIFE API, Swagger-Editor, and Developing Your Tool with Auto-Generated Code
July 23, 2020 • User's Guide
Lori Flynn, Ebonie McNeil, Joseph D. Yankel
This technical manual provides techniques to help you start to instantiate SCAIFE API methods to integrate your own tools.
Rapid Construction of Accurate Automatic Alert Handling System (video)
November 11, 2019 • Video
Lori Flynn, Ebonie McNeil
Watch SEI principal investigator, Dr. Lori Flynn and SEI researcher Ebonie McNeil discuss their prototype of a tool that enables the rapid adoption of accurate, automated static analysis alerts classifiers to overcome cost and data barriers.
Rapid Construction of Accurate Automatic Alert Handling System (2019)
October 28, 2019 • Presentation
Lori Flynn, Ebonie McNeil
This presentation describes progress toward developing a reference architecture and prototype that enables rapid deployment of a method intended to automatically, accurately, and adaptively classify and prioritize alerts.
Rapid Construction of Accurate Automatic Alert Handling System (2019)
October 28, 2019 • Poster
Lori Flynn, Ebonie McNeil
This poster includes information about research to develop a prototype source code analysis integrated framework environment.
Automating Alert Handling Reduces Manual Effort
August 23, 2019 • Video
Lori Flynn
To make alert handling more efficient, the SEI developed and tested novel software that enables the rapid deployment of a method to classify alerts automatically and accurately.
SCAIFE API Definition Beta Version 0.0.2 for Developers
June 14, 2019 • White Paper
Lori Flynn, Ebonie McNeil
This paper provides the SCAIFE API definition for beta version 0.0.2. SCAIFE is an architecture that supports static analysis alert classification and prioritization.
Integration of Automated Static Analysis Alert Classification and Prioritization with Auditing Tools: Special Focus on SCALe
May 13, 2019 • Technical Report
Lori Flynn, Ebonie McNeil, David Svoboda
This report summarizes progress and plans for developing a system to perform automated classification and advanced prioritization of static analysis alerts.
Improve Your Static Analysis Audits Using CERT SCALe’s New Features
December 18, 2018 • Webinar
Lori Flynn
In this webcast, Lori Flynn, a CERT senior software security researcher, describes the new features in SCALe v3, a research prototype tool.
Improve Your Static Analysis Audits Using CERT SCALe’s New Features
November 08, 2018 • Presentation
Lori Flynn
Learn how to become a research project collaborator for SCALe v3.
Scaling Software Testing and Evaluation
October 24, 2018 • Presentation
Lori Flynn
Discussion of FY18 CMU SEI research in test and evaluation.
Rapid Construction of Accurate Automatic Alert Handling
October 23, 2018 • Poster
Lori Flynn
This poster describes the development of an extensible architecture for the classification and advanced prioritization of flaws in code.
Automating Static Analysis Alert Handling with Machine Learning: 2016-2018
September 21, 2018 • Presentation
Lori Flynn
Lori Flynn gave this presentation to Raytheon's Systems and Software Assurance Technology Interest Group.
Using Test Suites for Static Analysis Alert Classifiers
September 20, 2018 • Podcast
Lori Flynn, Zachary Kurtz
CERT researchers Lori Flynn and Zach Kurtz discuss ongoing research using test suites as a source of labeled training data to create classifiers for static analysis alerts.
Practical Precise Taint-flow Static Analysis for Android App Sets
August 27, 2018 • White Paper
William Klieber, Lori Flynn, William Snavely
This paper describes how to detect taint flow in Android app sets with a static analysis method that is fast and uses little disk and memory space.
Prioritizing Alerts from Multiple Static Analysis Tools, Using Classification Models
August 14, 2018 • Conference Paper
Lori Flynn, William Snavely, David Svoboda
This paper was accepted by the SQUADE workshop at ICSE 2018. It describes the development of several classification models for the prioritization of alerts produced by static analysis tools and how those models were tested for accuracy.
Challenges and Progress: Automating Static Analysis Alert Handling with Machine Learning
April 23, 2018 • Presentation
Lori Flynn
Lori Flynn describes some of the accomplishments and challenges of the FY16-17-18 classifier research she led.
Rapid Expansion of Classification Models to Prioritize Static Analysis Alerts for C
October 30, 2017 • Presentation
Lori Flynn
Presentation on research into a method that automatically classifies and prioritizes alerts, minimizing the manual effort needed to address the large volume of alerts.
Rapid Expansion of Classification Models to Prioritize Static Analysis Alerts for C
October 30, 2017 • Poster
Lori Flynn
Poster on research to create a method to automatically classify and prioritize alerts.
Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon and Rules
September 24, 2017 • Presentation
Lori Flynn, David Svoboda, William Snavely
In this tutorial, SEI researchers describe auditing rules and a lexicon that SEI developed.
DidFail: Coverage and Precision Enhancement
July 06, 2017 • Technical Report
Karan Dwivedi (No Affiliation), Hongli Yin (No Affiliation), Pranav Bagree (No Affiliation)
This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.
SEI Cyber Minute: Code Flaw Alert Classification
June 14, 2017 • Video
Lori Flynn
Watch Lori Flynn in this SEI Cyber Minute as she discusses "Code Flaw Alert Classification".
Static Analysis Alert Audits: Lexicon & Rules
November 03, 2016 • Conference Paper
David Svoboda, Lori Flynn, William Snavely
In this paper, the authors provide a suggested set of auditing rules and a lexicon for auditing static analysis alerts.
Prioritizing Alerts from Static Analysis with Classification Models
November 01, 2016 • Presentation
Lori Flynn
In this presentation, Lori Flynn describes work toward an automated and accurate statistical classifier, intended to efficiently use analyst effort and to remove code flaws.
Prioritizing Alerts from Static Analysis with Classification Models
October 18, 2016 • Poster
Lori Flynn
This poster describes CERT Division research on an automated and accurate statistical classifier.
Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps
November 30, 2015 • Webinar
Lori Flynn, William Klieber
Will Klieber and Lori Flynn discuss undesired flows of sensitive information within and between Android apps.
Smartphone Security
October 01, 2015 • Article
Lori Flynn, William Klieber
In this article, published in IEEE Pervasive Computing, the authors discuss various smartphone security issues and present tools and strategies to address them.
Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps
June 24, 2015 • Presentation
William Klieber, Lori Flynn, Amar S. Bhosale (Carnegie Mellon Heinz School)
In this presentation, the authors describe how to use DidFail, a tool that detects potential leaks of sensitive information in Android apps.
Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets
March 04, 2015 • Technical Report
Jonathan Burket, Lori Flynn, Will Klieber
In this report, the authors describe how the DidFail tool was enhanced to improve its effectiveness.
Android Taint Flow Analysis for App Sets
June 12, 2014 • Presentation
Will Klieber, Lori Flynn, Amar S. Bhosale (Carnegie Mellon Heinz School)
In this presentation at the SOAP 2014 workshop, the authors describe their taint flow analysis for Android applications.
Android Taint Flow Analysis for App Sets
May 07, 2014 • Conference Paper
Will Klieber, Lori Flynn, Amar S. Bhosale (Carnegie Mellon Heinz School)
This paper describes a new static taint flow analysis that precisely tracks both inter-component and intra-component data flow in a set of Android applications.
International Implementation of Best Practices for Mitigating Insider Threat: Analyses for India and Germany
April 16, 2014 • Technical Report
Lori Flynn, Carly L. Huth, Palma Buttles-Valdez
This report analyzes insider threat mitigation in India and Germany, using the new framework for international cybersecurity analysis described in the paper titled “Best Practices Against Insider Threats in All Nations.”
Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase II, Expanded Analysis and Recommendations
January 08, 2014 • Technical Note
Lori Flynn, Greg Porter (Heinz College at Carnegie Mellon University), Chas DiFatta (No Affiliation)
In this report, the authors discuss the countermeasures that cloud service providers use and how they understand the risks posed by insiders.
Mobile SCALe: Rules and Analysis for Secure Java and Android Coding
November 08, 2013 • Technical Report
Lujo Bauer (Carnegie Mellon University, Department of Electrical and Computer Engineering), Lori Flynn, Limin Jia (Carnegie Mellon University, Department of Electrical and Computer Engineering)
In this report, the authors describe Android secure coding rules, guidelines, and static analysis developed as part of the Mobile SCALe project.
Four Insider IT Sabotage Mitigation Patterns and an Initial Effectiveness Analysis
October 22, 2013 • Conference Paper
Lori Flynn, Jason W. Clark, Andrew P. Moore
In this paper, the authors describe four patterns of insider IT sabotage mitigation and initial results from 46 relevant cases for pattern effectiveness.
Best Practices Against Insider Threats in All Nations
August 27, 2013 • Technical Note
Lori Flynn, Carly L. Huth, Randall F. Trzeciak
In this report, the authors summarize best practices for mitigating insider threats in international contexts.
Results of SEI Line-Funded Exploratory New Starts Projects: FY 2012
July 01, 2013 • Technical Report
Bjorn Andersson, Lori Flynn, David P. Gluch
This report describes line-funded exploratory new starts (LENS) projects that were conducted during fiscal year 2012 (October 2011 through September 2012).
Mitigating Insider Threat - New and Improved Practices Fourth Edition
February 28, 2013 • Podcast
George Silowash, Lori Flynn, Julia H. Allen
In this podcast, participants explain how 371 cases of insider attacks led to 4 new and 15 updated best practices for mitigating insider threats.
Chronological Examination of Insider Threat Sabotage: Preliminary Observations
December 01, 2012 • White Paper
William R. Claycomb, Carly L. Huth, Lori Flynn
In this paper, the authors examine 15 cases of insider threat sabotage of IT systems to identify points in the attack time-line.
Common Sense Guide to Mitigating Insider Threats, Fourth Edition
December 01, 2012 • Technical Report
George Silowash, Dawn Cappelli, Andrew P. Moore
In this report, the authors define insider threats and outline current insider threat patterns and trends.
Best Practices Against Insider Threats in All Nations
October 30, 2012 • Conference Paper
Lori Flynn, Carly L. Huth, Randall F. Trzeciak
In this paper, the authors summarize best practices for mitigating insider threats in international contexts.