Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type


Publication Date

William Snavely
October 2018 - Technical Report Composing Effective Software Security Assurance Workflows

Topics: Software Assurance, Process Improvement, Performance and Dependability

In an effort to determine how to make secure software development more cost effective, the SEI conducted a research study to empirically measure the effects that security tools—primarily automated static analysis tools—had on costs and benefits.

October 2018 - Conference Paper Detecting Leaks of Sensitive Data Due to Stale Reads

Topics: Secure Coding

This paper introduces a heuristic-driven dynamic analysis that aims to detect reads that may be accessing stale sensitive data.

August 2018 - Conference Paper Prioritizing Alerts from Multiple Static Analysis Tools, Using Classification Models

This paper was accepted by the SQUADE workshop at ICSE 2018. It describes the development of several classification models for the prioritization of alerts produced by static analysis tools and how those models were tested for accuracy.

September 2017 - Presentation Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon and Rules

Topics: Secure Coding

In this tutorial, SEI researchers describe auditing rules and a lexicon that SEI developed.

July 2017 - Technical Report DidFail: Coverage and Precision Enhancement

Topics: Secure Coding

This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.

November 2016 - Conference Paper Automated Code Repair Based on Inferred Specifications

Topics: Secure Coding

In this paper, the authors describe automated repairs for three types of bugs: integer overflows, missing array bounds checks, and missing authorization checks.

November 2016 - Conference Paper Static Analysis Alert Audits: Lexicon & Rules

Topics: Secure Coding

In this paper, the authors provide a suggested set of auditing rules and a lexicon for auditing static analysis alerts.

March 2015 - Technical Report Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets

Topics: Secure Coding

In this report, the authors describe how the DidFail tool was enhanced to improve its effectiveness.