SEI CERT Division Releases SCALe App
August 16, 2018
The CERT Division of the Software Engineering Institute (SEI) at Carnegie
Mellon University has released its Source Code Analysis Laboratory (SCALe)
application. This is the first public, open-source release of SCALe.
SCALe can be used to audit software written in any source language.
This version of SCALe categorizes the alerts produced by analysis tools
according to two code-flaw taxonomies: the CERT Secure Coding Standards
and MITRE's Common Weakness Enumeration (CWE). The CERT Secure Coding
Standards provide detailed guidance for secure development in C, C++,
Java, and Perl.
The SCALe application can be used to identify source code flaws that may
lead to vulnerabilities. By combining the output of multiple flaw-finding
static analysis tools, SCALe lets auditors examine more code defects than
any single static analysis tool would find on its own.
“Using multiple static analysis tools can greatly increase the types of
flaws found,” said Lori Flynn, senior software security researcher at
the SEI. “The alerts must be examined by an expert who determines
whether each alert represents an actual code defect. Typically there are
too many alerts, and not all can be manually examined. The SCALe system
is designed to make this process easier. We are researching ways to
automate the process of accurate alert classification and sophisticated
methods of alert prioritization, and this version of SCALe includes
features added over the last three years intended to assist with that.”
The SCALe application simplifies the process of auditing alerts. It takes
as input the source code for a program, plus the output of static analysis
tools (flaw-finding tools and code metrics tools) that were run on that
code. From this input it provides a browser-based interface to the alerts
and the code they refer to, a simple prioritization of the alerts, and
information about each potential vulnerability and how to fix the code,
drawn from the CERT Secure Coding Standards and the CWE entries. It makes
auditor work more efficient by fusing alerts that flag the same condition
at the same location into a single view that requires only one audit
determination.
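The following script is an added example illustrating the workflow described above; it is not SCALe's own code or its data model. It parses the output of two hypothetical tools (a gcc-style text reporter, "toolA", and a CSV reporter, "toolB"; both outputs are constructed here), maps each tool's checker ID to a CERT rule and a CWE through an assumed mapping table (the CERT and CWE identifiers are real, the checker-to-rule assignments are an assumption), fuses alerts that flag the same rule at the same file and line so they need one determination, and ranks the fused alerts by a made-up weight. Unmapped alerts (code-quality findings with no secure-coding counterpart) are dropped from the audit.

```python
"""Multi-tool alert fusion, added example (not SCALe code)."""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed output of hypothetical tool "toolA": file:line: [checker] message
TOOL_A_OUTPUT = """\
src/net.c:42: [strcpy-overflow] unbounded copy into fixed-size buffer 'host'
src/net.c:88: [null-deref] pointer 'conn' may be NULL when dereferenced
src/util.c:17: [unused-value] value computed is never used
"""

# Constructed output of hypothetical tool "toolB": CSV with a header row
TOOL_B_OUTPUT = """\
file,line,rule,message
src/net.c,42,BUF.OVERRUN,destination buffer may be too small for source
src/net.c,88,NULL.DEREF,dereference of possibly null pointer
src/auth.c,120,FMT.STRING,format string is not a literal
"""

# Assumed mapping from checker IDs to (CERT rule, CWE). The identifiers on the
# right are real taxonomy entries; which checker maps to which is an assumption.
CHECKER_MAP = {
    "strcpy-overflow": ("STR31-C", "CWE-120"),
    "BUF.OVERRUN": ("STR31-C", "CWE-120"),
    "null-deref": ("EXP34-C", "CWE-476"),
    "NULL.DEREF": ("EXP34-C", "CWE-476"),
    "FMT.STRING": ("FIO30-C", "CWE-134"),
    # "unused-value" is deliberately unmapped: a quality alert, not a flaw.
}

# Hypothetical per-rule weights standing in for a real prioritization scheme.
RULE_WEIGHT = {"STR31-C": 3, "FIO30-C": 3, "EXP34-C": 2}


@dataclass
class Alert:
    tool: str
    file: str
    line: int
    checker: str
    message: str
    cert: Optional[str] = None
    cwe: Optional[str] = None


@dataclass
class MetaAlert:
    """One fused view of every alert flagging the same rule at one location."""
    file: str
    line: int
    cert: str
    cwe: str
    alerts: List[Alert] = field(default_factory=list)
    determination: str = "unknown"  # set once by the auditor for the whole group

    @property
    def tools(self):
        return sorted({a.tool for a in self.alerts})


def parse_tool_a(text):
    pat = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+): \[(?P<checker>[^\]]+)\] (?P<msg>.*)$")
    alerts = []
    for raw in text.splitlines():
        m = pat.match(raw)
        if m:  # non-matching lines (banners, summaries) are ignored
            alerts.append(Alert("toolA", m["file"], int(m["line"]), m["checker"], m["msg"]))
    return alerts


def parse_tool_b(text):
    return [Alert("toolB", r["file"], int(r["line"]), r["rule"], r["message"])
            for r in csv.DictReader(io.StringIO(text))]


def map_taxonomies(alerts):
    for a in alerts:
        a.cert, a.cwe = CHECKER_MAP.get(a.checker, (None, None))
    return alerts


def fuse(alerts):
    """Group mapped alerts by (file, line, CERT rule); drop unmapped ones."""
    groups = {}
    for a in alerts:
        if a.cert is None:
            continue
        key = (a.file, a.line, a.cert)
        groups.setdefault(key, MetaAlert(a.file, a.line, a.cert, a.cwe)).alerts.append(a)
    return list(groups.values())


def prioritize(metas):
    """More tools agreeing and heavier rules first; stable by location after that."""
    return sorted(metas, key=lambda m: (-len(m.tools) * RULE_WEIGHT.get(m.cert, 1), m.file, m.line))


def audit(metas, determinations):
    """Apply the auditor's single determination per fused alert (keyed by file, line, rule)."""
    for m in metas:
        m.determination = determinations.get((m.file, m.line, m.cert), m.determination)
    return metas


def run():
    alerts = map_taxonomies(parse_tool_a(TOOL_A_OUTPUT) + parse_tool_b(TOOL_B_OUTPUT))
    return prioritize(fuse(alerts))


if __name__ == "__main__":
    for m in run():
        print(f"{m.file}:{m.line} {m.cert}/{m.cwe} tools={','.join(m.tools)} -> {m.determination}")
```

Running it yields three fused alerts from six raw ones: the two tools agree on the buffer copy at src/net.c:42 and the null dereference at src/net.c:88, so each of those needs one determination instead of two, while the format-string alert at src/auth.c:120 comes from one tool only and the unused-value alert never enters the audit.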
SCALe provides an easy-to-use graphical user interface for examining
alerts, marking each as a true positive or recording another
determination, and saving the audit information to a database.