About Auditing

When Fortify Static Code Analyzer scans sourceA place in the code where malicious data can enter. code, all of its discoveries are presented as potential vulnerabilities, not actual vulnerabilities. Because every applicationA customer codebase evaluated by Fortify software. The top-level container for one or more application versions. When you work with a new codebase, the application and first application version are automatically created. An application includes one or more application versions that users create and configure. is unique and all functionality runs within a particular context understood best by the development team, no technology can fully determine if a suspect behavior should be considered a vulnerabilityA weakness that allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. (same as issue) without direct developer confirmation.

Issue audits, whether performed in Fortify Software Security Center or Audit Workbench, or by Audit AssistantAn optional tool used to connect Fortify Software Security Center to Fortify Scan Analytics. Audit Assistant (through Fortify Scan Analytics) helps determine whether the issues returned from Fortify Static Code Analyzer scan results represent true vulnerabilities, or are false positives., accomplish the following:

• Condense and focus application information
• Enable the security team to collaboratively decide which issues represent real vulnerabilities
• Enable the security team to collaboratively prioritize issues based on vulnerability

Fortify Software Security Center uses issue templates to categorize and display issues.

See Also

Setting the Strategy for Resolving Issue Audit Conflicts