Configuring Audit Assistant Options for an Application Version

Audit Assistant is an optional tool that connects Fortify Software Security Center to Fortify Scan Analytics. Through Scan Analytics, it helps determine whether the issues returned in Fortify Static Code Analyzer scan results represent true vulnerabilities or are false positives. To configure Audit Assistant options for an application version:

  1. Check to make sure that Fortify Software Security Center has been configured to use Audit Assistant with your applications. (See Configuring Audit Assistant.)

  2. From the Dashboard, select the application version for which you want to configure Audit Assistant options.
  3. On the AUDIT page, click PROFILE.

    The APPLICATION PROFILE - <application_name> <application_version> window opens to the ADVANCED OPTIONS section.

  4. Click AUDIT ASSISTANT OPTIONS.

  5. From the Application version prediction policy list, select the prediction policy that you want Audit Assistant to apply to this application version. A prediction policy defines the confidence thresholds that Scan Analytics uses to decide which issues to treat as indeterminate (neither a true issue nor a non-issue).

    Note: You can specify an application version prediction policy only if the Enable specific application version policies option is enabled system-wide. (See Configuring Audit Assistant.) Otherwise, Audit Assistant uses the default prediction policy.

    If you choose not to specify a prediction policy for the application version, Audit Assistant uses the default prediction policy.

  6. To have Audit Assistant automatically send unaudited issues for this application version to the Fortify Scan Analytics server for assessment, select the Enable auto-prediction check box.

    Note: The Enable auto-prediction and Enable auto-apply check boxes are available only if those audit settings are enabled system-wide. (See Configuring Audit Assistant.)

  7. To have Audit Assistant automatically assign the predicted values returned by the Scan Analytics server to the mapped custom tag values, select the Enable auto-apply check box.
  8. Click APPLY.

See Also

Configuring Audit Assistant