Configuring Audit Assistant
Audit Assistant is an optional tool that connects Fortify Software Security Center to Fortify Scan Analytics. Working together, they help determine whether the issues returned in Fortify Static Code Analyzer scan results represent true vulnerabilities or are false positives. To make its determinations, Scan Analytics needs data to establish a baseline for its audits: the decisions users have made during earlier scan audits about how to characterize the issues uncovered in code scans.
To configure Fortify Software Security Center to use Audit Assistant with your applications:
- Log in to Fortify Software Security Center as an administrator, and then, on the Fortify header, select ADMINISTRATION.
- In the left panel, select Configuration, and then select Audit Assistant.
- Configure the settings on the Audit Assistant page as described in the following table.
- To test the connection to the Fortify Scan Analytics server, click TEST CONNECTION. After the connection test succeeds, configure the settings in the Audit settings section.
- Click REFRESH POLICIES to populate the Default prediction policy list with the policies currently defined on the Fortify Scan Analytics server. Prediction policies set the confidence thresholds that Scan Analytics uses to decide which issues to treat as indeterminate, that is, neither a true issue nor a non-issue. Before Scan Analytics can process your scan results, at least one prediction policy must be defined; when you submit a scan for prediction, each issue is assessed against the policy you specified.
Note: Prediction policies set for individual application versions can become invalid if the available policies change on the Fortify Scan Analytics server. Fortify Software Security Center checks the policies it receives from Fortify Scan Analytics every time a user clicks REFRESH POLICIES. If it detects one or more invalid policies, it displays a table that maps each original policy to the changed policy. Use this table to identify each obsolete policy and select its valid replacement; Fortify Software Security Center then updates the affected application versions according to the mapping you submit.
- From the Default prediction policy list, select the prediction policy to apply to all application versions. (Policies are defined in Fortify Scan Analytics.)
- If you plan to specify prediction policies at the application version level, overriding the default global prediction policy, select Enable specific application version policies. Otherwise, Audit Assistant uses the default global prediction policy you selected in the previous step.
Note: You specify the policy for an application version from the APPLICATION PROFILE dialog box. For instructions, see Configuring Audit Assistant Options for an Application Version.
- To have Audit Assistant automatically send issues that have not yet been assessed to Fortify Scan Analytics for assessment, select the Enable auto-predict check box. (For information about the auto-predict feature, see About Audit Assistant Auto-Prediction.)
Note: Enabling auto-predict here is not sufficient on its own. Open the APPLICATION PROFILE dialog box for each application version for which you want to use auto-prediction, and enable it there as well.
- To allow the analysis values that Audit Assistant assigns to issues to be applied to your Analysis custom tag values system-wide, select the Enable auto-apply check box. (To be considered audited, an issue must have a value assigned to its primary custom tag; auto-apply is what lets Audit Assistant's verdict supply that value.)
Note: Enabling auto-apply here is likewise not sufficient on its own. Open the APPLICATION PROFILE dialog box for each application version for which you want to use auto-apply, and enable it there as well.
Important! Before you can use the auto-apply feature, you must first map Audit Assistant analysis tag values to Fortify Software Security Center Analysis tag values.
- If you selected the Enable auto-apply check box and want to map Audit Assistant analysis tag values to Fortify Software Security Center Analysis tag values now, click the here link to go to the Custom Tags page, and then follow the instructions in Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom Tag Values.
- Click SAVE.
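The settings above interact in ways that are easy to get wrong in practice: a per-version policy only takes effect when the global "specific application version policies" switch is on, auto-apply requires both the global and the per-version flag, a policy that disappears from the Scan Analytics server must be remapped after REFRESH POLICIES, and indeterminate predictions never reach the Analysis tag. The following Python model, added here as an illustration and not Fortify's own code, walks through exactly those rules. The policy shape (a single minimum-confidence threshold), the prediction labels, the field names and the sample data are all assumptions constructed for the example.

```python
"""Illustrative model of the Audit Assistant settings described on this page.

Added example, not Fortify code. Policy thresholds, label names, field names
and all sample data below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INDETERMINATE = "Indeterminate"


@dataclass(frozen=True)
class PredictionPolicy:
    # Assumed shape: a prediction below this confidence is treated as
    # indeterminate (neither a true issue nor a non-issue).
    name: str
    min_confidence: float


@dataclass(frozen=True)
class Prediction:
    issue_id: str
    label: str          # assumed Audit Assistant values: "Exploitable" / "Not an Issue"
    confidence: float   # 0.0 .. 1.0


@dataclass
class GlobalSettings:
    default_policy: str
    per_version_policies: bool = False   # "Enable specific application version policies"
    auto_predict: bool = False           # "Enable auto-predict"
    auto_apply: bool = False             # "Enable auto-apply"


@dataclass
class VersionSettings:
    name: str
    policy: Optional[str] = None         # set from the APPLICATION PROFILE dialog box
    auto_predict: bool = False
    auto_apply: bool = False


def classify(pred: Prediction, policy: PredictionPolicy) -> str:
    """Apply the policy threshold: low-confidence predictions become indeterminate."""
    if pred.confidence < policy.min_confidence:
        return INDETERMINATE
    return pred.label


def effective_policy(g: GlobalSettings, v: VersionSettings) -> str:
    """A per-version policy only wins when the global switch for it is enabled."""
    if g.per_version_policies and v.policy:
        return v.policy
    return g.default_policy


def refresh_policies(server: List[PredictionPolicy], g: GlobalSettings,
                     versions: List[VersionSettings]) -> List[str]:
    """Mirror of REFRESH POLICIES: names still referenced locally but no longer
    offered by the Scan Analytics server (these need a replacement mapping)."""
    known = {p.name for p in server}
    referenced = {g.default_policy} | {v.policy for v in versions if v.policy}
    return sorted(referenced - known)


def remap_policies(g: GlobalSettings, versions: List[VersionSettings],
                   mapping: Dict[str, str]) -> None:
    """Apply the obsolete -> replacement mapping an admin submits in the table."""
    g.default_policy = mapping.get(g.default_policy, g.default_policy)
    for v in versions:
        if v.policy in mapping:
            v.policy = mapping[v.policy]


def auto_apply(g: GlobalSettings, v: VersionSettings,
               policies: Dict[str, PredictionPolicy],
               tag_mapping: Dict[str, str],
               predictions: List[Prediction]) -> Dict[str, str]:
    """Analysis tag values auto-apply would write for one application version.

    Requires both the global and the per-version flag; indeterminate verdicts
    are skipped; an unmapped Audit Assistant value is a configuration error
    (the page requires the mapping before auto-apply can be used)."""
    if not (g.auto_apply and v.auto_apply):
        return {}
    policy = policies[effective_policy(g, v)]
    applied: Dict[str, str] = {}
    for pred in predictions:
        verdict = classify(pred, policy)
        if verdict == INDETERMINATE:
            continue
        if verdict not in tag_mapping:
            raise ValueError(f"Audit Assistant value {verdict!r} has no Analysis tag mapping")
        applied[pred.issue_id] = tag_mapping[verdict]
    return applied


# Constructed sample data (assumptions, not real policies or issues).
SERVER_POLICIES = [PredictionPolicy("Conservative", 0.9), PredictionPolicy("Balanced", 0.7)]
POLICIES = {p.name: p for p in SERVER_POLICIES}
TAG_MAPPING = {"Exploitable": "Exploitable", "Not an Issue": "Not an Issue"}
SAMPLE_PREDICTIONS = [
    Prediction("issue-1", "Exploitable", 0.95),
    Prediction("issue-2", "Not an Issue", 0.75),
    Prediction("issue-3", "Exploitable", 0.55),
]

if __name__ == "__main__":
    g = GlobalSettings("Conservative", per_version_policies=True, auto_apply=True)
    v = VersionSettings("app-1.0", policy="Balanced", auto_apply=True)
    print(auto_apply(g, v, POLICIES, TAG_MAPPING, SAMPLE_PREDICTIONS))
    print(refresh_policies([POLICIES["Balanced"]], g, [v]))
```

Run as a script, the first line shows that under the version's own "Balanced" policy two of the three sample issues get a tag value and the low-confidence one is left alone; the second shows "Conservative" reported as obsolete once it is missing from the server list, which is the situation the mapping table in the REFRESH POLICIES note exists to resolve.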