Defining Prediction Policies
Audit Assistant is an optional tool that connects Fortify Software Security Center to Fortify Scan Analytics and, through Scan Analytics, helps determine whether the issues returned in Fortify Static Code Analyzer scan results are true vulnerabilities or false positives. To use Audit Assistant, you must define at least one prediction policy. A prediction policy sets the confidence thresholds that Scan Analytics uses to decide which issues to treat as indeterminate, that is, neither a true issue nor a non-issue. When you submit a scan for prediction, each issue is assessed against the prediction policy you have specified. For more information, see About Prediction Policies.
1. Log in to Fortify Scan Analytics (https://analytics.fortify.com). Scan Analytics needs a baseline of audit data to make its determinations; this data consists of the decisions users have made during scan audits about how to characterize the issues uncovered in code scans.
2. On the Fortify header, select PREDICTION POLICIES.
3. On the Prediction Policies page, click +ADD. The Prediction Policies > Add page opens.
4. In the Policy Name box, type a name for the policy.
   The Prediction Policies > Add page contains two confidence threshold settings. Confidence here is the degree of certainty that the rules and Fortify Static Code Analyzer's capabilities can find an issue's true vulnerability. You use these two settings to configure which issues Audit Assistant treats as indeterminate, that is, neither a true issue nor a non-issue.
   Audit Assistant results include the following:
   - The AA_Prediction value groups issues based on Audit Assistant's assessment of their exploitability. Possible values are Exploitable, Below Threshold - Exploitable, Not an issue, Below Threshold - Not an issue, and Not Predicted.
     Note: Audit Assistant only predicts on dataflow and control flow static analysis issues.
   - The AA_Confidence value (a fraction from 0.00 to 1.00, so 0.80 corresponds to the 80% slider value) shows Audit Assistant's level of confidence in the AA_Prediction value.
     If the AA_Confidence value falls below the threshold you set here for that prediction (Confidence Threshold - Not an Issue for a Not an issue prediction, Confidence Threshold - Exploitable for an Exploitable prediction), Audit Assistant treats the issue as indeterminate and reports it with the corresponding Below Threshold value rather than as a firm Exploitable or Not an issue. Issues that Audit Assistant does not assess at all (analysis types other than dataflow and control flow) carry the value Not Predicted.
5. Set the Confidence Threshold - Not an Issue and the Confidence Threshold - Exploitable sliders to acceptable levels for the applications on Fortify Software Security Center.
   Note: The higher you set the threshold values, the less likely it is that the Audit Assistant results contain false negatives. (Tests using the default 80% threshold values resulted in a false negative occurrence of less than one percent.) The two sliders govern different errors: raising Confidence Threshold - Not an Issue reduces false negatives, because fewer issues are confidently dismissed, while raising Confidence Threshold - Exploitable reduces false positives among the issues reported as Exploitable. The trade-off in both cases is that more issues fall below a threshold, become indeterminate, and must be audited manually, so set the sliders with your team's manual audit capacity in mind rather than simply maximizing them.
6. (Optional) In the Description box, type a policy description.
7. Click SAVE.
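The following is an added example, not code from Fortify or from this page, that models how a prediction policy's two thresholds sort Audit Assistant results into firm, below-threshold and not-predicted groups, and what raising the thresholds does to the manual audit load. The sample issues, the analysis-kind names, the rule that a confidence exactly equal to the threshold meets it, and the mapping of below-threshold predictions onto the Below Threshold values are all assumptions made for illustration; check them against your own Scan Analytics output before relying on the numbers.

```python
from dataclasses import dataclass

# Constructed sample of Audit Assistant-style results for illustration only:
# (issue id, analysis kind, raw prediction, AA_Confidence as a 0.00-1.00 fraction).
SAMPLE_ISSUES = [
    ("I-1", "dataflow",    "Exploitable",  0.97),
    ("I-2", "dataflow",    "Exploitable",  0.72),
    ("I-3", "controlflow", "Not an issue", 0.91),
    ("I-4", "dataflow",    "Not an issue", 0.83),
    ("I-5", "semantic",    "Exploitable",  0.99),  # not a dataflow/control flow issue
    ("I-6", "dataflow",    "Not an issue", 0.55),
]

# Assumption: Audit Assistant only predicts on dataflow and control flow issues.
PREDICTED_KINDS = {"dataflow", "controlflow"}


@dataclass(frozen=True)
class PredictionPolicy:
    """The two slider values of a prediction policy, as fractions (0.80 == 80%)."""
    name: str
    not_an_issue_threshold: float
    exploitable_threshold: float


def apply_policy(policy, kind, prediction, confidence):
    """Return the AA_Prediction value an issue ends up with under `policy`.

    Assumed semantics: an issue whose confidence is below the threshold for its
    own prediction class is reported with the matching Below Threshold value;
    a confidence equal to the threshold is treated as meeting it.
    """
    if kind not in PREDICTED_KINDS:
        return "Not Predicted"
    if prediction == "Exploitable":
        threshold = policy.exploitable_threshold
    elif prediction == "Not an issue":
        threshold = policy.not_an_issue_threshold
    else:
        raise ValueError(f"unknown raw prediction: {prediction!r}")
    if confidence < threshold:
        return f"Below Threshold - {prediction}"
    return prediction


def summarize(policy, issues):
    """Count how many issues land in each AA_Prediction bucket under `policy`."""
    counts = {}
    for _, kind, prediction, confidence in issues:
        label = apply_policy(policy, kind, prediction, confidence)
        counts[label] = counts.get(label, 0) + 1
    return counts


def manual_audit_load(policy, issues):
    """Issues an auditor still has to look at: indeterminate plus not predicted."""
    return sum(
        1
        for _, kind, prediction, confidence in issues
        if apply_policy(policy, kind, prediction, confidence)
        not in ("Exploitable", "Not an issue")
    )


if __name__ == "__main__":
    default = PredictionPolicy("default", 0.80, 0.80)
    strict = PredictionPolicy("strict", 0.90, 0.90)
    for policy in (default, strict):
        print(policy.name, summarize(policy, SAMPLE_ISSUES),
              "manual audit load:", manual_audit_load(policy, SAMPLE_ISSUES))
```

With the sample set, moving both sliders from 80% to 90% changes nothing for the confidently Exploitable issue but pushes one more Not an issue prediction (0.83) below its threshold, so the manual audit load grows from three issues to four; that is the trade-off to weigh when you tune the policy for real scan volumes.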
See Also
Configuring Audit Assistant Options for an Application Version