Using Audit Assistant

Audit Assistant is an optional tool that connects Fortify Software Security Center to Fortify Scan Analytics. Through Scan Analytics, it helps determine whether the issues returned from Fortify Static Code Analyzer scan results represent true vulnerabilities or are false positives. The following sections describe the Audit Assistant workflow, prediction policies and how to use them, how to enable metadata sharing, how to submit data to Audit Assistant, and how to review Audit Assistant results.

Audit Assistant Workflow

The workflow for using Audit Assistant is as follows:

  1. Obtain a Fortify Scan Analytics account. Scan Analytics makes its determinations from a baseline built from the decisions users have made during earlier scan audits about how to characterize the issues uncovered in code scans. To obtain an account:

    1. Go to https://analytics.fortify.com.

    2. Click Need an Account?

    3. Complete the fields on the Request a Fortify Scan Analytics Tenant form, and then click Request Now.

    Fortify sends an email with information about how to connect to Fortify Scan Analytics.

  2. From Fortify Scan Analytics, create one or more policies.
  3. (Optional) Choose to share anonymous metadata.
  4. Obtain a Fortify Scan Analytics token.
  5. From Fortify Software Security Center:

  6. From Fortify Software Security Center, open an application version and submit the latest completely audited scan to Audit Assistant. This step is referred to as training.
  7. From Fortify Software Security Center, open an application version and submit its Fortify Static Code Analyzer scan results to Audit Assistant.
  8. After Audit Assistant completes its assessment, view the results and, if necessary, adjust them.
  9. Submit corrected results to Audit Assistant.

The following sections describe how to obtain an authentication token from Fortify Scan Analytics, and then use that token to configure a connection to Fortify Scan Analytics. (Fortify Scan Analytics generates the authentication tokens required to configure a connection between Scan Analytics and Fortify Software Security Center.) Later sections describe how to prepare Scan Analytics for metadata submission, submit data, review Audit Assistant results, and then submit corrected audit data.

See Also

Configuring Audit Assistant

About Prediction Policies

Defining Prediction Policies

Enabling Metadata Sharing

Enabling Auto-Apply and Auto-Predict for an Application Version

Submitting Training Data to Audit Assistant

Reviewing Audit Assistant Results