Configuring Audit Assistant

Audit Assistant works with Fortify Scan Analytics to help determine whether or not the issues returned from Fortify Static Code Analyzer scan results represent true vulnerabilities.

To configure Fortify Software Security Center to use Audit Assistant with your applications:

  1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify header, select ADMINISTRATION.
  2. In the left pane, select Configuration, and then select Audit Assistant.

  3. Configure the settings on the Audit Assistant page as described in the following table.

    Field (* = required)    Description

    Enable Audit Assistant
    Select this check box to enable the remaining fields.

    * Authentication token
    Paste the authentication token you obtained from Fortify Scan Analytics here. For instructions on how to get a token, select How do I get a token? or see Getting a Fortify Scan Analytics Authentication Token.

    * Fortify Scan Analytics server URL
    Specify the URL for the Fortify Scan Analytics server.

    Use SSC proxy for Audit Assistant
    If you have configured a proxy for all Fortify Software Security Center integrations (see Configuring a Proxy for Fortify Software Security Center Integrations), you can select this check box to use that proxy for Audit Assistant.

  4. To test the connection to the Application Security Analytics server, click TEST CONNECTION.

    After the connection test succeeds, you can configure the settings in the Audit settings section.

  5. Click REFRESH POLICIES to populate the Default prediction policy list with the current server policies on the Fortify Scan Analytics server.

    Note: Audit Assistant prediction policies set for individual application versions can become invalid if the available policies are changed on the Fortify Scan Analytics server. Fortify Software Security Center verifies the policies it receives from Fortify Scan Analytics every time a user clicks REFRESH POLICIES. If Fortify Software Security Center detects one or more invalid policies, it displays a table that shows the mapping from the original policy to the changed policy. You can then identify each obsolete policy and map it to its valid replacement. Fortify Software Security Center updates the policies based on the changes you submit in the mapping table.

  6. From the Default prediction policy list, select the name of the prediction policy to apply to all application versions. (Policies are defined in Fortify Scan Analytics.)
  7. If you plan to specify prediction policies at the application version level and override the default global prediction policy, select Enable specific application version policies. Otherwise, Audit Assistant uses the default global prediction policy you specified in the previous step.

    Note: You can specify the policy for an application version from the APPLICATION PROFILE dialog box. For instructions, see Configuring Audit Assistant Options for an Application Version.

  8. To enable Audit Assistant to automatically send issues not yet assessed to Fortify Scan Analytics for assessment, select the Enable auto-predict check box. (For information about the auto-predict feature, see About Audit Assistant Auto-Prediction.)

    Note: If you enable auto-predict here, open the APPLICATION PROFILE dialog box for each application version for which you want to use auto-prediction, and enable it there as well.

  9. To allow the analysis values that Audit Assistant assigns to issues to be applied system-wide to your Analysis custom tag values, select the Enable auto-apply check box. After you do, you must also enable this functionality for each application version from the APPLICATION PROFILE window.

    Note: If you enable auto-apply here, open the APPLICATION PROFILE dialog box for each application version for which you want to use auto-apply, and enable it there as well.

    Important! Before you can use the auto-apply feature, you must first map Audit Assistant analysis tag values to Fortify Software Security Center Analysis tag values.

  10. If you selected the Enable auto-apply check box, and you want to map Audit Assistant analysis tag values to Fortify Software Security Center Analysis tag values now, click the here link to go to the Custom Tags page, and then follow the instructions provided in Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom Tag Values.
  11. Click SAVE.