Defining Prediction Policies

To use Audit Assistant, you must define at least one prediction policy that Audit Assistant can use to determine which issues to treat as indeterminate (neither a true issue nor a non-issue). For more information, see About Prediction Policies.

To define a prediction policy:

  1. Log in to Fortify Scan Analytics (https://analytics.fortify.com).

  2. On the Fortify header, select PREDICTION POLICIES.
  3. On the Prediction Policies page, click +ADD.

  4. In the Policy Name box on the Prediction Policies > Add page, type a name for the policy.

    The Prediction Policies > Add page contains two confidence threshold settings. You use these to configure which issues Audit Assistant is to treat as indeterminate, that is, neither a true issue nor a non-issue.

    Audit Assistant results include the following:

    • The AA_Prediction value groups issues based on Audit Assistant's assessment of their exploitability. Possible values are Exploitable, Below Threshold – Exploitable, Not an issue, Below Threshold – Not an issue, and Not Predicted.

      Note: Audit Assistant only predicts on dataflow and control flow static analysis issues.

    • The AA_Confidence value (a proportion from 0.00 to 1.00, that is, 0% to 100%) shows Audit Assistant's level of confidence in the AA_Prediction value.

    If the AA_Confidence value falls below either of the confidence thresholds you set here for the prediction policy, then Audit Assistant treats the issue as indeterminate, and assigns it the AA_Prediction value Not Predicted.

  5. Set the Confidence Threshold - Not an Issue and the Confidence Threshold - Exploitable sliders to acceptable levels for the applications on Fortify Software Security Center.

    Note: The higher you set the threshold values, the less likely it is that the Audit Assistant results contain false negatives. (Tests using the default 80% threshold values produced a false negative rate of less than one percent.)

  6. (Optional) In the Description box, type a policy description.
  7. Click SAVE.
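To see how the two sliders from step 5 act on individual results, the following Python model applies a prediction policy to a constructed set of issues. This is an added example, not Fortify's implementation or any Fortify API: the `PredictionPolicy` and `Issue` classes, their field names, the analyzer names, and the rule that issues from analyzers other than dataflow and control flow receive Not Predicted are assumptions made for illustration, based on the note in step 4. The page does not state when the Below Threshold values are assigned, so the model returns only Exploitable, Not an issue, or Not Predicted.

```python
from dataclasses import dataclass

# Constructed model of an Audit Assistant prediction policy (not Fortify code).
# Field names and analyzer names are assumptions for this example.

NOT_PREDICTED = "Not Predicted"
EXPLOITABLE = "Exploitable"
NOT_AN_ISSUE = "Not an issue"

# Assumption: Audit Assistant only predicts on dataflow and control flow issues,
# so results from any other analyzer are treated as Not Predicted.
PREDICTED_ANALYZERS = {"dataflow", "controlflow"}


@dataclass(frozen=True)
class PredictionPolicy:
    name: str
    not_an_issue_threshold: float  # "Confidence Threshold - Not an Issue" slider
    exploitable_threshold: float   # "Confidence Threshold - Exploitable" slider
    description: str = ""

    def __post_init__(self):
        # AA_Confidence ranges from 0.00 to 1.00, so thresholds must as well.
        for value in (self.not_an_issue_threshold, self.exploitable_threshold):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"threshold {value} outside 0.00..1.00")


@dataclass(frozen=True)
class Issue:
    issue_id: str
    analyzer: str        # e.g. "dataflow", "controlflow", "structural"
    raw_prediction: str  # model output before the policy: Exploitable / Not an issue
    aa_confidence: float # 0.00 .. 1.00


def apply_policy(policy: PredictionPolicy, issue: Issue) -> str:
    """Return the AA_Prediction value for one issue under the given policy."""
    if issue.analyzer.lower() not in PREDICTED_ANALYZERS:
        return NOT_PREDICTED
    if issue.raw_prediction == EXPLOITABLE:
        threshold = policy.exploitable_threshold
    elif issue.raw_prediction == NOT_AN_ISSUE:
        threshold = policy.not_an_issue_threshold
    else:
        raise ValueError(f"unknown raw prediction {issue.raw_prediction!r}")
    # Confidence strictly below the matching threshold means indeterminate.
    if issue.aa_confidence < threshold:
        return NOT_PREDICTED
    return issue.raw_prediction


def summarize(policy: PredictionPolicy, issues) -> dict:
    """Count how many issues land in each AA_Prediction bucket."""
    counts = {EXPLOITABLE: 0, NOT_AN_ISSUE: 0, NOT_PREDICTED: 0}
    for issue in issues:
        counts[apply_policy(policy, issue)] += 1
    return counts


# Constructed sample results; confidences chosen to straddle the thresholds.
SAMPLE_ISSUES = [
    Issue("I-1", "dataflow", EXPLOITABLE, 0.97),
    Issue("I-2", "dataflow", EXPLOITABLE, 0.85),
    Issue("I-3", "controlflow", NOT_AN_ISSUE, 0.90),
    Issue("I-4", "dataflow", NOT_AN_ISSUE, 0.62),
    Issue("I-5", "structural", EXPLOITABLE, 0.99),  # analyzer not predicted on
    Issue("I-6", "dataflow", EXPLOITABLE, 0.80),    # exactly at the default threshold
]

# The 80% defaults mentioned in the note, and a stricter policy for comparison.
DEFAULT_POLICY = PredictionPolicy("default-80", 0.80, 0.80)
STRICT_POLICY = PredictionPolicy("strict-95", 0.95, 0.95, "Fewer predictions, fewer false negatives")

if __name__ == "__main__":
    for policy in (DEFAULT_POLICY, STRICT_POLICY):
        print(policy.name, summarize(policy, SAMPLE_ISSUES))
```

Raising both sliders from 0.80 to 0.95 moves every result except I-1 into Not Predicted, which is the trade-off the note describes: fewer false negatives in exchange for more issues the auditor must review by hand.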

See Also

About Prediction Policies

Configuring Audit Assistant

Configuring Audit Assistant Options for an Application Version