Beyond the Noise: Elevating SAST with Fortify's Precision and Innovation

by in Cybersecurity

When approaching the domain of application security, particularly through the lens of Static Application Security Testing (SAST), one critical concern that frequently arises pertains to the initial analysis phase with tools like Fortify SAST. The prospect of uncovering a daunting array of findings at the outset can be overwhelming for developers, creating a perception of added complexity and friction within the development process. This concern often nudges developers towards opting for lightweight SAST tools that promise AppSec compliance without necessarily delivering the depth of analysis characteristic of Fortify. This blog post aims to address these concerns by highlighting the nuanced advantages of Fortify SAST, emphasizing its unparalleled research foundation, comprehensive updates, and superior scanning capabilities while offering solutions to mitigate the impact of scan results on developer workflows.

Unmatched Software Security Research

Fortify SAST distinguishes itself from less robust SAST scanners through its exceptional research foundation. Our dedicated research team, Fortify Research, is committed to delivering quarterly Rulepack updates, enabling Fortify SAST to support an extensive range of programming languages and frameworks. Fortify SAST excels in identifying a remarkable spectrum of 815 unique vulnerability categories and covers over one million individual APIs. This level of comprehensive analysis significantly surpasses the capabilities of more basic SAST tools, providing a more thorough assessment of potential vulnerabilities.

Our approach goes beyond merely supplying tools; we strive to ensure our customers do not fall into the trap of a false sense of security. A prime example of our commitment to accuracy is Fortify SAST's achievement of a 100% true positive rate in the OWASP 1.2b Benchmark, illustrating our tool's precision in identifying genuine security threats.

Addressing the Challenge of Scan Result "Noise"

A critique associated with Fortify SAST revolves around the potential for scan results to produce an excessive amount of "noise." This noise can result from either a high number of false positives or a high volume of true positives, and it can add friction to development processes (this site can provide more background on false positives, false negatives, true positives, etc.).

To tackle the issue of false positives, it's essential to recognize that all SAST tools balance the trade-off between false positives and false negatives. While minimizing false positives is critical, it's equally important to prevent false negatives, which could mask significant security risks in the application. Unlike lightweight SAST tools, which might not delve deeply enough to uncover complex vulnerabilities, Fortify’s SAST provides a thorough analysis. It offers advanced filtering options, such as visibility and issue filters for on-premises deployments, to manage false negatives effectively.

Auditors play a pivotal role in filtering out significant findings from scan results, eliminating the noise. Traditional auditing methods, however, can become a bottleneck in application security, often failing to align with the swift pace required by developers. This mismatch can lead to frustration with comprehensive SAST scanners like Fortify’s.

In response, Fortify has developed cutting-edge machine learning algorithms in collaboration with data scientists from our Security Analytics team. These algorithms, delivered in Audit Assistant 2.0, are trained on hundreds of millions of anonymized audit decisions drawn from historic Fortify on Demand (FoD) SAST scans. These innovations significantly reduce the time required for triage, offering actionable insights for swift issue resolution. These capabilities are built into FoD and are also available to on-premises deployments, where you have the option to train the algorithms on your own scan data.

Navigating the Landscape of True Positives

Addressing the influx of true positive findings presents its own set of challenges for developers and AppSec teams, each facing distinct pressures. Developers typically focus on rectifying critical vulnerabilities in compliance with policy guidelines, often sidelining moderate or low-severity issues. This selective approach leads to a growing backlog of lesser concerns, which, while not immediate threats, contribute to a broader "security technical debt." Conversely, AppSec teams are tasked with prioritizing high-risk vulnerabilities amidst an expanding list of lesser threats, inadvertently expanding the application's attack surface as these vulnerabilities remain unaddressed.

The Fortify SAST innovations for managing a high volume of true positive findings from scans are crucial for maintaining efficient workflows and ensuring that application security doesn’t become a bottleneck in the development process. Let’s delve deeper into these solutions, emphasizing their functionalities and benefits.

Tailoring Scan Depth with Speed Dial

Speed Dial is a feature that empowers developers to adjust the depth of static testing according to the application's specific requirements. This functionality acknowledges that not all development phases or applications necessitate the same level of scrutiny. By offering developers the ability to modulate scan depth, Speed Dial enables a more dynamic approach to application security.

For instance, during early development stages or for less critical applications, developers might opt for a less in-depth scan, which can speed up the scan process by as much as 50%. This flexibility ensures that deeper, more comprehensive scans are reserved for critical development milestones, such as release candidates or high-risk applications, thereby optimizing the balance between scan thoroughness and development agility. This approach not only enhances efficiency but also significantly reduces the volume of findings, allowing teams to concentrate on the most pertinent issues. Here’s a video showing this feature.

Streamlining Triage with Smart View

Smart View, available in the Audit Workbench, provides a sophisticated visual representation of dataflow issues within the application's code.

This feature dramatically simplifies the process of identifying and understanding the paths through which vulnerabilities can be exploited. By presenting a clear, intuitive map of how data moves through the system and where potential security breaches could occur, Smart View enables developers and security analysts to swiftly pinpoint critical vulnerabilities and strategize optimal remediation or triage approaches. This capability is particularly valuable when dealing with a large number of true positive findings, as it helps prioritize issues based on their potential impact, ensuring that the most critical vulnerabilities are addressed promptly. The visual context provided by Smart View facilitates more informed decision-making, streamlining the triage process and reducing the time required to secure the application. Check out this video for a demonstration of Smart View.

Automating Remediation with Mobb Integration

Fortify’s partnership with Mobb introduces an innovative, automated approach to resolving common vulnerabilities. Mobb's technology, seamlessly integrated with Fortify SAST, leverages automation to simplify the remediation process, allowing developers to tackle multiple issues simultaneously with strategic code changes.

One of the standout features of this collaboration is Mobb's 'PowerUp' functionality, which guides developers through the process of applying effective, efficient fixes to identified vulnerabilities. This not only accelerates the remediation process but also enhances the quality of the fixes, ensuring that vulnerabilities are not only patched but done so in a way that fortifies the application against similar issues in the future. The Mobb integration represents a significant step forward in making vulnerability management more proactive and less disruptive to development workflows, empowering developers to maintain high security standards without compromising on productivity. Discover more in our demonstration video.

Summary

The apprehension among developers regarding the potential disruptiveness of SAST triage, and the negative perceptions surrounding SAST tools, often stem from past experiences or hearsay. This underscores the importance of addressing these concerns directly and effectively. Through this blog post, I aim to dispel such misconceptions by showcasing Fortify SAST's robust research foundation, its advanced capabilities, and the innovative solutions we've developed to streamline both the development process and the application security workflow. Our commitment is to empower developers to navigate the complexities of application security with confidence and ease, ensuring they are fully aware of the benefits that Fortify SAST offers without compromise.

To specifically address the challenges posed by a high volume of true positive findings, Fortify SAST has introduced cutting-edge solutions—Speed Dial, Smart View, and our integration with Mobb. By providing these advanced, user-friendly tools, we emphasize our dedication not just to delivering high-quality security analysis but also to enhancing the practicality and effectiveness of our solutions in real-world development environments. Together, these innovations enable developers and AppSec teams to maintain efficient workflows while upholding the highest security standards, reflecting our ongoing efforts to support developers in securing their applications more effectively and with less friction.