As of October 2018, Fortify Secure Coding Rulepacks detected an industry-leading 788 unique categories of vulnerabilities across 25 programming languages, spanning over 1,007,000 individual APIs. Just take a minute and let that sink in. 788 unique categories!
This thorough level of coverage in Static Application Security Testing (SAST) is crucial to assessing the true risk applications pose to the organization. The real issue, however, is that the raw findings of the SAST tool are not actionable because they lack valuable contextual information. To address this, a human auditor must review the raw findings to determine their exploitability. This takes time. Lots of time. Some Fortify customers have said that 50% of their application security testing effort is spent on auditing. Even worse, when an auditor determines that a potential software security vulnerability is “Not an issue”, the time spent on verification is non-value-added time, coming at a significant cost to the organization.
If a potential security vulnerability is marked an “Issue”, it must be remediated through changes to the code base or mitigated via alternate controls. The problem is that waiting for the human audit meant these issues were found days, sometimes weeks, after the static scan was done, causing friction for developers who then have to switch gears to mitigate the issue.
Manual auditing was a significant bottleneck for mitigation efforts until Fortify introduced the first-to-market machine-learning Audit Assistant. With automated auditing technology from Micro Focus Fortify, the time spent on the auditing process is drastically reduced. Fortify Audit Assistant predicts the exploitability of raw findings with 97% average accuracy. Fortify customers using Audit Assistant have seen benefits such as a 58% reduction in manual audit times in its first year of limited adoption with internal teams.
Learn more about Fortify Audit Assistant in the brand new whitepaper, Increase Efficiency with Automated Auditing of Static Scans with Fortify, or in the Fortify Unplugged video, Reduce false positives with Fortify Audit Assistant!