Hello, I'm using Fortify SCA, new to the community. I would like to get the community's thoughts on best practices for confirming that SAST scan findings are false positives. I know it's a team effort, and there is trust involved between the sec team and dev team. But what resources are recommended when neither team knows how to fix a finding, multiple solutions are thrown into the code to mitigate it, but the finding still shows up and is suspected to be a false positive? What can we do besides say "it's probably a false positive" and move on?
I found OWASP cheatsheets that show what a specific vulnerability might look like in code; it wasn't quite specific enough to help with my current needs, but it's the closest I've gotten.
Can the community chime in with some best practices or how to progress in this arena or other related advice?
Ideally I'm looking for a resource/cheatsheet where I can match up a CWE to a method that fixes it, but I'm sure that's oversimplified.
Any help is much appreciated.
Thanks all.