I look forward to the other responses your question may bring!

For initial Issue Auditing, we would recommend enabling the Audit Assistant feature with your SSC Server.  This permits you to submit the metadata of your Issues to our Scan analytics portal for comparison and calculation.  the turn-around time is very fast, and this submission can also be set to an Automated Submission with each scan upload.  This feature will add several "AA_" tags to your Issues, such as AA_Prediction, which is the Audit Status the Scan analytics AI would have assigned to the Issue.  If you also enabled the Auto-Apply option, then the Audit Status would be set to that AA_Prediction value automatically after the AA review.  While this feature applies to only two (rather noisy) Analysis Engines out of the 7+ used by SCA, the Audit Assistant feature can help pre-Audit a good number of Issues for you.  Also, there are plans to revamp and improve the Audit Assistant this Fall/Winter ("Audit Assistant 2.0").

Refs:

• https://www.microfocus.com/en-us/cyberres/application-security/audit-assistant 
  • Notice several white papers towards the bottom...
  • https://www.microfocus.com/media/white-paper/leveling-up-fortifys-audit-assistant-ai-wp.pdf 
• https://www.youtube.com/watch?v=P9fJVdgrjWY&t=28s - "Reducing False Positives with Audit Assistant"

There are also several scan configuration and Filtering features you might utilize to minimize the number of Issues you are facing.

Refs:

• "Reducing the Noise with Fortify" - https://www.youtube.com/watch?v=6CjUVA3I_rk  (particularly after 3:30 minutes)

Don't neglect the basics!, such as:

- never neglecting the product documentation!

• https://www.microfocus.com/en-us/support/documentation (search for "fortify")
• And stay up-to-date

- leveraging the Scan Wizard where needed to minimize human error in configuring your SCA scans, or just reverse-engineering the output script to learn more.

- leveraging Audit Workbench (AWB) for review and mark-up.

• https://www.youtube.com/watch?v=HFKKSJfX85w - "Using results from Fortify Static Code Analyzer"
• https://www.youtube.com/watch?v=XbhSHXxdI-c - "Filtering Issues in Fortify Audit Workbench (AWB)"

I look forward to the other responses your question may bring!

For initial Issue Auditing, we would recommend enabling the Audit Assistant feature with your SSC Server.  This permits you to submit the metadata of your Issues to our Scan analytics portal for comparison and calculation.  the turn-around time is very fast, and this submission can also be set to an Automated Submission with each scan upload.  This feature will add several "AA_" tags to your Issues, such as AA_Prediction, which is the Audit Status the Scan analytics AI would have assigned to the Issue.  If you also enabled the Auto-Apply option, then the Audit Status would be set to that AA_Prediction value automatically after the AA review.  While this feature applies to only two (rather noisy) Analysis Engines out of the 7+ used by SCA, the Audit Assistant feature can help pre-Audit a good number of Issues for you.  Also, there are plans to revamp and improve the Audit Assistant this Fall/Winter ("Audit Assistant 2.0").

Refs:

• https://www.microfocus.com/en-us/cyberres/application-security/audit-assistant 
  • Notice several white papers towards the bottom...
  • https://www.microfocus.com/media/white-paper/leveling-up-fortifys-audit-assistant-ai-wp.pdf 
• https://www.youtube.com/watch?v=P9fJVdgrjWY&t=28s - "Reducing False Positives with Audit Assistant"

There are also several scan configuration and Filtering features you might utilize to minimize the number of Issues you are facing.

Refs:

• "Reducing the Noise with Fortify" - https://www.youtube.com/watch?v=6CjUVA3I_rk  (particularly after 3:30 minutes)

Don't neglect the basics!, such as:

- never neglecting the product documentation!

• https://www.microfocus.com/en-us/support/documentation (search for "fortify")
• And stay up-to-date

- leveraging the Scan Wizard where needed to minimize human error in configuring your SCA scans, or just reverse-engineering the output script to learn more.

- leveraging Audit Workbench (AWB) for review and mark-up.

• https://www.youtube.com/watch?v=HFKKSJfX85w - "Using results from Fortify Static Code Analyzer"
• https://www.youtube.com/watch?v=XbhSHXxdI-c - "Filtering Issues in Fortify Audit Workbench (AWB)"

very interesting - I didnt know about this. I know we have NEVER turned on AA - which is bordering on insane IMHO. To be fair we have a single SSC with a 12TB Database ... so even turning the SSC on is a challenge!

In our company we publish Corporate Standards. The tools is tailored to highlight issues according to our standard (but we really should use CWE).

We have a validation team to sample projects. BUT it is the team's responsibility to comply - and they are generally pretty good at this.