Confirming false positives

Hello, I'm using Fortify SCA and new to the community. I would like to get the community's thoughts on best practices for confirming that SAST scan findings are false positives. I know it's a team effort, and there is trust involved between the sec team and the dev team. But what resources are recommended when neither team knows how to fix a finding, multiple solutions are thrown into the code to mitigate it, but the finding still shows up and is suspected to be a false positive? What can we do besides say "it's probably a false positive" and move on?

I found OWASP cheat sheets that show what a specific vulnerability might look like in code. It wasn't quite specific enough to help with my current needs, but it's the closest I've gotten.

Can the community chime in with some best practices or how to progress in this arena or other related advice?

Ideally I'm looking for a resource/cheat sheet that I can use to match up a CWE to a method that fixes it, but I'm sure that's oversimplified.

Any help is much appreciated. 

Thanks all.
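One way to get past "it's probably a false positive" is to settle the question empirically: write a small harness that drives the same attacker-shaped inputs through the flagged code path and records what actually reaches the sink. A taint-tracking scanner typically only clears a finding when the data passes through a sanitizer it recognises, so a home-grown validator can leave the finding open even when the code is safe; the harness is the evidence for the audit comment either way. The example below is added here and is not the poster's code or anything from Fortify; the table, the three hypothetical `lookup_*` functions and the payload list are all constructed for illustration. It models a CWE-89 (SQL injection) finding on a query builder and compares the flagged concatenation, an allow-list validator the dev team might have added, and a parameterised query.

```python
"""Constructed harness for deciding whether a SQL injection finding is
exploitable. Hypothetical example; nothing here comes from the original post.
"""
import re
import sqlite3

BASELINE = "alice"  # a real user name, used as the benign control

# Payloads an auditor would try against a CWE-89 finding. None of these is a
# real user name, so any rows they return came from SQL the attacker shaped.
INJECTION_PAYLOADS = [
    BASELINE,
    "' OR '1'='1",               # classic tautology
    "'; DROP TABLE users; --",   # stacked statement
    'alice" OR 1=1 --',          # wrong quote style for this sink
]


def build_db():
    """Fresh in-memory table so a destructive payload cannot poison later runs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


# The code a scanner flags: tainted input concatenated into the statement.
def lookup_concat(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


# The same sink behind an allow-list validator. A scanner that does not know
# this regex as a cleanse function will still report it, but it is not
# exploitable with these payloads.
_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_validated(conn, name):
    if not _NAME_RE.fullmatch(name):
        raise ValueError("rejected by allow-list")
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


# The fix a scanner recognises: the value never becomes part of the SQL text.
def lookup_param(conn, name):
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def probe(lookup):
    """Map each payload to 'rejected', 'error', or the number of rows returned."""
    outcome = {}
    for payload in INJECTION_PAYLOADS:
        conn = build_db()
        try:
            outcome[payload] = len(lookup(conn, payload))
        except ValueError:
            outcome[payload] = "rejected"      # validator stopped it early
        except (sqlite3.Error, sqlite3.Warning):
            outcome[payload] = "error"         # reached the SQL parser intact
        finally:
            conn.close()
    return outcome


def is_exploitable(lookup):
    """True if any attack payload pulled rows it was never entitled to."""
    outcome = probe(lookup)
    return any(isinstance(result, int) and result > 0
               for payload, result in outcome.items() if payload != BASELINE)


if __name__ == "__main__":
    for fn in (lookup_concat, lookup_validated, lookup_param):
        print(f"{fn.__name__:18s} exploitable={is_exploitable(fn)} {probe(fn)}")
```

An `error` outcome is worth recording even when nothing is exploitable: it means the quote characters reached the SQL parser unescaped, which is exactly the taint path the scanner is reporting, and a different payload or database driver may turn it into data access. If the harness shows the finding is unexploitable only because of a validator the tool does not know about, the options are to attach the harness and its results to the audit comment when marking the finding, or to switch to the parameterised form so the scanner clears it on its own.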

  • Very interesting, I didn't know about this. I know we have NEVER turned on AA, which is bordering on insane IMHO. To be fair, we have a single SSC with a 12TB database, so even turning the SSC on is a challenge!

    In our company we publish Corporate Standards. The tool is tailored to highlight issues according to our standard (but we really should use CWE).

    We have a validation team to sample projects. BUT it is the team's responsibility to comply, and they are generally pretty good at this.