In AppSec, security scan noise is a problem that slows down fast-moving software development. Noise is any scanner output that the people receiving it consider irrelevant or not worth acting on. If there is too much of it, the rollout of the tool itself suffers:
- Security auditors can be swamped triaging results
- If the noise reaches developers directly, they may lose confidence in the tool and start ignoring it
A subset of scan findings are cases where the Fortify static scan tool worked exactly as intended, but the issue is considered irrelevant because of its context, the organisation's risk appetite, and similar factors. This explainer video walks through several tools within Fortify that help reduce that noise.
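To make the "worked as intended, but irrelevant in context" idea concrete, here is a small context-based triage filter. It is an added illustration and not Fortify's own code, file format or filter syntax: the findings, rule names, paths and the triage policy are all constructed for the example. The point is that every suppression is driven by an explicit, recorded reason (out-of-scope path, an accepted risk, or a severity below the threshold routed to developers), so that noise is reduced without silently losing findings.

```python
"""Context-based triage of static-analysis findings.

Added example, not Fortify's own code or output format. Findings, rule names,
paths and policy values below are constructed for illustration.
"""
from dataclasses import dataclass, field

SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class Finding:
    rule: str          # scanner category, e.g. "SQL Injection" (illustrative names)
    severity: str      # one of SEVERITY_ORDER's keys
    path: str          # file the finding was reported in
    line: int
    disposition: str = "untriaged"   # filled in by triage()
    reason: str = ""                 # why it was suppressed, if it was


@dataclass
class TriagePolicy:
    # Paths where findings are real but out of scope (test fixtures, vendored code).
    out_of_scope_prefixes: tuple = ("test/", "tests/", "third_party/")
    # Rule categories the organisation has accepted, mapped to the justification.
    accepted_rules: dict = field(default_factory=dict)
    # Findings at or above this severity go straight to developers; lower ones
    # go to the auditor backlog instead of interrupting the team.
    developer_min_severity: str = "High"


def triage(findings, policy):
    """Route findings into developer, auditor and suppressed buckets.

    Suppression is never silent: each suppressed finding carries a reason so the
    decision can be audited later if the context (or the risk appetite) changes.
    """
    buckets = {"developers": [], "auditors": [], "suppressed": []}
    for f in findings:
        if any(f.path.startswith(p) for p in policy.out_of_scope_prefixes):
            f.disposition, f.reason = "suppressed", "out-of-scope path"
        elif f.rule in policy.accepted_rules:
            f.disposition, f.reason = "suppressed", policy.accepted_rules[f.rule]
        elif SEVERITY_ORDER[f.severity] >= SEVERITY_ORDER[policy.developer_min_severity]:
            f.disposition = "developers"
        else:
            f.disposition = "auditors"
        buckets[f.disposition].append(f)
    return buckets


# Constructed sample scan output (not real scanner data).
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "Critical", "src/orders/repo.py", 42),
    Finding("Cross-Site Scripting: Reflected", "High", "src/web/views.py", 17),
    Finding("Hardcoded Password", "High", "tests/fixtures/db.py", 3),
    Finding("System Information Leak", "Low", "src/web/errors.py", 88),
    Finding("Use of System Output Stream", "Low", "src/cli/main.py", 5),
]

# Hypothetical policy: stdout logging is accepted for a CLI tool.
SAMPLE_POLICY = TriagePolicy(
    accepted_rules={"Use of System Output Stream": "CLI tool; stdout is the intended log sink"},
)


def run_sample():
    """Triage the constructed sample and return the buckets."""
    return triage(SAMPLE_FINDINGS, SAMPLE_POLICY)


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            note = f" ({f.reason})" if f.reason else ""
            print(f"  [{f.severity}] {f.rule} at {f.path}:{f.line}{note}")
```

Two practical caveats. A blanket path rule is the cheapest way to cut noise but also the easiest way to hide something real (a hard-coded production credential sitting in a test fixture is still a leaked credential), so such rules deserve periodic review rather than permanent trust. And the recorded reason is what separates a tuned scan from a muted one: when risk appetite changes, the suppressed bucket can be re-examined instead of re-discovered.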