Utpal Mondal

how to reduce WebApp false positive analysis effort

Hi All, as our team is spending too much time on validating the WebApp findings by WebInspect, whether those are false positive or not, is there any idea of automation for reducing WebApp false positive analysis effort? I am looking forward to it.

 

Utpal Mondal

Re: how to reduce WebApp false positive analysis effort

True False Positives in WebInspect have been rare for quite some time. The place I see them most now is when the site provides a 200 OK or other status code rather than a standard 404 when a page does not exist. The symptom with such a "friendly site" is to have many Low (blue) findings on the Site Tree, and that the pages listed on the Site Tree include ancient and rarely seen items such as nc.exe or robots.txt. The HTTP Response for these pages/sessions will show the problem as you read and click through them for comparison. The "Fix" for this scenario is to add a Custom File Not Found signature to the File Not Found scan settings panel. This should match unique text of the friendly error HTTP Response's raw text. On subsequent scans, WebInspect will toss out those HTTP Responses that match that as being 404 equivalents, making the scan's crawl more efficient ("less sessions to be audited") and thereby limiting those types of FP.

 

If you have legitimate items you have been marking as FP, you can save time by carrying those over to WebInspect in subsequent scans. This is done during the scan wizard as Import False Positives, or after the scan completes by importing FP in the False Positives UI pane (just under the Dashboard and Traffic Monitor UI links). Either method permits you to reference a prior scan where you had marked FP, and then those items will be filtered from the current scan's results. I believe it permits the import of more than one prior scan's FPs.

Moreover, please submit these FP to Fortify support (support.fortify.com) so we can have our research team review them. If there is a defect in one or more of our checks, they would be the ones capable of adjusting and correcting it, and the updated check would benefit all users later via SmartUpdate.

 

If there are select checks that you wish to discredit entirely, you might consider creating a customized copy of your desired scan Policy with those check(s) disabled. To set this, you would open the Policy Manager > File menu > New (selected Policy) > Search view > "check#" + "is" + "{offending check's ID#}" > disable its checkbox, then save and use that scan Policy in subsequent scans. This method is a little crude, as it assumes you never want to see that finding again for those scans, and have assumed that all instances of it may be FP. Again, this is another case where our research team would benefit from your scan data and feedback.

 

Fortify's SSC Server collects both SAST and DAST scan results from Fortify SCA and HPE WebInspect, and it offers a free, automated Audit Assistant feature to save on the manual, human review of Issues. This feature submits the Issue details to our Scan Analytics machine-learning system (cloud tenant) and then auto-assigns the appropriate Analysis tag for all of those submitted Issues, with a very high Confidence level. Unfortunately, this is a relatively new feature and I am not sure if it covers DAST findings at all. It may only be useful for SAST code scan results at this time.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
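The "friendly 404" scenario from the first paragraph of the reply, as an added example (not WebInspect's own logic and not code from either poster): given the responses captured for a few paths that cannot exist on your own site, it checks whether the site answers them with a non-404 status and one near-identical error page, and proposes the text fragment you would paste into the Custom File Not Found signature. All sample responses and the `ACME Store` page are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (not captured from a real site): one page known to exist and
# three requests for paths that cannot exist. All three come back 200 instead of 404.
REAL_PAGE = (200, "<html><body><div id=hdr>ACME Store</div><h1>Welcome</h1>"
                  "<p>Catalog</p></body></html>")
FRIENDLY_404 = ("<html><body><div id=hdr>ACME Store</div>"
                "<h1>Oops! We could not find that page.</h1>"
                "<p>Requested: {}</p></body></html>")
PROBES = [(200, FRIENDLY_404.format(p)) for p in ("/zq8k1.html", "/nc.exe", "/robots.txt")]

TAG_OR_WS = re.compile(r"<[^>]+>|\s{2,}")


def is_friendly_404(probes, threshold=0.9):
    """True when every probe of a non-existent path returns a non-404 status and the
    bodies are near-identical, i.e. the site serves one 'friendly' error page."""
    statuses = [status for status, _ in probes]
    if len(probes) < 2 or 404 in statuses:
        return False
    first = probes[0][1]
    return all(SequenceMatcher(None, first, body).ratio() >= threshold
               for _, body in probes[1:])


def text_segments(body):
    """Visible text fragments of an HTML body, split on tags and whitespace runs."""
    return {seg.strip() for seg in TAG_OR_WS.split(body) if seg.strip()}


def suggest_signature(probes, real_page, min_len=12):
    """Longest text fragment present in every friendly-404 body but absent from a real
    page. Fragments that differ between probes (here the echoed path) drop out on
    their own, which is why several random paths are probed rather than one."""
    common = set.intersection(*(text_segments(body) for _, body in probes))
    unique = [seg for seg in common - text_segments(real_page[1]) if len(seg) >= min_len]
    return max(unique, key=len) if unique else None


if __name__ == "__main__":
    if is_friendly_404(PROBES):
        print("Friendly 404 detected; candidate Custom File Not Found signature:")
        print(suggest_signature(PROBES, REAL_PAGE))
```

Replace the constructed tuples with the status and raw body of real responses to a few random non-existent paths (plus one real page) on the site you are scanning; the proposed fragment is a starting point to verify against the raw HTTP Response text before saving it in the File Not Found settings.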