Custom Tags

To audit code in Fortify Software Security Center, the security team examines analysis results (FPR) and assigns values to “tags” that are associated with application issues. The development team can then use these tag values to determine which issues to address and in what order.

Fortify Software Security Center provides a single default tag named “Analysis” to enable application auditing out of the box. Valid values for the Analysis tag are Exploitable, Not an Issue, Suspicious, Reliability Issue, and Bad Practice. You can modify the Analysis tag attributes, revise the tag values, or add new tag values based on your auditing needs.

To refine your auditing process, you can define your own custom tags. Like the Analysis tag, your custom tag definitions are stored in an issue template that you can associate with a Fortify Software Security Center application version. For example, you could create a custom tag used to track the sign-off process for an issue. After a developer audits his own issues, a security expert can review those same issues and mark each as “approved” or “not approved.”

Note: Fortify Audit Workbench users can add custom tags to their projects as they audit them. However, if these custom tags are not defined in Fortify Software Security Center for the issue template associated with the corresponding application version, then the new custom tags are lost after the Audit Workbench user uploads an FPR file to Fortify Software Security Center.

Topics covered in this section: