Defining Prediction Policies

To use Fortify Audit Assistant, you must define at least one prediction policy that Fortify Audit Assistant can use to determine which issues to treat as exploitable, false positives, or indeterminate. For more information, see About Prediction Policies.

To define a prediction policy:

  1. Log in to Fortify Audit Assistant (https://analytics.fortify.com), or, if this is your first time setting up .

  2. Note: If you are using Fortify Audit Assistant On Premises, the URL you use to log in will be specific to your installation.
  3. On the right side of the display near the top, select Audit Assistant G2 from the selector button.
  4. On the OpenText header, select PREDICTION POLICIES.

    The Prediction Policies | Add page appears.

  5. Click the +ADD button.
  6. In the Details section:

    • Type a name for your prediction policy in the Name field.

    • (Optional) Type a description of the prediction policy in the Description field.

    • Select Fortify data from the Audit Assistant training data selector.

    In the right pane are two confidence threshold settings you use to configure which issues Audit Assistant treats as Exploitable or False Positive.

    Audit Assistant results include the following:

    • The AA_Prediction value groups issues based on Audit Assistant’s assessment of their exploitability. Possible values are Exploitable, Indeterminate (Below Exploitable threshold), Not an issue, Indeterminate (Below Not An Issue threshold), and Not Predicted.

      Note: Audit Assistant only predicts on dataflow and control flow static analysis issues.

    • The AA_Confidence value (percentage value that ranges from 0.00 to 1.00) shows Audit Assistant's level of confidence in the AA_Prediction value. If the AA_Confidence value falls below either of the confidence thresholds you set here for the prediction policy, then Audit Assistant treats the issue as indeterminate and assigns it the AA_Prediction value Not Predicted.
  7. Set the Prediction Confidence Threshold sliders, Exploitable and False Positive, to acceptable levels for the applications running in your environment.

    Note: The higher you set the confidence threshold values, the lower the number of issues identified as Exploitable or False Positive. Start with the default confidence thresholds (80%) and adjust them as needed to get the best outcomes for your environment.

  8. Click SAVE.
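The trade-off behind the two sliders in step 7, as an added example (not Fortify code and not an Audit Assistant API): it sweeps candidate thresholds over a constructed set of predictions and counts how many issues end up exploitable, false positive, or indeterminate. The `Issue` fields, the `exploitable` / `not_an_issue` class labels, and the sample data are assumptions, as is treating a confidence exactly at the threshold as meeting it.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Per the note above, only dataflow and control flow issues get a prediction.
PREDICTED_ANALYSES = {"dataflow", "controlflow"}

@dataclass(frozen=True)
class Issue:
    issue_id: str               # constructed identifier
    analysis: str               # hypothetical field: analysis that found the issue
    model_class: Optional[str]  # assumed labels: "exploitable" / "not_an_issue"
    confidence: float           # AA_Confidence, 0.00 to 1.00

def treat(issue, exploitable_threshold=0.80, false_positive_threshold=0.80):
    """Return how a policy with these thresholds treats one issue."""
    for value in (exploitable_threshold, false_positive_threshold, issue.confidence):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"expected a value in [0, 1], got {value!r}")
    if issue.analysis not in PREDICTED_ANALYSES or issue.model_class is None:
        return "indeterminate"  # no prediction, so it stays with a human auditor
    if issue.model_class == "exploitable":
        threshold, outcome = exploitable_threshold, "exploitable"
    elif issue.model_class == "not_an_issue":
        threshold, outcome = false_positive_threshold, "false positive"
    else:
        raise ValueError(f"unknown model class {issue.model_class!r}")
    # Assumption: "falls below" means strictly below, so equality passes.
    return outcome if issue.confidence >= threshold else "indeterminate"

def sweep(issues, thresholds):
    """Count treatments with both sliders set to each candidate threshold."""
    return {t: Counter(treat(i, t, t) for i in issues) for t in thresholds}

# Constructed sample data, not output from a real scan.
SAMPLE_ISSUES = [
    Issue("A1", "dataflow", "exploitable", 0.97),
    Issue("A2", "dataflow", "exploitable", 0.80),
    Issue("A3", "controlflow", "exploitable", 0.62),
    Issue("A4", "dataflow", "not_an_issue", 0.91),
    Issue("A5", "controlflow", "not_an_issue", 0.79),
    Issue("A6", "dataflow", "not_an_issue", 0.55),
    Issue("A7", "structural", None, 0.0),
]

if __name__ == "__main__":
    for t, counts in sweep(SAMPLE_ISSUES, [0.60, 0.80, 0.95]).items():
        print(f"threshold {t:.0%}: {dict(counts)}")
```

On this sample, raising both thresholds from 60% to 95% moves the indeterminate count from 2 to 6 of 7 issues, which is the manual review load the policy leaves behind.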

See Also

About Prediction Policies

Configuring Audit Assistant

Configuring Audit Assistant Options for an Application Version