Configuring Fortify Audit Assistant
Application Security can work with Fortify Audit Assistant to help determine whether the issues returned in Fortify Static Code Analyzer scan results represent true vulnerabilities.
In Fortify Audit Assistant, create one or more Generation 2 (G2) prediction policies; the policies you create must work with the G2 prediction model. For detailed instructions on how to define prediction policies in Fortify Audit Assistant, see the Fortify Audit Assistant Help in the Fortify Audit Assistant Documentation.
To configure Application Security to use Fortify Audit Assistant with your applications:
- Sign in as an Administrator.
- On the header, select Administration.
- On the navigation pane, expand Configuration, and then select Audit Assistant.
- Configure the settings on the Audit Assistant page as described in the following table.
Field
Description
Enable Audit Assistant check box
Select this check box to enable Fortify Audit Assistant.
Authentication token
(Required) Paste the authentication token you obtained from Fortify Audit Assistant here. For instructions on how to get a token, select How do I get a token?.
Fortify Audit Assistant server URL
(Required) Specify the URL for the Fortify Audit Assistant server.
Use SSC proxy for Audit Assistant
(Optional) If you configured a proxy for all Application Security integrations (see Configuring a proxy for Application Security integrations), you can select this check box to use that proxy for Fortify Audit Assistant.
- To test the connection to the Fortify Audit Assistant server, click TEST CONNECTION.
After the connection is tested successfully, you can configure the following settings in the Audit settings section.
- Click REFRESH POLICIES to populate the Default prediction policy list with the policies currently defined on the Fortify Audit Assistant server.
Fortify Audit Assistant prediction policies set for individual application versions can become invalid if the available policies are changed on the Fortify Audit Assistant server. Application Security verifies the new policies it receives from Fortify Audit Assistant every time a user clicks REFRESH POLICIES. If Application Security detects one or more invalid policies, it displays a table that maps each original policy to the changed policy. You can then identify each obsolete policy and map it to its valid replacement. Application Security updates the policies based on the changes you submit in the mapping table.
- From the Default prediction policy list, select the name of the prediction policy to apply to all application versions. (Policies are defined in Fortify Audit Assistant.)
- To specify prediction policies at the application version level, overriding the default global prediction policy, select Enable specific application version policies. Otherwise, Fortify Audit Assistant uses the default global prediction policy you specified in the previous step. To specify the policy for an application version, see Configuring Fortify Audit Assistant options for an application version.
- To enable Application Security to automatically send issues that have not yet been audited to Fortify Audit Assistant for assessment, select the Enable auto-predict check box. After you do, you must also enable this functionality for each application version (see Configuring Fortify Audit Assistant options for an application version). For information about the auto-predict feature, see About Audit Assistant auto-prediction.
- To apply the analysis values that Fortify Audit Assistant assigns to issues to your Analysis custom tag values system-wide, select the Enable auto-apply check box. After you do, you must also enable this functionality for each application version (see Configuring Fortify Audit Assistant options for an application version). Before you can use the auto-apply feature, you must first map Fortify Audit Assistant analysis tag values to Application Security Analysis tag values (see Mapping Fortify Audit Assistant analysis tag values to Application Security custom tag values).
- Click SAVE.
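The policy reconciliation that REFRESH POLICIES triggers (per-version policies that no longer exist on the server are flagged, then remapped through the mapping table you submit) can be modelled as follows. This is an added illustration, not Fortify's own code; the policy names, application versions and function names are constructed assumptions.

```python
# Constructed sample data: hypothetical policy names and application versions,
# not taken from any real Fortify Audit Assistant server.
VERSION_POLICIES = {
    "WebApp:1.0": "g2-strict",
    "WebApp:2.0": "g2-balanced",
    "PaymentsAPI:3.1": "g2-legacy",   # policy that was removed on the server
    "Mobile:1.2": None,               # no version-specific policy: uses the global default
}
SERVER_POLICIES = {"g2-strict", "g2-balanced", "g2-lenient"}  # what REFRESH POLICIES returned
DEFAULT_POLICY = "g2-balanced"


def find_invalid_policies(version_policies, server_policies):
    """Return {app_version: policy} for versions whose policy no longer exists on the server.

    Versions with no specific policy (None) inherit the global default and are not flagged.
    """
    return {v: p for v, p in version_policies.items()
            if p is not None and p not in server_policies}


def apply_policy_mapping(version_policies, server_policies, mapping):
    """Apply the obsolete -> replacement mapping submitted from the mapping table.

    Every replacement must be a policy that currently exists on the server, otherwise the
    mapping would simply create a new invalid assignment. The input dict is not mutated.
    """
    for old, new in mapping.items():
        if new not in server_policies:
            raise ValueError(f"replacement policy {new!r} for {old!r} is not on the server")
    updated = dict(version_policies)
    for version, policy in updated.items():
        if policy in mapping:
            updated[version] = mapping[policy]
    return updated


def effective_policy(version_policies, version, default_policy):
    """Policy Audit Assistant would use for a version: its own, or the global default."""
    return version_policies.get(version) or default_policy


if __name__ == "__main__":
    print("obsolete:", find_invalid_policies(VERSION_POLICIES, SERVER_POLICIES))
    fixed = apply_policy_mapping(VERSION_POLICIES, SERVER_POLICIES, {"g2-legacy": "g2-lenient"})
    print("updated:", fixed)
```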
Using Fortify Audit Assistant with Application Security
Fortify Audit Assistant workflow
Mapping Fortify Audit Assistant analysis tag values to Application Security custom tag values