White Paper

Increase Efficiency with Automated Auditing of Static Scans with Fortify

How auditing automation utilizing machine learning will save your organization time and money with an average of 97% accuracy

Table of Contents

Executive Summary 1
Introduction 2
Unlocking the Power of Predictive Machine Learning 5
The Value of Automating Audits 7
Conclusion 8

Executive Summary

Static Application Security Testing (SAST) tools uncover potential weaknesses in applications by scanning source, byte, and binary code. As of December 2020, Fortify Secure Coding Rulepacks detected an industry-leading 817 unique categories of vulnerabilities across 27 programming languages, spanning over one million individual APIs. This thorough level of coverage is crucial to assessing the true risk applications pose to the organization; however, raw findings are not actionable because they lack valuable contextual information. A human auditor must review raw findings to determine exploitability by considering the environment, existing mitigations, and business logic specific to each application. Time spent auditing raw findings has accounted for the bulk of security and development teams' non-value-added time for the nearly two decades that SAST has been available. With automated auditing technology from Micro Focus Fortify, the time spent on the auditing process is drastically reduced.
Fortify Audit Assistant predicts the exploitability of raw findings with 97% average accuracy. Fortify customers using Audit Assistant have seen benefits such as a 58% reduction in manual audit times in its first year of limited adoption with internal teams. Automating audits of static application security findings proved its value with verifiable savings of time and effort. Audit Assistant amplifies the SAST return on investment in three major ways:

- Reducing the number of issues needing deep manual examination
- Identifying relevant issues and removing false positives sooner
- Scaling application security with existing resources

Benefits for Security Teams

By reducing the number of issues needing manual examination, auditors can focus their time on deeper dives into fewer findings, using their skills more effectively. The organization may retain top security talent more easily with interesting investigations and manageable vulnerability counts. Security teams can audit more applications with the same resources, leveraging machine learning to automatically remove uninteresting findings and validate high-confidence findings.

Benefits for Development Teams

The organization may incentivize top talent more easily when remediation efforts become frictionless. Development teams can efficiently focus only on mitigating the most relevant issues, start fixing high-confidence issues immediately after a static security scan is complete, and dramatically reduce the wait time introduced by human auditing of scan results. The organization may attract top development talent more easily when security is a seamless part of the culture rather than a nuisance or gatekeeper.

Introduction

Software vulnerabilities are a serious problem, and the software development process is often not controlled in a way that minimizes them.
SAST enables organizations to identify, monitor, and reduce the business risk from an application’s source code. It has been widely recognized as a necessary component of securing the digital enterprise for nearly two decades. SAST tools report