Micro Focus addresses this issue through the Fortify scan analytics platform. For the past three years, we have been employing machine learning techniques in the security audit process. This began with the Fortify on Demand SaaS platform and has since been integrated into the on-premises versions as well.
Fortify Audit Assistant identifies the exploitable vulnerabilities relevant to an organization in new static scan results. It does this with scan analytics machine-learning classifiers that are trained on anonymous metadata from scan results that were previously audited by software security experts. The scan analytics platform delivers this capability as a web service in the cloud, enriching SCA scan results with audit predictions of up to 98 percent accuracy.
Fortify Audit Assistant enables machine learning-assisted auditing and leverages the security expertise of the entire Fortify security community without transmitting any sensitive information. Audit Assistant transmits only anonymized metadata derived from the scan results (called anonymous issue metrics). Issues reported by the proven Fortify Static Code Analyzer are parsed by Fortify Audit Assistant into non-sensitive attributes. These attributes include the vulnerability category, severity, and measures of code and vulnerability complexity, such as the number of inputs, branches, method output types, the programming language, the file extension, and the analyzer that found the issue. For training data, the auditor's previous determination is also included. The anonymized issue metrics are sent to Fortify scan analytics to train and apply machine-learning classifiers, which identify issues with up to 98 percent accuracy.
Figure: Fortify Audit Assistant
After processing a new static scan result, Fortify Audit Assistant adds its prediction and prediction confidence to the scan results. Based on an organization’s risk tolerance and preconfigured confidence thresholds, the issues will then be categorized as Exploitable, Indeterminate, or Not an Issue.
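To make the flow described above concrete, here is an added illustrative model of the two steps the text names: reducing a raw finding to anonymous issue metrics, and mapping a returned prediction plus confidence to Exploitable, Indeterminate, or Not an Issue under an organization's thresholds. This is example code written for this page, not Fortify's implementation; the field names, the risk profiles and their threshold values, and the sample predictions are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Attributes the page lists as anonymous issue metrics. Anything not named here
# (file path, source text, identifiers) is deliberately dropped before transmission.
METRIC_FIELDS = ("category", "severity", "num_inputs", "num_branches",
                 "output_type", "language", "file_extension", "analyzer")

def to_issue_metrics(finding: dict, auditor_verdict: Optional[str] = None) -> dict:
    """Reduce a raw SCA finding to its non-sensitive attributes.
    For training data the auditor's prior determination is attached as well."""
    metrics = {k: finding[k] for k in METRIC_FIELDS if k in finding}
    if auditor_verdict is not None:
        metrics["auditor_verdict"] = auditor_verdict
    return metrics

@dataclass(frozen=True)
class RiskProfile:
    """Confidence thresholds an organization sets from its risk tolerance (hypothetical values)."""
    exploitable_min: float    # accept an 'exploitable' prediction at/above this confidence
    not_an_issue_min: float   # accept a 'not an issue' prediction at/above this confidence

# A lower tolerance for missed findings demands more confidence before auto-closing an issue.
CONSERVATIVE = RiskProfile(exploitable_min=0.70, not_an_issue_min=0.95)
BALANCED = RiskProfile(exploitable_min=0.70, not_an_issue_min=0.85)

def triage(prediction: str, confidence: float, profile: RiskProfile) -> str:
    """Map a prediction and its confidence to the three buckets named on the page."""
    if prediction == "exploitable" and confidence >= profile.exploitable_min:
        return "Exploitable"
    if prediction == "not_an_issue" and confidence >= profile.not_an_issue_min:
        return "Not an Issue"
    return "Indeterminate"   # left for a human auditor

def triage_batch(predicted: list, profile: RiskProfile) -> dict:
    """Count the buckets and report the share of issues removed from the manual queue."""
    counts = {"Exploitable": 0, "Indeterminate": 0, "Not an Issue": 0}
    for prediction, confidence in predicted:
        counts[triage(prediction, confidence, profile)] += 1
    counts["non_issue_reduction"] = counts["Not an Issue"] / len(predicted)
    return counts

# Constructed sample: (prediction, confidence) pairs as a scan-analytics service might return them.
SAMPLE_PREDICTIONS = [
    ("not_an_issue", 0.99), ("not_an_issue", 0.90), ("not_an_issue", 0.60),
    ("exploitable", 0.97), ("exploitable", 0.55),
]
```

Running `triage_batch(SAMPLE_PREDICTIONS, ...)` with both profiles shows the trade-off the page describes: the conservative profile auto-closes fewer issues and leaves more for human review.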
Fortify Audit Assistant dramatically reduces the human time and effort spent identifying non-issues, for example issues that aren't exploitable because mitigations are already in place, issues in code that isn't reachable by design, issues accepted as part of the organization's risk profile, and false positives.
Fortify Audit Assistant can achieve:
- Non-issue reduction of 25%-90%
- Accuracy of 80%-98%
- A false negative rate less than 1%
- Up to 58% reduction in manual audit times
This approach and the results it achieves do not fully remove the need for human experience. There will always be areas where human context, skill, and experience are required to ensure that audits are as accurate and valuable as possible. However, applying machine learning techniques dramatically reduces the human time and effort required, enabling security teams to focus on a much smaller number of issues and keep pace with development cycles.