Differences between static analysis findings and dynamic analysis issues

Understand the differences between findings and issues so that reports make sense.

Understanding how dynamic analysis issues are displayed in reports

Reports for dynamic security issues contain logical issues. For each logical issue there might be one or more variants (variations, or slightly different ways) in which that issue was identified.

For example, for a particular HTTP request, several mutations are performed on that request and sent back to the web server. Many of these tests are identical except for the payload that is sent. In some cases it may be a single quote; in other cases, a bracket, etc. If these tests are positive, they most likely have the same root cause and are grouped together under one issue.

This reduces the triage effort required after the scan has completed. Many issues have 10 or more variants associated with them, so it reduces the amount of items in the report for the user to consume. It also makes sense during remediation when a developer is assigned an issue -- they can see several examples of how this vulnerability was detected, all together in one place.

Understanding how static analysis findings are displayed in reports

In AppScan® Source, findings are given a Severity and Classification. Classification is essentially the 'confidence' in a particular finding. The approach for importing and organizing AppScan Source static analysis findings is applied in much the same way as it is for dynamic analysis issues. In many cases, more than one finding applies to the same logical issue; the same root cause and fix will be applied.

These findings are grouped together in reports, treating each AppScan Source finding as a variant, or variation, of the same logical issue. During processing, one finding will produce one variant, except in rare cases where there might be an exact duplicate, in which case the duplicate is discarded. Statistics are presented during import to illustrate the breakdown of how findings are being processed and mapped to issues. This not only organizes related findings together, but reduces the overall effort in triaging these issues.

In AppScan Enterprise Server, issues are managed rather than individual findings, with the assumption that if an issue is a 'false positive', then all variations of that issue are also a false positive, and that if an issue is 'fixed', then all variations of that issue are also fixed.