Triage and analysis

Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.

When you scan code, the results appear as findings. Triage is the process of evaluating the findings and determining how to resolve them. The steps required to reach this goal depend on multiple factors, including the total number of findings, specific security concerns, the application risk assessment, and so forth. In addition to deciding whether a finding represents a valid security issue, triage also involves modifying the attributes of findings (severity, type, classification) when appropriate.

A triage strategy is important to ensure that you accomplish your goals in the order and time period that you want. Triage is best accomplished in an iterative fashion: in each iteration you evaluate a subset of findings and determine the disposition of that subset. There are many valid approaches for deciding how to define the triage iterations. One approach is to create subsets of the high-risk findings based on overall severity. You could start by resolving the findings that potentially present the most risk and move on to those that present the least. Another approach is to define subsets by security concern, such as SQL Injection or Validation Required.

Typically, a security analyst or IT auditor performs triage. The analyst or auditor may submit the findings that require code changes to a defect tracking system, and then to developers for remediation. In other instances, developers may triage and resolve issues.

During the triage phase, you can:

  • Review findings of particularly interesting vulnerability types
  • View APIs in a particular category
  • Compare findings in different assessments
  • Filter or exclude specific findings
  • Change the severity or vulnerability type of a finding
  • Promote suspect and scan coverage findings to definitive
  • Annotate findings
  • Submit defects to defect tracking systems or email findings to others

AppScan Source provides all of the necessary tools to analyze results using a variety of triage strategies. Filtering provides a means to view only the findings to be processed within a specific triage iteration. If your iterative strategy is by severity and classification, you can filter the findings from the Vulnerability Matrix view. If your iterative strategy is by Vulnerability Type, you can filter from the Assessment Summary view. AppScan Source for Analysis also provides a filter editor to support complex iterative approaches.

Once you select your triage approach, AppScan Source for Analysis supports the disposition of findings:

  • Exclude individual or collections of findings
  • Modify the finding details (type, severity, classification)
  • Create bundles (a grouping mechanism for findings)
  • Compare assessments with the Assessment Diff view
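The iterative strategies described above (subsets ordered by severity, subsets by vulnerability type) and the disposition actions in the list (exclude, modify classification, bundle, diff two assessments) can be expressed as plain operations over a list of finding records. The script below is an added example, not AppScan Source code and not its export format; the finding record layout, the sample findings, their file paths and line numbers are all constructed for illustration.

```python
"""Added example: triage operations over an exported list of findings.
The record layout and the sample data are constructed for this example;
they are not the AppScan Source assessment format."""
from collections import defaultdict

# Severity rank used to order triage iterations from most to least risk.
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Info": 3}

# Constructed sample: the first assessment of a hypothetical application.
BASELINE = [
    {"id": 1, "type": "SQL Injection", "severity": "High",
     "classification": "Definitive", "file": "src/db.py", "line": 42},
    {"id": 2, "type": "Validation Required", "severity": "Medium",
     "classification": "Suspect", "file": "src/web.py", "line": 17},
    {"id": 3, "type": "Cross-Site Scripting", "severity": "High",
     "classification": "Suspect", "file": "src/web.py", "line": 88},
    {"id": 4, "type": "Logging Sensitive Data", "severity": "Low",
     "classification": "Scan Coverage", "file": "src/log.py", "line": 5},
]

# Constructed sample: a second assessment after a remediation pass.
# Finding 1 has been fixed, and one new SQL Injection finding appeared.
CURRENT = [f for f in BASELINE if f["id"] != 1] + [
    {"id": 5, "type": "SQL Injection", "severity": "High",
     "classification": "Definitive", "file": "src/report.py", "line": 63},
]


def severity_iterations(findings):
    """Iterative strategy by severity: one subset per severity, ordered
    from the findings that present the most risk to the least."""
    buckets = defaultdict(list)
    for f in findings:
        buckets[f["severity"]].append(f)
    return [(sev, buckets[sev])
            for sev in sorted(buckets, key=SEVERITY_ORDER.__getitem__)]


def filter_by_type(findings, vuln_type):
    """Iterative strategy by vulnerability type (Assessment Summary style)."""
    return [f for f in findings if f["type"] == vuln_type]


def exclude(findings, excluded_ids):
    """Disposition: drop findings that triage judged not to be real issues."""
    return [f for f in findings if f["id"] not in excluded_ids]


def promote_to_definitive(finding):
    """Disposition: promote a Suspect or Scan Coverage finding to Definitive.
    Returns a new record so the original assessment data is left intact."""
    return {**finding, "classification": "Definitive"}


def bundle(findings, name, predicate):
    """Disposition: group findings that satisfy a predicate under one name."""
    return {"name": name, "finding_ids": [f["id"] for f in findings if predicate(f)]}


def _location_key(finding):
    # Findings are matched across assessments by type and code location,
    # not by id, because ids are not stable between scans.
    return (finding["type"], finding["file"], finding["line"])


def diff_assessments(old, new):
    """Assessment Diff: which findings were fixed, which are new, and
    which are common to both assessments."""
    old_keys = {_location_key(f) for f in old}
    new_keys = {_location_key(f) for f in new}
    return {
        "fixed": sorted(old_keys - new_keys),
        "new": sorted(new_keys - old_keys),
        "common": sorted(old_keys & new_keys),
    }


if __name__ == "__main__":
    for severity, subset in severity_iterations(BASELINE):
        print(severity, [f["id"] for f in subset])
    print(bundle(BASELINE, "injection", lambda f: f["type"] == "SQL Injection"))
    print(diff_assessments(BASELINE, CURRENT))
```

Matching findings across assessments by (type, file, line) is the simplest stable key; a real diff would also have to tolerate line shifts caused by unrelated edits, which is why the tool's own Assessment Diff view is preferable to a hand-rolled comparison once code has moved.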