Taking code security to the next level

OpenText has introduced the second generation of its advanced cybersecurity auditing technology debuting at the inaugural OpenText Security Summit 2024 on February 6. Today’s developers are dealing with more complexity and threats in multi-cloud environments. Security teams feel increasing pressure to tackle application security with more sophisticated tools and practices. Fortify Audit Assistant is OpenText’s solution for incorporating security at the very beginning of the software development lifecycle—at code inception—and building robust, secure, and reliable software systems.

Fortify Audit Assistant levels up the accuracy and performance, increasing developer efficiency by reducing noise and false positives. In doing so, security teams can focus on the vulnerabilities that matter most. Triaging and validating raw static analysis results is one of the most time-intensive, manual processes within application security testing. Companies can’t afford to hire a team of human examiner experts in software engineering, computer science, and software vulnerabilities. Fortify Audit Assistant was created to automate security and address these issues by utilising machine learning to learn from Fortify’s human auditors.

“The first generation of Fortify Audit Assistant was well ahead of its time with its use of predictive analytics and machine learning,” said Prentiss Donohue, Cybersecurity Executive Vice President. “Those pioneering efforts paved the way for us to derive 10 years of data from human experts and turn them into predictive models that are significantly more accurate compared to the previous generation’s models, improving efficiency in auditing by reducing false positives up to 90%. Enterprises can now leverage this depth of information—something no one else in the industry can provide—within their own software assurance programs.”

Major updates to the next generation of Fortify Audit Assistant include:

Account for model drift. The new Audit Assistant models take a proactive approach to the ever-changing threat environment by automating the processes that measure and report how models are doing and refresh them as necessary to address any model drift. Updated models will be delivered each quarter.

Flexibility to learn from a company’s unique environment. The next generation Audit Assistant addresses the unique data privacy needs of each company. In generation one, a single model was used for both SaaS and on-prem environments. The new Audit Assistant on-prem model pipeline was designed to learn the unique behaviours of a company’s projects. This learning gets better and better over time as more vulnerabilities are audited, the models continually learn what’s appropriate for a company’s project—all while remaining sensitive to its IP.

Expansive model expertise via language specification. No single model can effectively cover every programming language. To provide greater insight and expertise into vulnerabilities in both on-prem and cloud environments, the next generation of Fortify Audit Assistant now includes 30+ language-specific models. Having a single model for C++, another model for JavaScript, etc. greatly improves model performance by enabling a “team of experts” (AKA the models) to go narrower and deeper thus increasing the likelihood of finding the true vulnerabilities in software.

Additional data and context. Fortify Audit Assistant scans and identifies true positive or false positive amongst millions of lines of code. Sometimes a scan result is a vulnerability, but might not be exploitable because the code in question is test code, not code that is deployed. In this next generation, Fortify Audit Assistant considers the nuances of scan results. In doing so, speed and efficacy of audits are greatly improved.