Abstract: A technique includes receiving data representing an output of a security scan of an application and an audit of the security scan by a human auditor. The output represents a security issue with the application, which is identified by the security scan, and the audit represents an analysis of the security issue by the human auditor. The technique includes training a security scan classifier to learn a classification preference of the human auditor. Training the security scan classifier includes, processing the data in a processor-based machine to, based at least in part on the output of the security scan and the analysis of the security scan by the human auditor, learn the classification preference of the human auditor to the issue to build a classification model for the issue.

Abstract: A technique includes receiving data representing an output of a security scan of an application and an audit of the security scan by a human auditor. The output represents a security issue with the application, which is identified by the security scan, and the audit represents an analysis of the security issue by the human auditor. The technique includes training a security scan classifier to learn a classification preference of the human auditor. Training the security scan classifier includes, processing the data in a processor-based machine to, based at least in part on the output of the security scan and the analysis of the security scan by the human auditor, learn the classification preference of the human auditor to the issue to build a classification model for the issue.

Abstract: A technique includes receiving issue data, which represents an issue identified by a security scan of an application and attributes of the issue. The technique includes applying a machine classifier to the issue data to prioritize the issue; based at least in part on a human audit of the classified data, generating additional issue data representing a priority correction for the issue; and retraining the classifier based on the additional issue data.

Abstract: A method of analyzing target software for security vulnerabilities comprises, with a processor, scanning a codebase of a target software using a static analysis scan to identify a number of security flaws, and calculating a number of code metrics of the codebase of the target software for a number of iterations over a period of time to obtain a number of historical scans.

Abstract: A method of analyzing target software for security vulnerabilities comprises, with a processor, scanning a codebase of a target software using a static analysis scan to identify a number of security flaws, and calculating a number of code metrics of the codebase of the target software for a number of iterations over a period of time to obtain a number of historical scans.