Over the years we've had many cases where AppScan users approached our support teams with what they claimed were false positive reports. But when our security experts looked into the details, they turned out to be actual security problems. It happens. We refer to such cases as perceived false positives. These are cases where AppScan found correct issues, but failed to communicate them to the users clearly enough.
At the end of the day, our end users are just people. If AppScan fails to explain itself clearly, it's our problem, not the user's. It's important that we find ways to explain our security findings clearly, simply, and in a convincing way.
So when we set out to write the JSA component of AppScan, we looked for a fresh way of presenting static analysis results that would be as readable and understandable as possible.
Some background: the kind of results we deal with involve a data-flow trace. This is somewhat similar to a debugger stack trace, but showing a sequence of locations in source code where data flows through. How do you visualize such data?
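To make the shape of such a result concrete, here is an added example (not AppScan or JSA code) that models a data-flow trace as the ordered list of source locations an untrusted value passes through, computed by forward taint propagation over a constructed straight-line program; the file name, line numbers and variable names are all constructed.

```javascript
// Added example, not AppScan/JSA code. Each statement of the constructed
// program records its location, the variable it defines, the variables it
// reads, and whether it is a taint source (untrusted input) or a sink.
const PROGRAM = [
  { file: "page.js", line: 3, def: "hash",  uses: [],                source: true },
  { file: "page.js", line: 4, def: "name",  uses: ["hash"] },
  { file: "page.js", line: 5, def: "title", uses: [] },                // untainted
  { file: "page.js", line: 7, def: "html",  uses: ["title", "name"] },
  { file: "page.js", line: 9, def: null,    uses: ["html"],           sink: true },
];

// Returns one trace per sink reached by tainted data. A trace is the list of
// statements the data flowed through, in order, from source to sink. Note that
// statement 5 never appears: a data-flow trace is not a full execution trace,
// it shows only the locations the untrusted value actually passes through.
function dataFlowTraces(program) {
  const taint = new Map(); // variable name -> trace that tainted it
  const traces = [];
  for (const stmt of program) {
    let trace = null;
    if (stmt.source) {
      trace = [stmt];
    } else {
      const taintedInput = stmt.uses.find((v) => taint.has(v));
      if (taintedInput !== undefined) trace = [...taint.get(taintedInput), stmt];
    }
    if (trace === null) {
      if (stmt.def) taint.delete(stmt.def); // reassignment from clean data kills taint
      continue;
    }
    if (stmt.sink) traces.push(trace);
    if (stmt.def) taint.set(stmt.def, trace);
  }
  return traces;
}

// Renders a trace in a debugger-like, one-location-per-line form.
function formatTrace(trace) {
  return trace
    .map((s, i) => {
      const role = s.source ? "source" : s.sink ? "sink" : "propagates";
      const reads = s.uses.join(", ") || "untrusted input";
      const what = s.def ? `${s.def} <- ${reads}` : `sink(${reads})`;
      return `${i + 1}. ${s.file}:${s.line}  ${role}: ${what}`;
    })
    .join("\n");
}
```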