What does an integrated Fortify code scanning solution look like?

Question

The VA enterprise-licensed Fortify installers have been made available to me. What does an integrated Fortify code scanning solution look like? How should I deploy the software in my environment?

Answer

There are several potential touchpoints to consider when deploying Fortify. For example:

  • IDE plugins and build scripts, for example invoke scans while writing code using the Visual Studio plugin
  • Client-side version control system hooks, for example automatically invoke a scan or display current scan state in a Git pre-commit hook
  • Server-side version control system hooks, for example automatically invoke a scan or display current scan state in a Git pull request
  • Scheduled build jobs as a part of Continuous Integration, for example scheduled Jenkins build jobs for scans that may take a long time to run
  • Process certification during software factory verify & operate and monitor phases, for example subject matter expert review of Fortify scan files produced by the pipeline as a means to verify Fortify tool integration and associated workflows; the timing of such reviews is periodic and based on software factory phases, as opposed to application lifecycle phases

The determination as to which touchpoints are appropriate to integrate Fortify into will depend on how code is being written and built for your particular application’s environment.

Not all of the above-listed touchpoints are available in all development environments, and there may be project- or organization-specific requirements driving integration at certain touchpoints.

For example, Fortify scans are required to be periodically reviewed by OIS Software Assurance as part of the ATO process for DevSecOps environments, effectively as a certification to increase confidence in the security of ongoing automated code deliveries & deployments.
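The client-side version control hook touchpoint from the list above, worked as an added example (this is not VA or Fortify code): a Git pre-commit hook that reports the current scan state, re-runs the scan, and blocks the commit when Critical findings exceed a limit. It assumes sourceanalyzer and FPRUtility are on PATH, a Maven build, and that the FPRUtility search query shown matches your Fortify version; check both against your installation.

```shell
#!/bin/sh
# Git pre-commit hook: show Fortify scan state, rescan, gate on Critical findings.
# Added example, not VA or Fortify code. Assumed: sourceanalyzer and FPRUtility
# on PATH, a Maven build, and the FPRUtility query syntax used below.
set -u
BUILD_ID="${FORTIFY_BUILD_ID:-precommit}"
FPR="${FORTIFY_FPR:-.fortify/precommit.fpr}"
MAX_CRITICAL="${FORTIFY_MAX_CRITICAL:-0}"   # commit fails above this count

# Report whether the FPR is missing, stale (a source file is newer) or current.
fortify_scan_state() {
  fpr="$1"; srcdir="$2"
  if [ ! -f "$fpr" ]; then echo missing; return 1; fi
  if [ -n "$(find "$srcdir" -type f -newer "$fpr" -print | head -n 1)" ]; then
    echo stale; return 1
  fi
  echo current
}

# Translate the build and run the analysis, writing results to $FPR.
fortify_translate_and_scan() {
  mkdir -p "$(dirname "$FPR")" &&
  sourceanalyzer -b "$BUILD_ID" -clean &&
  sourceanalyzer -b "$BUILD_ID" mvn -q clean compile &&
  sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR"
}

# Count Critical findings by listing them with FPRUtility (assumed query
# syntax; verify against your Fortify version's CLI documentation).
fortify_critical_count() {
  FPRUtility -information -listIssues -project "$1" \
    -search -query "[fortify priority order]:critical" | grep -c .
}

# Pass when the Critical count is within the limit; return 1 to block the commit.
fortify_gate() {
  count="$1"; max="$2"
  if [ "$count" -gt "$max" ]; then
    echo "FAIL: $count Critical Fortify findings (limit $max); commit blocked"
    return 1
  fi
  echo "PASS: $count Critical Fortify findings (limit $max)"
}

# Only the hook entry point runs the real scan; sourcing the file defines functions.
if [ "$(basename -- "$0")" = "pre-commit" ]; then
  echo "Fortify scan state before commit: $(fortify_scan_state "$FPR" src || true)"
  fortify_translate_and_scan || { echo "Fortify scan failed; commit blocked"; exit 1; }
  fortify_gate "$(fortify_critical_count "$FPR")" "$MAX_CRITICAL"
fi
```

Install it as `.git/hooks/pre-commit` (executable); set `FORTIFY_MAX_CRITICAL` higher during initial rollout if a hard zero would block all commits on a legacy code base.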
