How are Fortify scans different from code review?

Question

How is using Fortify/CodeQL/Snyk different from the code reviews we already do?

Answer

Manual code review takes place after the code has been written and the automated tests have run and passed, but before the code is merged upstream. Reviewers look for obvious logic errors, check that the requirements are implemented, confirm that the new automated tests adequately cover the new code, verify that project style guidelines are followed, and so on. That review is not the same as scanning the code with Fortify:

  • To fulfill the DevSecOps promise of repeatable, efficient integration of security into all aspects of DevOps, static security testing must be integrated into the CI/CD pipeline.
  • Integration of Fortify into the CI/CD pipeline gives an emphasis to security as a functional requirement on par with other testing such as unit and integration testing.
  • SAST scans the entire application so it can detect how changes affect the security of the application as a whole. Manual code review generally only looks at the local effects of the changes.
  • SAST tools apply a very broad set of security knowledge to the security testing, while manual review will provide a narrower set of security knowledge though with more application-specific knowledge.

Scanning source code using OIS-licensed Fortify SCA, CodeQL, or Snyk is required at VA during development and maintenance of custom-developed applications, as per the OIS Authorization Requirements SOP. Scanning source code using these tools is generally performed in addition to, not instead of, manual reviews as described above. Fortify scans specifically for potential security issues in source code.

SAST tool scans are generally integrated into CI/CD pipeline stages. The scans are performed according to the pipeline configuration and can be configured to fail the build on findings (see the Fortify configuration guidance). SAST scans are typically configured to scan the entire codebase each time they are performed.
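The two points above, a pipeline gate that fails the build on findings and a whole-codebase scan that surfaces issues outside the files a reviewer would look at, can be shown with a small gate script. The example below is added here and is not VA, Fortify, CodeQL or Snyk code; it assumes the SAST stage exports its findings as a SARIF 2.1.0 file (CodeQL does this natively; other tools can export it) and that the pipeline supplies the list of files the change touched. The sample SARIF document, the rule ids and the file paths in it are constructed for the example.

```python
"""SARIF-based build gate for a SAST pipeline stage (added example, not
VA or vendor code).

Assumptions not taken from the FAQ: the SAST tool writes findings as a
SARIF 2.1.0 file, the pipeline passes the list of files the merge request
touched, and findings whose SARIF `level` is "error" fail the build.
"""
import json

# Constructed sample SARIF output: two findings, one in a file the change
# touched and one elsewhere in the application.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "log-injection", "properties": {"security-severity": "5.0"}},
        ]}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "log-injection", "level": "warning",
             "message": {"text": "Unsanitized value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/api/handlers.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

# SARIF result levels in increasing order of seriousness.
LEVEL_RANK = {"note": 1, "warning": 2, "error": 3}


def parse_findings(sarif_text):
    """Flatten SARIF results into dicts with rule, level, file, line, message."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                "level": result.get("level", "warning"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def gate(findings, changed_files, fail_level="error"):
    """Decide pass/fail and separate findings the diff review would not see.

    Returns (passed, blocking, outside_diff): `blocking` are findings at or
    above `fail_level`; `outside_diff` are findings in files the change did
    not touch, which a review scoped to the diff would not have examined.
    """
    threshold = LEVEL_RANK[fail_level]
    touched = set(changed_files)
    blocking = [f for f in findings if LEVEL_RANK.get(f["level"], 0) >= threshold]
    outside_diff = [f for f in findings if f["file"] not in touched]
    return (not blocking, blocking, outside_diff)


def main():
    findings = parse_findings(SAMPLE_SARIF)
    # The merge request only touched the handler; the scan still covers the
    # whole application, so the database-layer finding is reported too.
    passed, blocking, outside = gate(findings, changed_files=["app/api/handlers.py"])
    for f in findings:
        print(f"{f['level']:8} {f['rule']:15} {f['file']}:{f['line']}  {f['message']}")
    print(f"findings outside the change set: {len(outside)}")
    print("BUILD " + ("PASSED" if passed else "FAILED"))
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run in the pipeline, the script's non-zero exit status is what turns a finding into a build failure; the `fail_level` argument is where a project would set the threshold agreed with its security team, and the `outside_diff` list is the evidence that a whole-application scan catches effects a change-scoped manual review does not.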