MOBILE SAST IMPLEMENTATION
TABLE OF CONTENTS
 INTRODUCTION
 OVERVIEW OF DEVSECOPS
 SECURE SDLC BENEFITS
 ADVANTAGES & DISADVANTAGES OF SAST
 INTEGRATION OF SAST IN IDE
 INTEGRATION OF SAST INTO CI/CD
 REFERENCES
SSDLC BENEFITS
 Build secure software
 Creates Awareness of security
 Early Detection of vulnerabilities
 Overall reduction of risks for the organization
ADVANTAGES & DISADVANTAGES OF SAST
ADVANTAGES
 Largely usable in developer IDEs to detect issues even before CI.
 Easy to trigger from CI/CD
 Early Detection of vulnerabilities
 Building the Secure Software
DISADVANTAGES
 Takes a considerable amount of effort if the tool is adopted mid-project.
 Integration effort
 Non-functional requirement
 Requires time to analyze false positives
IDE INTEGRATION & CUSTOMIZATION
 Click on ANDROID STUDIO and then select Preferences
 Click on Plugins and then click on Browse repositories
 Search for and install FindBugs-IDEA (restart your IDE)
 Navigate to Other Settings under the Preferences tab.
 Click on FindBugs-IDEA and add it by clicking the + icon
 Navigate to the Report tab and select SECURITY
 Finally, click on Apply and Save.
 Right-click on the project and select Analyze Project Files under FindBugs
 Reports can be exported in both HTML and XML formats.
INTEGRATION WITH CI/CD
Add the code below to the build.gradle file (present under the app directory)
    apply plugin: 'findbugs'

    // Separate configuration for FindBugs detector plugins, so the
    // find-sec-bugs jar is not mixed into the app's runtime dependencies
    configurations {
        findbugsPlugins
    }

    dependencies {
        implementation fileTree(include: ['*.jar'], dir: 'libs')
        implementation 'com.google.android.gms:play-services:7.5.0'
        implementation 'com.github.marcohc:Toasteroid:2.1.4'
        findbugs 'com.google.code.findbugs:findbugs:3.0.1'
        findbugs configurations.findbugsPlugins.dependencies
        findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.4.4'
    }

    // FindBugs task that loads the security rules only
    task findSecurityBugs(type: FindBugs) {
        // $project.buildDir already resolves to app/build, so the class
        // directory is given relative to it
        classes = fileTree("$project.buildDir/intermediates/javac/release/compileReleaseJavaWithJavac/classes/com/android/insecurebankv2/")
        // Source path is relative to the app module, not the filesystem root
        source = fileTree('src/main/java/')
        classpath = files()
        pluginClasspath = project.configurations.findbugsPlugins
    }

    // Extension block: configured at the top level of build.gradle,
    // not nested inside the task
    findbugs {
        toolVersion = "3.0.1"
        // true keeps the build green even when findings are reported;
        // set to false if the job should fail on findings
        ignoreFailures = true
        reportsDir = file("$project.buildDir/findbugsReports")
        effort = "max"
        reportLevel = "low"
        includeFilter = file("$project.rootDir/fsb-include.xml")
        excludeFilter = file("$project.rootDir/fsb-exclude.xml")
    }
ADDING NEW FILES
 Create files named 'fsb-include.xml' and 'fsb-exclude.xml'
 Add both of these files to the project root directory
 Add the content below to the 'fsb-exclude.xml' file.
    <FindBugsFilter>
    </FindBugsFilter>
 Add the content below to the 'fsb-include.xml' file (it restricts the report to the SECURITY bug category).
    <FindBugsFilter>
        <Match>
            <Bug category="SECURITY"/>
        </Match>
    </FindBugsFilter>
 Execute Gradle by running the commands below.
    ./gradlew build
    ./gradlew findSecurityBugs
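Because the task above sets ignoreFailures = true, the pipeline stays green even when find-sec-bugs reports SECURITY findings. The script below is an added example, not part of the deck or the InsecureBankv2-FindBugs repository: it parses the FindBugs XML report (assumed to be written to app/build/findbugsReports/findSecurityBugs.xml) and returns a non-zero exit status when a high-priority SECURITY finding is present, so a Jenkins job can use it as a gate. The embedded report is a constructed sample, not real scan output.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a FindBugs XML report; bug types, classes and
# line numbers are illustrative, not output of a real scan.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="3.0.1" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <BugInstance type="SQL_INJECTION_ANDROID" priority="1" rank="5" abbrev="SECSQLIAND" category="SECURITY">
    <SourceLine classname="com.android.insecurebankv2.ExampleActivity" start="88" end="88" sourcefile="ExampleActivity.java"/>
  </BugInstance>
  <BugInstance type="HARD_CODE_PASSWORD" priority="2" rank="8" abbrev="SECHCP" category="SECURITY">
    <SourceLine classname="com.android.insecurebankv2.ExampleCrypto" start="21" end="21" sourcefile="ExampleCrypto.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="3" rank="17" abbrev="Dm" category="I18N">
    <SourceLine classname="com.android.insecurebankv2.ExampleHelper" start="40" end="40" sourcefile="ExampleHelper.java"/>
  </BugInstance>
</BugCollection>
"""

def parse_security_findings(xml_text):
    """Return SECURITY-category BugInstance entries as dicts (type, priority, class, line)."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        # fsb-include.xml should already restrict the report, but stay defensive
        if bug.get("category") != "SECURITY":
            continue
        loc = bug.find("SourceLine")  # direct child = primary source location
        findings.append({
            "type": bug.get("type"),
            "priority": int(bug.get("priority", "3")),  # 1 = high, 3 = low
            "class": loc.get("classname") if loc is not None else "?",
            "line": int(loc.get("start")) if loc is not None else 0,
        })
    return findings

def gate(findings, max_priority=1):
    """Exit status for CI: 1 if any finding is at or above max_priority severity, else 0."""
    return 1 if any(f["priority"] <= max_priority for f in findings) else 0

def main(path=None):
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    findings = parse_security_findings(xml_text)
    for f in sorted(findings, key=lambda f: f["priority"]):
        print(f"P{f['priority']} {f['type']} at {f['class']}:{f['line']}")
    status = gate(findings)
    print(f"{len(findings)} SECURITY finding(s); gate {'FAILED' if status else 'passed'}")
    return status

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

In Jenkins, run it as a post-build step with the report path as the argument; the priority threshold can be relaxed with max_priority while a team works through an initial backlog.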
FOLDER STRUCTURE
CONFIGURE JENKINS JOB
PUBLISH REPORTS
REFERENCES
 https://www.owasp.org/index.php/Source_Code_Analysis_Tools
 https://find-sec-bugs.github.io/
 https://github.com/find-sec-bugs/find-sec-bugs/wiki/Gradle-configuration
 https://github.com/sanjeevakuamr/InsecureBankv2-FindBugs

Implementation of SAST for Android Application
