Agenda
• Why are we here?
• A Personal Story
• Cost of Security
• Micro Focus Fortify
• Fortify SCA for Scala
• Demo
• Tips/Suggestions
• Q & A
2
Why are we here?
• Security Challenges
• How static analysis can find vulnerabilities in your Scala source code
• What is Fortify?
• How Fortify SCA for Scala can fit into your DevSecOps pipelines
3
A Personal Story
• Why security is important to me
• Why we must be vigilant about data security
• Experienced major Identity Theft at the end of 2017
• Debit card compromised 2 weeks ago
4
Overall Cost of Security
• Data Breaches
• Company, Customer, PII
• Blow to confidence of teams
• Not a matter of “if”, but rather “when”
• How will your company survive it?
• What is your remediation plan?
5
Industry Trends
• Shortage of Security Engineers
• Healthcare is the #1 security risk
• Security is “moving left” in the development lifecycle
• Customers looking to implement security best practices
6
Secure Software Development Lifecycle (SSDLC)
7
Why Static Analysis?
• First line of defense in your security efforts
• Allows developers to catch problems up front, rather than in production
• Ensure that code paths are secure - method signatures, input/output variables
• Defined rules discover anomalies based on industry standards like OWASP
• Applies to all market segments
8
Static code analysis for Scala!
• Lightbend team wrote the frontend/translator for Scala
• Fortify team made sure the translator worked well with our backend to find vulnerabilities
• Fortify SSR team developed rules for Scala
• We will carry this model forward to extend Scala support:
• Support major frameworks
• Keep the support up to date
Fortify SCA for Scala
10
Fortify SCA for Scala - Highlights
Version 1.0.0 was initially released in December 2017; the latest release is 1.0.13
• Fortify SCA 18.2 and 19.1 support
• Fortify on Demand
• Scala 2.11.{6-8,11-12}, 2.12.{3-8}, 2.13.0-RC1
• Akka HTTP Rules
• Additional Compiler Flags - SCA version, output directory, license file location
• Documentation Improvements
• Multi-project builds
• Transitive Dependencies - necessary for deep analysis
11
How it Works
1. Translate
2. Scan
3. View Results
12
How it Works: Translation
• Scala Compiler Plugin
• Runs late in the compilation process
• Compiles source code directly into JVM bytecode and also emits the necessary Fortify NST files
• Configure build tool of choice - sbt, Maven, Gradle, scalac, scripts
• Integrate into your development pipelines
13
How it Works: Scanning
Scans are executed the same way as for other Fortify SCA languages
• Locally
• On a CI/CD server
• In Fortify on Demand
Example of running a scan on “my-project” locally:
$ sourceanalyzer -b my-project -f my-project.fpr -scan
14
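An added example (not from the talk and not the scala-fortify project's own documentation) of wiring the translation step into an sbt build so that the scan command above can consume its output. The plugin coordinates, the `-P:fortify:` option names and the value formats are recalled from the plugin's documentation and are assumptions to verify against the release you install; the license path is a placeholder.

```scala
// Added example, not from the talk. Plugin coordinates and -P:fortify option names are
// assumptions from memory of the scala-fortify docs; check them against your release.
// Assumes the Lightbend commercial resolver and credentials are already configured.

// Build id shared between translation and the scan (-b on the sourceanalyzer command line).
lazy val fortifyBuildId = "my-project"

// The compiler plugin runs late in compilation and emits NST files alongside the bytecode.
addCompilerPlugin(
  "com.lightbend" %% "scala-fortify" % "1.0.13"
    classifier "assembly"
    cross CrossVersion.patch)

scalacOptions ++= Seq(
  s"-P:fortify:build=$fortifyBuildId",                     // Fortify build id
  "-P:fortify:scaversion=19.1",                            // target SCA version
  s"-P:fortify:out=${baseDirectory.value}/target/fortify", // translation output directory
  "-P:fortify:license=/PLACEHOLDER/path/to/lightbend.license" // license file location
)
```

After `sbt compile` has produced the NST files, run the scan command above with the same build id so the scan picks up that translation.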
How it Works: Viewing Scan Results
View results in Fortify SCA Audit Workbench
15
Vulnerabilities
• Java rulepacks apply to Scala code as well!
• Scala specific knowledge - collections, Play, Akka HTTP
• Fortify Taxonomy: Software Security Errors Site
• Outlines each potential vulnerability that can be surfaced
• 481 weaknesses supported - Java/Scala
16
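An added example (not from the talk or the Fortify rulepacks) of the kind of tainted dataflow the Java rulepacks and Akka HTTP rules trace in Scala: an HTTP query parameter reaching a JDBC query sink, shown in a vulnerable form and the hardened form beside it. Assumes Akka HTTP 10.x and a JDBC `DataSource` supplied by the application; `UserRoutes`, `render` and the `users` table are hypothetical.

```scala
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.Route
import java.sql.{Connection, PreparedStatement, ResultSet}
import javax.sql.DataSource

// Added example (not from the talk): the same lookup in a vulnerable and a hardened form.
// Assumes Akka HTTP 10.x and an application-provided JDBC DataSource; blocking JDBC is
// kept inline for brevity.
object UserRoutes {

  // Vulnerable form: the `name` query parameter (taint source) is spliced into the
  // SQL text that reaches Statement.executeQuery (taint sink).
  def lookupUnsafe(ds: DataSource): Route =
    path("users") {
      parameters("name") { name =>
        get {
          val conn: Connection = ds.getConnection()
          val sql = s"SELECT id, email FROM users WHERE name = '$name'" // SQL injection
          val body =
            try render(conn.createStatement().executeQuery(sql))
            finally conn.close()
          complete(body)
        }
      }
    }

  // Hardened form: the untrusted value is bound as a parameter, so it stays data and
  // never becomes part of the query text; the analyzer sees the taint stop at setString.
  def lookupSafe(ds: DataSource): Route =
    path("users") {
      parameters("name") { name =>
        get {
          val conn: Connection = ds.getConnection()
          val body =
            try {
              val ps: PreparedStatement =
                conn.prepareStatement("SELECT id, email FROM users WHERE name = ?")
              ps.setString(1, name)
              render(ps.executeQuery())
            } finally conn.close()
          complete(body)
        }
      }
    }

  // Render the rows as a plain-text body, one "id email" pair per line.
  private def render(rs: ResultSet): String = {
    val sb = new StringBuilder
    while (rs.next()) sb.append(rs.getLong("id")).append(' ').append(rs.getString("email")).append('\n')
    sb.toString
  }
}
```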
Demo
Tips/Suggestions
• Establish Security Champions within your Organizations/Teams
• Initiate a Security Assessment of your systems
• Find the right tools
18
Q & A
Thank You!
Jeremy Daggett
Solutions Architect
jeremy@lightbend.com

Scala Security: Eliminate 200+ Code-Level Threats With Fortify SCA For Scala
