Developing Secure Scala Applications With Fortify For Scala

From banks to airlines to credit rating agencies, security continues to be a major focus for organizations across various industries. As the newspapers show, it’s heavily damaging to enterprises when security vulnerabilities in their code, infrastructure, or open source frameworks/libraries get exploited. The good news is that your Scala development team now has a powerful ally for securing their applications. Co-developed by the Fortify team along with Lightbend, the upcoming Fortify for Scala Plugin is the only Static Application Security Testing (SAST) solution to use the official Scala compiler. This plugin automatically identifies code-level security vulnerabilities early in the SDLC, so you can confidently and reliably secure your mission-critical Scala-based applications.

In this webinar by Seth Tisue, Scala Committer and Senior Scala Engineer at Lightbend, and Poonam Yadav, Product Manager for Fortify at Micro Focus, you will learn about:

● Some of the more than 200 vulnerabilities that the Fortify plugin for Scala can catch and help you resolve
● How the plugin works to analyze, identify and provide actionable recommendations
● How to integrate it into your modern DevOps environment
● Why this plugin was co-developed by Lightbend and the Fortify team, and how it benefits your organization’s security professionals / CISO office


WEBINAR

Why static analysis?

● Catch problems during development…
● ...before they hit production
Why Fortify SCA?

● Established industry leader
● Strong support for Java / JVM
● Flexible cross-language technology
Why Lightbend?

● Leverage the Scala team’s expertise
  Scala compiler development lives at Lightbend
● Leverage the existing Scala compiler
  Fortify SCA uses the real, actual Scala compiler
  ...to understand the real, actual Scala language
Can I use it?

  When can I use it?
  Who can use it?

Who can use it?

● required: Fortify SCA license
  https://software.microfocus.com/en-us/software/sca/details
● required: Lightbend subscription
  https://www.lightbend.com/subscription
  includes support
  includes the entire Lightbend Enterprise Suite
Who can use it?

● Scala 2.12 and 2.11: all language features
● Java 8 (soon: 9 too)
● Any build tool: sbt, Maven, Gradle, plain scalac...
● Windows, MacOS, Linux

When can I use it?

● Preview version already in use by select customers
● Available to all customers in a few weeks (as of November 16, 2017)


How it works

● Step 1: Translate
● Step 2: Scan
● Step 3: View results

details in demo
How it works: Translation

● Scala compiler plugin
● Runs very late in compilation, just before bytecode is emitted...
  similar to Scala.js, Scala Native

[diagram: source code → Scala compiler plugin → Fortify / JVM bytecode]


How it works: Translation

● Add the compiler plugin to your build
● Integrating translation with your existing build ensures fidelity:
  same code, compiled with same compiler version, with same flags...
How it works: Translation

  credentials += ...
  resolvers += ...
  addCompilerPlugin(...)
  scalacOptions += ...

details in demo
How it works: Scanning

● Same as any other language supported by Fortify SCA
● Scan locally or on CI server

How it works: View results

● at command line or in GUI

details in demo
Vulnerabilities

● Java rulebase applies to Scala code as well
● Scala-specific knowledge includes Play, sys.process, tracking data flow through collections API

Sample vulnerabilities

● Demo repo shows:
  ○ Command Injection
  ○ Cross-Site Scripting
  ○ Open Redirect
  ○ Server-Side Request Forgery
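The two slides above name the sinks the plugin understands (sys.process, data flowing through the collections API) and two of the demo categories (Command Injection, Open Redirect). The following is an added example written for this page; it is not code from the webinar or from the lightbend/play-webgoat repository. It shows a command-injection sink reached through List.map, the hardened form beside it, and a same-origin check of the kind that closes an open redirect. Assumptions: the "request parameters" are constructed inline, and echo stands in for a real network tool such as ping so the program runs offline; the object and function names are this example's own.

```scala
// Added example: not from the webinar or the play-webgoat demo repo.
import scala.sys.process._
import scala.util.{Try, Success, Failure}
import java.net.URI

object ScalaSinkDemo {

  // Constructed stand-ins for values read from an HTTP request. The second
  // one carries a shell metacharacter followed by a second command.
  val requestedHosts: List[String] = List("example.com", "example.org; id")

  // Stand-in for a real network tool such as ping; echo keeps the demo offline.
  private val tool = "echo"

  // VULNERABLE: tainted strings flow through the collections API (List.map)
  // into a command line that "sh -c" parses, so ';' ends the intended command
  // and "id" runs as well. A SAST tool has to follow the taint across map and
  // string interpolation to report Command Injection at the sys.process sink.
  def probeUnsafe(hosts: List[String]): List[Try[String]] =
    hosts.map(h => Try(Seq("sh", "-c", s"$tool $h").!!.trim))

  // Allowlist for a DNS hostname: letters, digits, dots, hyphens, bounded
  // length, and no leading '-' so the value can never be read as an option
  // by the tool it is handed to (argument injection, not shell injection).
  private val Hostname = "[A-Za-z0-9][A-Za-z0-9.-]{0,252}".r

  // HARDENED: every element is validated against the allowlist, and the value
  // is passed as its own argv entry, so no shell ever interprets it.
  def probeSafe(hosts: List[String]): List[Either[String, String]] =
    hosts.map {
      case h @ Hostname() =>
        Try(Seq(tool, h).!!.trim) match {
          case Success(out) => Right(out)
          case Failure(e)   => Left(s"command failed for $h: ${e.getMessage}")
        }
      case other => Left(s"rejected host: $other")
    }

  // Open Redirect: in a Play controller, Redirect(next) with an attacker-chosen
  // absolute URL sends the victim off-site. Accept only a same-origin path:
  // no scheme (rejects http://evil.example and javascript:...), no authority
  // (rejects //evil.example/...), and a path that starts with a single '/'.
  // Malformed input (URISyntaxException) is rejected rather than guessed at.
  def safeRedirectTarget(next: String): Option[String] =
    Try(new URI(next)).toOption.filter { u =>
      u.getScheme == null &&
      u.getRawAuthority == null &&
      Option(u.getRawPath).exists(_.startsWith("/"))
    }.map(_ => next)

  def main(args: Array[String]): Unit = {
    // The second element of the unsafe result also contains the output of id.
    println("unsafe: " + probeUnsafe(requestedHosts))
    // The second element of the safe result is a Left("rejected host: ...").
    println("safe:   " + probeSafe(requestedHosts))
    Seq("/account?tab=1", "//evil.example/phish", "https://evil.example", "javascript:alert(1)")
      .foreach(n => println(s"redirect $n -> ${safeRedirectTarget(n)}"))
  }
}
```

Run it with `scala ScalaSinkDemo.scala` on a machine with a POSIX sh. The point of the hardened version is not only the allowlist: splitting the argv (`Seq(tool, h)`) removes the shell from the data path entirely, and the regex's no-leading-hyphen rule covers the remaining case where the tool itself would parse the value as a flag.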
Planned features

● sbt plugin
● coverage for more libraries and frameworks
● support Fortify on Demand
● …?

It’s demo time!

● let’s see it in action on a sample project
  https://github.com/lightbend/play-webgoat
To reiterate...

● required: Fortify SCA license
  https://software.microfocus.com/en-us/software/sca/details
● required: Lightbend subscription
  https://www.lightbend.com/subscription
  includes support
  includes the entire Lightbend Enterprise Suite
Next Steps

Interested in the Fortify Scala Plugin?

lightbend.com/fortify
Q&A
