
WEBINAR




Why static analysis?

● Catch problems during development...
● ...before they hit production
Why Fortify SCA?

● Established industry leader


● Strong support for Java / JVM
● Flexible cross-language technology
Why Lightbend?

● Leverage the Scala team’s expertise


Scala compiler development lives at Lightbend

● Leverage the existing Scala compiler


Fortify SCA uses the real, actual Scala compiler
...to understand the real, actual Scala language
Can I use it?

When can I use it?


Who can use it?
● required: Fortify SCA license
https://software.microfocus.com/en-us/software/sca/details

● required: Lightbend subscription


https://www.lightbend.com/subscription
includes support
includes the entire Lightbend Enterprise Suite
Who can use it?

● Scala 2.12 and 2.11: all language features
● Java 8 (Java 9 support coming soon)
● Any build tool: sbt, Maven, Gradle, plain scalac...
● Windows, macOS, Linux


When can I use it?

● Preview version already in use by select customers
● Available to all customers in a few weeks (as of November 16, 2017)


How it works

● Step 1: Translate
● Step 2: Scan
● Step 3: View results

details in demo
How it works: Translation

● Scala compiler plugin
● Runs very late in compilation, just before bytecode is emitted...
similar to Scala.js, Scala Native

(diagram: source code → Scala compiler plugin → Fortify / JVM bytecode)


How it works: Translation

● Add the compiler plugin to your build


● Integrating translation with your existing build ensures fidelity:
same code, compiled with the same compiler version, with the same flags...
How it works: Translation

credentials += ...

resolvers += ...

addCompilerPlugin(...)
scalacOptions += ...
details in demo
How it works: Scanning

● Same as any other language supported by Fortify SCA
● Scan locally or on a CI server
How it works: View results

● At the command line or in the GUI

details in demo
Vulnerabilities

● The Java rulebase applies to Scala code as well (Scala code calls the same JDK and JVM-library APIs)
● Scala-specific knowledge includes Play, sys.process, and tracking data flow through the collections API
Sample vulnerabilities
● Demo repo shows:
○ Command Injection
○ Cross-Site Scripting
○ Open Redirect
○ Server-Side Request Forgery
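The following is an added illustration, not code from the webinar or from the play-webgoat demo repo: a vulnerable and a hardened form of each of the four issue classes listed above, written against the Scala 2.12 standard library only so it compiles with plain scalac. The shape of the query-string map (Map[String, Seq[String]]), the hostname pattern and the SSRF allowlist entry are assumptions made for the example; the command-injection pair also shows taint flowing through Option and Seq calls before it reaches sys.process, which is the collections-API data-flow tracking mentioned earlier.

```scala
import scala.sys.process._
import java.net.URI
import scala.util.Try

// Added example (not from the webinar or the play-webgoat repo).
object SampleVulnerabilities {

  // --- Command Injection via sys.process ---
  // Taint enters as the raw query-string map a web framework would hand us
  // (assumed shape: Map[String, Seq[String]]) and flows through Option and Seq
  // before reaching the shell; the analyzer has to follow it through those calls.
  def pingVulnerable(query: Map[String, Seq[String]]): String = {
    val host = query.get("host").flatMap(_.headOption).getOrElse("localhost")
    // host = "x; id" makes sh run "id" as a second command
    Seq("sh", "-c", s"ping -c 1 $host").!!
  }

  // Hardened: validate against a strict hostname pattern (assumed for the
  // example) and pass the value as its own argv element so no shell parses it.
  private val HostPattern = "^[A-Za-z0-9.-]{1,253}$".r
  def pingSafe(query: Map[String, Seq[String]]): Either[String, String] =
    query.get("host").flatMap(_.headOption) match {
      case Some(h) if HostPattern.findFirstIn(h).isDefined =>
        Right(Seq("ping", "-c", "1", h).!!)
      case _ => Left("missing or invalid host")
    }

  // --- Cross-Site Scripting ---
  // Vulnerable: untrusted text interpolated straight into markup.
  def greetVulnerable(name: String): String = s"<p>Hello, $name</p>"

  // Hardened: escape the HTML metacharacters before interpolating.
  def escapeHtml(s: String): String = {
    val sb = new StringBuilder
    s.foreach {
      case '&'  => sb.append("&amp;")
      case '<'  => sb.append("&lt;")
      case '>'  => sb.append("&gt;")
      case '"'  => sb.append("&quot;")
      case '\'' => sb.append("&#x27;")
      case c    => sb.append(c)
    }
    sb.toString
  }
  def greetSafe(name: String): String = s"<p>Hello, ${escapeHtml(name)}</p>"

  // --- Open Redirect ---
  // Vulnerable: the Location target comes verbatim from the request.
  def redirectTargetVulnerable(next: String): String = next

  // Hardened: accept only same-site absolute paths; reject anything with a
  // scheme and the protocol-relative forms "//host" and "/\host", else use "/".
  def redirectTargetSafe(next: String): String =
    if (next.startsWith("/") && !next.startsWith("//") && !next.startsWith("/\\")) next
    else "/"

  // --- Server-Side Request Forgery ---
  // Vulnerable: the server will fetch any URL the client names
  // (cloud metadata services, localhost admin ports, internal hosts...).
  def fetchTargetVulnerable(url: String): URI = new URI(url)

  // Hardened: parse, require https, and match the host against an allowlist
  // (the allowlist entry is assumed for the example).
  private val AllowedHosts = Set("api.example.com")
  def fetchTargetSafe(url: String): Either[String, URI] =
    Try(new URI(url)).toOption match {
      case Some(u) if u.getScheme == "https" && AllowedHosts.contains(u.getHost) => Right(u)
      case _ => Left(s"refusing to fetch $url")
    }

  def main(args: Array[String]): Unit = {
    // Each call below feeds the hardened form an input the vulnerable form would
    // have accepted; the hardened form should neutralize or refuse it.
    println(greetSafe("<script>alert(1)</script>"))
    println(redirectTargetSafe("//evil.example/"))
    println(fetchTargetSafe("http://169.254.169.254/latest/meta-data/"))
    println(pingSafe(Map("host" -> Seq("x; id"))))
  }
}
```

Note that the hardened forms are the shapes Fortify recognizes as sanitization or validation: a concrete allowlist or pattern check on the tainted value before it reaches the sink, rather than a blocklist of suspicious characters.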
Planned features

● sbt plugin
● coverage for more libraries and frameworks
● support Fortify on Demand
● …?
It’s demo time!

● let’s see it in action on a sample project


https://github.com/lightbend/play-webgoat
To reiterate...
● required: Fortify SCA license
https://software.microfocus.com/en-us/software/sca/details

● required: Lightbend subscription


https://www.lightbend.com/subscription
includes support
includes the entire Lightbend Enterprise Suite
Next Steps

Interested in the Fortify Scala Plugin?

lightbend.com/fortify
Q&A