The Vendor is required to provide, for procurement, adoption, and integration, a software as a service (SaaS) solution that will perform static application security scanning.
- The static application security testing (SAST) service will enable public works development teams to proactively scan their code and frameworks for critical defects during code reviews, embracing process concepts such as shift left and security development operations (SecDevOps).
- By integrating this service into the software development lifecycle (SDLC), application developers will receive a vendor-reviewed list of vulnerabilities, reducing false positives and streamlining the deployment process.
- Software Requirements
• SAST Solution must be entirely hosted in the cloud by the vendor and must have 99.99% availability.
• SAST licensing must cover 30 contributing application developers and must not be affected by the number of applications or lines of code being scanned.
• Must include source code and software composition analysis vulnerability scan configurations.
• Must include manual validation testing with security experts to assess results of SAST scans and remove any false positives.
• Must provide a clear risk ranking for every source code vulnerability finding (e.g. critical, high, medium, low, informational, etc.).
• Must provide exportable reports that include descriptions of validated application runtime and source code vulnerabilities, along with their associated risk rankings.
• Executive summaries must be available in PDF format, and detailed lists must be provided in Excel or CSV format.
• Must provide ongoing scan tuning and configuration tuning for existing applications, to adapt to ongoing application changes.
• Must provide direct access to security professionals through the online platform, phone, and screen share options, following the hours of operation provided in the “maintenance and support” requirements (g).
• SAST solution must provide data flow analysis that traces the vulnerability finding to the exact line of code.
• Must include software composition analysis (SCA).
• SAST solution must support modern major programming and scripting languages and frameworks, such as .NET, ASP.NET, React, Angular, Node.js and Python.
• SAST solution must integrate out-of-the-box with project management and bug tracking tools, specifically Azure DevOps, Atlassian Jira, and ServiceNow.
• SAST solution must integrate with the SIEM Microsoft Sentinel.
• SAST solution must be able to identify vulnerabilities and provide references to relevant Common Vulnerabilities and Exposures (CVE) identifiers and industry-standard lists of known security risks (e.g., OWASP Top 10, CWE Top 25).
• SAST solution must provide remediation code fixes, as either a code change or a configuration change example, for found vulnerabilities.
• The product must provide SSO integration with Azure Active Directory (AD) and role-based access control.
• SAST scanning must be accessible and usable as a command-line tool, as well as a plugin for major integrated development environments (IDEs) such as Visual Studio 2022 and Visual Studio Code. Additionally, it must integrate into continuous integration/continuous deployment (CI/CD) pipelines.
• The tool must seamlessly integrate with Source Code Management (SCM) systems and must support both GitHub and Azure DevOps.
- Contract Period/Term: 1 year