Loren Data's SAM Daily™

fbodaily.com
SAMDAILY.US - ISSUE OF AUGUST 21, 2024 SAM #8303
SOURCES SOUGHT

99 -- Fortify Alternate Sources

Notice Date
8/19/2024 1:45:22 PM
 
Notice Type
Sources Sought
 
NAICS
513210
 
Contracting Office
FA8307 AFLCMC HNCK C3IN SAN ANTONIO TX 78243-7007 USA
 
ZIP Code
78243-7007
 
Solicitation Number
RFI_HNC_Fortify
 
Response Due
8/30/2024 6:00:00 AM
 
Archive Date
09/14/2024
 
Point of Contact
Cassandra Ayala, Karin Werner
 
E-Mail Address
cassandra.ayala.1@us.af.mil, karin.werner.1@us.af.mil
 
Description
Our organization is presently utilizing Fortify Static Code Analyzer (SAST) and Fortify Dynamic Application Security Testing (DAST) for ongoing cybersecurity and testing operations. In our pursuit of identifying possible alternative solutions, we are conducting market research to assess products and services that can fulfill the specific criteria outlined below. The organizational objectives of this research are as follows:

- Identify and catalog available products and solutions in the market.
- Evaluate the features, functionality, and pricing of each alternative to determine its suitability for our needs.
- Assess the level of integration and compatibility of each alternative with our DevSecOps platform, while ensuring compliance with DoD security requirements.
- Estimate the level of government resources required to migrate to a new solution, while maintaining our current operational capabilities.

The following are several key characteristics that we are employing to align with the organizational objectives stated above. Please note that this list is not comprehensive, but it does offer an overview of some of the most critical requirements for our specific environment. To meet DoD CIO DevSecOps Reference Design compliance and perform continuous cybersecurity and testing activities, the tool must provide the following features:

- Software must be containerized and deployable through Helm charts.
- Language: should support a wide range of programming languages, including popular languages like Java, C++, Python, and JavaScript, as well as C#, TypeScript, CSS, HTML, Go, PHP, Helm, XML, Terraform, Ruby, Scala, Swift, Objective-C, C, PL/SQL, T-SQL, and VB.NET. This broad language support ensures that the tool can be used across different development environments and can identify vulnerabilities in a variety of codebases.
- Integration: should be able to integrate with other development tools, such as IDEs, build systems, and CI/CD pipelines.
- Customization: should allow for customization of rules and policies to align with the organization's security standards.
- Reporting: should provide comprehensive and actionable reports, highlighting vulnerabilities and prioritizing remediation efforts; e.g., it should be possible to make RESTful API calls to trigger code scans and pull down the scan results.
- Compliance: should support compliance with industry standards, such as OWASP Top 10, SANS Top 25, and PCI DSS.
- Training and support: should provide training and support resources to help developers understand and remediate vulnerabilities.
- Speed and efficiency: should be able to analyze code quickly and efficiently, minimizing the impact on development cycles.
- Needs to support SAML integration for Single Sign-On (SSO).
- Licensing based on the number of lines of code scanned, with no restrictions on the number of users or frequency of scanning.

Static application security testing and scanning (SAST):

- Static code analysis
- Source code linting
- Source code test coverage
- CI/CD integration
- Customizable security scanning and reporting
- The tool must integrate with various package managers to provide security testing during the build process of applications; at a minimum, supported package managers must include Maven, Gradle, NuGet, NPM, and RubyGems.

Dynamic Application Security Testing (DAST):

- Web application scanning: should be able to scan web applications and APIs to identify security vulnerabilities such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
- Comprehensive testing: should be able to test all layers of the application stack, including the network, application, and database layers.
- Automated testing: should be able to automate the testing process, reducing the manual effort required to identify security vulnerabilities.
- Integration with development tools: should be able to integrate with development tools such as IDEs, build systems, and CI/CD pipelines to provide a seamless integration of security testing into the development process.
- Reporting and remediation: should be able to provide detailed reports of security vulnerabilities and recommend remediation steps to address them.
- Support for a wide range of technologies: should support a wide range of technologies, including web application frameworks, programming languages, and protocols, to ensure comprehensive coverage of the application stack.
- Scalability: should be able to scale to handle large web applications and APIs, as well as multiple applications and services.

Our organization will consider both commercial and open-source solutions.
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/594be2491c6b4b73978420aaee039ef5/view)
 
Place of Performance
Address: San Antonio, TX, USA
Country: USA
 
Record
SN07176831-F 20240821/240819230124 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
