Hi guys, quick question : we are currently running Fortify [https://en.wikipedia.org/wiki/Fortify_Software] in our CI to check for potential vulnerability of our Java code. We plan to migrate some components to Kotlin but Fortify does'nt support Kotlin (yet?).
Do you know something able to do a security audit on Kotlin code ?
10/11/2018, 8:53 AM
Have you asked Fortify on their plans to support Kotlin? What was the answer?
10/11/2018, 8:55 AM
Hi Roman, we haven't yet. It seems like they also can audit the bytecode, but not with the same level of precision.
10/11/2018, 10:29 AM
I was extremely fortunate because my employer was OK with the byte code scan from fortify. I'd start there.
Of course it finds false positives and you need accommodating reviewers as the source code isn't directly available if the scan is done via cli.
10/11/2018, 12:06 PM
Thanks for you feedback Mike
10/11/2018, 12:13 PM
NP. Let me know if you have any other questions. I had to modify our CI process so that Fortify runs differently for Java than for Kotlin, so I became more familiar with Fortify than I wanted to 😉