Ensuring Compliance During Development

Engage the Compliance bodies early in the development stage. See About the Mobile App Compliance Review for summaries of all of the Compliance Bodies reviews.

Note: Resolving all review issues during development does not guarantee your App can pass the formal reviews that occur during the Compliance Review Stage.

Product Component Test

VA analyzes VA App code several different times, and developers must perform a static code analysis during the development stage. VA provides the HP Fortify suite for this analysis. Developers get immediate feedback regarding security vulnerabilities and remediate these issues before sending the product on for further review by the other reviewers. Bugs quashed early cost far less than those that have to be negotiated through later phases in the SDLC. The Fortify tools create a code review analysis file that must be submitted to the Software Assurance (SwA) Program along with the baseline of code to be reviewed. As part of this process there may be false positives identified by the tool and the response to these findings should be specified in the code review file. The final build of the product to be released for compliance review should be supplied to the SwA Program Office. The Point of Contact for the Component Test is usually the Project Manager.

If you have an MAE JIRA account you can read about all of the code scans at the following address:

About the Security Scans at https://wiki.mobilehealth.va.gov/display/DevHelp/About+the+Security+Scans