PW is seeking to procure, adopt, and integrate a Software as a Service (SaaS) solution that will perform Static Application Security Scanning as outlined below. This document provides a high-level overview of the background and objectives. The requirements to achieve these goals are detailed in Sections B through G. • The Static Application Security Testing (SAST) service will empower Public Works development teams to proactively scan their code and frameworks for critical defects during code reviews, embracing process concepts such as Shift Left and Security Development Operations (SecDevOps). By integrating this service into the Software Development Lifecycle (SDLC), application developers will receive a vendor-reviewed list of vulnerabilities, reducing false positives and streamlining the deployment process for optimal efficiency. • Remediation guidance provided by security engineers must be included as part of the service/solution. • The service must include scan configurations provided by trained security engineers. • Manual vulnerability assessment and validation to remove any false positives must be included.
