Fortify and native source code analysis of Android and iOS applications.

Hello,

I have some questions regarding scanning the native source code for iOS and Android.

Can someone help me?

- Is it market practice to inspect (SAST) the NATIVE source code of Android and iOS Apps directly in the CI/CD process?

a) What is the security policy applied in the Fortify tool?
- Is the use of translation mandatory?
- Is it necessary to use all analyzers?
- Is it necessary to use all the rules in the Rulepacks?

b) Is there a set of specific good practices that should be followed?
- Settings to find more problems
- Settings to improve scanning performance (important)

- If it is not a good practice to perform inspection (SAST) on the NATIVE code of Mobile Apps, what is the best practice to follow using tools from the Fortify suite?

There are ScanCentral SAST commands to improve the performance of these checks in iOS and Android source code.