WavebreakmediaMicro - Fotolia
Synopsys has introduced a new application security tool that combines the best of static application security testing and software composition analysis capabilities.
The new capabilities come in the form of an update to the company's Polaris Software Integrity Platform's Code Sight IDE plug-in, which can reside in developers' desktops. The combined static application security testing (SAST) and software composition analysis (SCA) capabilities will help developers find and fix bugs and security vulnerabilities in proprietary code, as well as known weaknesses in open source code at the same time, without having to leave the confines of their favorite IDE.
According to experts, while this is a positive move for developers, it is not necessarily or completely unprecedented. Blending SAST and SCA capabilities in a single platform has been done before, but usually at the expense of the robustness of one method or the other, said Chris Gonsalves, senior vice president of research at The 2112 Group in Port Washington, N.Y.
Chris GonsalvesSVP of research, The 2112 Group
"In the ongoing battle to improve security in the application development environment, there are three things that are important: speed, speed and speed," Gonsalves said. "If we're being sincere about really wanting to bake security into development, the infosec mindset needs to move as far to the left on the timeline as possible."
Speed was indeed a factor in the Synopsis strategy to not only focus more on security, but also to do it quickly by enabling developers to fix bugs in real time and avoid security issues going undetected for long periods, said Patrick Carey, director of product marketing in the software integrity group at Synopsys.
The update to Synopsys' Polaris platform brings together static and open source vulnerability scanning on the developer's workstation, where coders can get immediate feedback and take immediate action on two important subsets of security issues before the troublesome code can get too far down the road toward production.
While there are other security companies that have provided support for either SAST or SCA security testing, they did not allow developers to test both simultaneously in the way that Synopsys is with the new Code Sight release, according to Carey.
"Developers were always faced with kind of the clunky workflow where they could use one tool to address one type of security risk, and then they'd have to go and use another," Carey said. "We see the walls between those two tearing down, and developers are just looking for something to help them build secure code."
A focus on visibility
The Code Sight plug-in offers information on known vulnerabilities listed in Black Duck Security Advisories (BDSAs), as well as public Common Vulnerabilities and Exposures (CVE) records from the National Vulnerability Database (NVD). The BDSAs give developers more timely and accurate information than is available in the NVD, Carey said.
The plug-in also gives developers information on the best fixes for the problems it uncovers and directs them to more secure versions of the components they are using. In addition, the plug-in provides information about open source license risks and potential security and license compliance issues.
SCA testing came about because so much code is built on open source libraries these days, said Sandy Carielli, an analyst at Forrester Research.
"SCA is great for being able to scan your product to determine what open source libraries may exist in it, and whether there are vulnerable versions, so that you know whether you might need to upgrade the version of the library you're using in some cases," Carielli said. "SCA can also be used to help you understand if you have multiple versions of the same library. Or if you may have licensing issues -- maybe you're using a particular library with a particularly restrictive license."
Synopsys will release the updates Code Sight plug-in on Feb. 18 and will showcase the technology at the RSA Conference 2020 in San Francisco on Feb. 24 to 28.
"Again, the real star here is speed," Gonsalves reiterated. "Wringing vulnerabilities out of app dev as early as possible right in the IDE not only makes code more secure, it exponentially increases the efficiency of the application development lifecycle by reducing the rework required when bugs crop up late in the game."