
Transforming AppSec

The Top Three Ways to Build Security into DevOps


Executive Summary
Today’s approach to application security relies on resource-intensive testing, triage, and vulnerability remediation
performed late in the software development life cycle. This results in a backlog of vulnerabilities that often
overwhelm development and security teams’ ability to fix them before they’re released into production.
To build security into DevOps and achieve true DevSecOps, organizations need to adopt a new approach that
provides intelligent, context-aware application security risk management.
This eBook details three facets of this new approach.
• Empower your developers to secure code as fast as they write it
• Run the right tests at the right time
• Cut through the noise of findings and focus on what matters most

| synopsys.com | 2
The Status Quo: Velocity over Security
As organizations adopt DevOps, the speed and complexity of software development has increased. In response, security and development
teams are working in tandem to streamline testing by integrating application security testing (AST) tools into DevOps workflows. But
integrating security introduces several hurdles that offset the time-savings of DevOps—hurdles such as wading through numerous or
redundant findings, extraneous testing, and an inability to triage or understand how to remediate known vulnerabilities. These challenges
have caused many DevOps initiatives to stall or fail, leaving applications less than fully tested—and less than fully secure.

Today applications are an attractive vector for cybercriminals to target, making software risk a business risk that extends all the way
to a company’s bottom line. Many web, mobile, and microservice applications reside beyond the firewall, but they still provide access
to sensitive data and other systems inside the protected network. Cybercriminals have learned it’s often easier to target vulnerable
applications than an organization’s network infrastructure. Indeed, nearly 50% of all data breaches over the last several years have
exploited application vulnerabilities.1

These breaches are also increasingly expensive. The average financial impact of a data breach rose from $3.86 million in 2020 to $4.24
million in 2021—the highest average in the 17-year history of the IBM “Cost of a Data Breach Report 2021.”2

These statistics make the findings of a recent study by Enterprise Strategy Group (ESG) all the more alarming: 79% of organizations
admitted to pushing application changes into production with known vulnerabilities. When asked why, 54% said the need to meet critical
deadlines forced teams to prioritize releasing vulnerable code instead of fixing it. This, despite 70% of the same organizations utilizing 11
or more AST tools at any given time.3

Clearly, the legacy approach to application security (AppSec), which “tacks on” testing, triage, and remediation to DevOps, is not keeping
pace with modern software development or the threats presented by today’s cybercriminals.

A new approach to AppSec is needed—one that addresses business risk without impeding business progress, removes the false choice
between speed and security, and makes the promise of DevSecOps a reality.

The New Generation of AppSec: Achieving Security Velocity


To build security into DevOps and achieve true DevSecOps, organizations need to manage AppSec workflows without hindering speed
and flexibility. This requires integrating AppSec at every stage of the software development life cycle (SDLC) and giving security and
development teams a global view of software risk, critical vulnerabilities, and workflow management across tools, personas, and
operations. Doing so would enable intelligent, context-aware application security risk management.

But how do you get there?

As software development processes and tools become more modular, integrated, and automated, so too must the tools and processes used
to secure software. This is especially true for the security tools that are “shifting left” in the SDLC and reaching the developer’s desktop.

But DevSecOps isn’t simply about integrating and automating AST tools. It’s about intelligently running the right tests at the right time
and giving teams the ability to focus on the issues that matter most to their business. Organizations that succeed in these areas will turn
software security initiatives from a productivity inhibitor into a business enabler and competitive advantage.

Empower Your Developers to Secure Code as Fast as They Write It
The lowest-cost vulnerability to remediate is the one that never makes it into the codebase. Giving developers tools that allow them to fix
issues before they commit their code to the build pipeline reduces strain on downstream testing.

But most developers are not security experts. And unfortunately, tools that are optimized for security teams are often too complex
and disruptive to be embraced by developers. To make matters worse, security tools often require developers to leave their integrated
development environments (IDEs) to analyze issues and determine appropriate fixes. But constantly switching tools and contexts is a
productivity killer.

The solution: Fast, lightweight AppSec analysis in the IDE


Developers need an IDE-based AppSec solution that helps them find and fix security issues on the fly, while they code, without switching
tools or interrupting their workflows. The solution should combine integrated static application security testing (SAST) and integrated
software composition analysis (SCA) to provide real-time alerts and visibility into security weaknesses in proprietary code and known
vulnerabilities in open source dependencies.

Code Sight by Synopsys


Code Sight™ offers these benefits as well as insight into unsecured infrastructure-as-code (IaC) configurations, potential secrets or
sensitive data leakage risks, and vulnerable API usage.

Code Sight analyzes large codebases in seconds; it scans WebGoat in 3 seconds and Apache Hadoop in 10 seconds. It offers detailed
remediation guidance directly in the IDE, helping developers fix issues fast and improve code quality.

Code Sight’s integrated SAST automatically scans and analyzes source code and IaC files as developers work. It highlights detected
issues in the editor window for easy identification. Hovering over a highlighted line of code displays issue descriptions and remediation
guidance, allowing developers to fix many vulnerabilities with a single click.

Code Sight’s integrated SCA detects known security vulnerabilities in both direct and transitive open source dependencies. It identifies the
vulnerability as well as the Common Vulnerabilities and Exposures (CVE) and Black Duck® Security Advisory ID directly in the IDE. It also
provides severity information based on Common Vulnerability Scoring System (CVSS) scores to help prioritize which issues to fix first.
Remediation guidance helps developers select the next available vulnerability-free or lower-risk version of the component.

Code Sight is unique in that it embeds market-leading open source and code analysis technology, optimized for the speed requirements of
developers, directly within the tools they are already using. It proactively improves an organization’s security posture while saving time and
money.


Run the Right Test at the Right Time
Choosing the right type of AST tool requires several considerations: the environment in which the tool is deployed, the types of software
flaws it searches for, the programming languages the tool supports, and the stage of the SDLC when testing is run. For this
reason, most organizations use a variety of AST tools, including proprietary and third-party/commercial dynamic application security
testing (DAST), interactive application security testing (IAST), static application security testing (SAST), and software composition analysis
(SCA). According to ESG, 70% of firms use more than 11 AST tools, and 27% use more than 25 AST tools.4

Although many tools offer direct integration with DevOps pipelines, teams often struggle with the complexity and time lags this
automation introduces. Automating full scans with every build can clog pipelines and overwhelm developers with findings “noise.”

The challenges of integrating and automating AST tools include

• Lengthy scan cycles. DevOps build pipelines run in a matter of seconds to a few minutes, but AppSec tool scans often take several
hours. Factor in multiple forms of analysis (SAST, DAST, SCA, etc.) and the problem is compounded, turning remediation hours into days
or even weeks.
• Too many findings. Integrating and automating full AST scans into continuous integration pipelines causes an overwhelming volume
(and duplication) of results, even if only a small percentage are problematic enough to require developer attention. Teams get bogged
down in triage and remediation, leading to delivery schedules taking precedence over security concerns.
• Proliferation of tools and scans. Running multiple testing tools at different points of the SDLC can produce duplicate results that need
to be correlated and deduplicated later. Most teams fail to merge related findings, increasing the backlog of remediation activities.

The solution: Application security testing orchestration
Smaller, purpose-built tests that can be run intelligently—at the right time, to the right depth, and on the right application—relieve
congestion and keep DevOps pipelines running smoothly. To do this, organizations need an application security testing orchestration
(ASTO) solution to stitch together disparate tools and processes and coordinate their execution automatically.

ASTO tools integrate security tooling across the SDLC by acting as middleware between

• Development, including IDE, continuous integration/continuous delivery (CI/CD) systems, and bug-tracking
• Operations, including container orchestration engines and continuous configuration automation
• Security, including scanning tools and vulnerability management
Per Gartner, “ASTO solutions aid security, development, and operations teams in coordinating the many security tests that should be
performed on code. As such, these solutions can be a significant enabler in implementing DevSecOps initiatives, and they promise
substantial benefits in terms of more consistent testing and smoother operations.”5

In practice, ASTO solutions automatically run the right security tools or trigger manual testing activities based on the significance of code
changes, total risk score, and your organization’s security policies.

Intelligent Orchestration by Synopsys
With Intelligent Orchestration, you gain the option of running your ASTO solution directly in the build/release pipeline; in a separate,
isolated pipeline; or through a separate execution environment. The isolated pipeline runs parallel to existing pipelines and integrates into
them via APIs (see Figure 1 below). You also get the added benefit of integrating with third-party tools, whether on premises or in the
cloud.

Figure 1. The isolated testing pipeline

Intelligent Orchestration also allows organizations to set policies-as-code, defining the rules for which tests to run and when, and to enact
the policies programmatically via API. For example, you can set risk scores based on criteria such as whether an application is internet-
facing, business-critical, contains restricted data, includes critical open vulnerabilities, or has had significant code changes. You can
customize the score ranges and types of tools to run based on predetermined policies, compliance, and governance requirements.

Intelligent Orchestration can also initiate manual or out-of-band activities, such as code reviews and penetration tests, through existing
defect-tracking systems and communication channels. This enables security and development teams to implement coordinated
workflows that align security compliance objectives with application development and release milestones (see Figure 2 below).
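The two paragraphs above describe a policy-as-code loop: score an application change against criteria such as internet exposure, business criticality, restricted data, open critical vulnerabilities and change size, then map score ranges to the automated tests and out-of-band activities to trigger. The following Python is an added illustration of that loop and is not Intelligent Orchestration's policy format or code; the weights, the 0 to 100 scale, the tier thresholds, the 500-line "significant change" cutoff and the tool names per tier are all assumptions chosen for the example.

```python
"""Policy-as-code risk scoring that picks AST tools and manual activities.

Added example. Weights, thresholds and tier contents are assumptions made
for illustration, not any vendor's shipped policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppChange:
    """Facts about one application change that the policy scores."""
    name: str
    internet_facing: bool
    business_critical: bool
    restricted_data: bool
    critical_open_vulns: int   # open findings currently rated critical
    changed_lines: int         # lines touched by this commit / pull request


# Assumed point values for each yes/no criterion.
WEIGHTS = {"internet_facing": 30, "business_critical": 25, "restricted_data": 25}
VULN_POINTS_EACH = 5           # points per open critical vulnerability ...
VULN_POINTS_CAP = 20           # ... capped so one noisy app cannot dominate
SIGNIFICANT_CHANGE_LINES = 500 # assumed cutoff for a "significant" change
CHANGE_POINTS = 10


def risk_score(app: AppChange) -> int:
    """Combine the criteria into a 0-100 score (assumed scale)."""
    score = 0
    for criterion, points in WEIGHTS.items():
        if getattr(app, criterion):
            score += points
    score += min(app.critical_open_vulns * VULN_POINTS_EACH, VULN_POINTS_CAP)
    if app.changed_lines >= SIGNIFICANT_CHANGE_LINES:
        score += CHANGE_POINTS
    return min(score, 100)


# Policy table, highest tier first: (minimum score, automated tests, out-of-band activities).
# Lower tiers run fewer, faster tests so the pipeline is not clogged on low-risk changes.
POLICY = [
    (80, ("SCA", "SAST", "DAST", "IAST"), ("penetration test",)),
    (60, ("SCA", "SAST", "DAST"), ()),
    (30, ("SCA", "SAST"), ()),
    (0, ("SCA",), ()),
]


def plan(app: AppChange) -> dict:
    """Return which tests to run and which manual activities to open for this change."""
    score = risk_score(app)
    for threshold, tests, manual in POLICY:
        if score >= threshold:
            out_of_band = list(manual)
            # A significant change warrants a human code review regardless of tier.
            if app.changed_lines >= SIGNIFICANT_CHANGE_LINES:
                out_of_band.append("code review")
            return {"app": app.name, "score": score,
                    "tests": list(tests), "manual": out_of_band}
    raise AssertionError("POLICY must end with a 0-score tier")


# Constructed sample changes for three hypothetical applications.
PAYMENTS = AppChange("payments-api", True, True, True, 2, 640)
PORTAL = AppChange("partner-portal", True, False, True, 0, 100)
WIKI = AppChange("internal-wiki", False, False, False, 0, 40)

if __name__ == "__main__":
    for change in (PAYMENTS, PORTAL, WIKI):
        print(plan(change))
```

Because the table and weights live in code, they can be version-controlled, reviewed and tested like any other pipeline configuration; a change to a threshold shows up as a diff rather than a click in a console.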

• Plan: Threat modeling; Design review
• Code: SAST; SCA; Malicious code prevention
• Build: SAST; SCA; Binary analysis; Malicious code detection
• Test: DAST; IAST; Fuzzing
• Deploy: Penetration testing; Container image scan
• Operate: Configure review; Red teaming; Security audits

Figure 2. Run the right test at the right time, as well as manual and out-of-band activities

With ASTO solutions like Intelligent Orchestration

• Developers spend less time chasing low-priority defects and more time fixing the ones that present the highest business risk
• DevOps engineers add security checks into their existing workflows without breaking them or slowing them down
• AppSec teams ensure compliance with risk policies and integrate manual and out-of-band activities with DevOps workflows

Cut Through the Noise of Findings and Focus on What Matters Most
With most organizations running 11 or more AST tools, and with each scan of each tool producing hundreds or even thousands of
findings, it’s easy to see how results can get too unwieldy to manage and triage. Even if you’re using an ASTO solution to limit the front-
end load, you will likely struggle to rationalize the disparate findings from different tests, aggregate them into a single source of truth, and
prioritize them based on your organization’s risk posture and policies.

It’s no wonder that many security and development teams struggle to answer basic questions such as

• When was my software tested?


• What was found?
• Where do my vulnerabilities come from?
• What is the extent of my exposure/exploitability?
• What was fixed?
Three main issues prevent teams and their executives from answering these questions.

• People. The responsibility for AppSec is split across many teams (Development, QA, AppSec, etc.) and even across projects. Each team
is often narrowly focused on its particular component or SDLC phase.
• Process. Manual activities like code reviews and penetration tests are often not coordinated with automated testing activities.
• Technology. Teams must pull findings from the multitude of AST tools they use, which categorize and prioritize findings differently. This
makes it difficult to manually normalize and correlate results between them.

The solution: Application vulnerability correlation


The inability to pinpoint vulnerable software, centralize and prioritize critical findings, and track the progress of remediation efforts has led
many organizations to implement an application vulnerability correlation (AVC) solution.

AVC tools provide workflow and process management capabilities that help streamline vulnerability remediation in the SDLC by
normalizing AST results to a common nomenclature. They also correlate findings from myriad security testing tools and data sources
in a central repository, filter out duplicate results, and assess the exploitability and severity of a vulnerability, making remediation and
prioritization of security activities more effective. AVC tools optimize the triage process and reduce friction between security and
development teams by automating the process flow between people, processes, and technology.
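The paragraph above lists the core AVC operations: normalize each tool's output to a common nomenclature, correlate findings from different tools, drop duplicates, and rank what remains by severity. The Python below is an added example of those steps over two constructed scanner outputs; it is not Code Dx's code or data model. The two input shapes (one flat, one SARIF-like), the severity mapping and the three-line tolerance used to decide that two reports describe the same issue are assumptions for the example.

```python
"""Normalize, correlate, deduplicate and prioritize findings from two AST tools.

Added example. The input formats are constructed stand-ins for scanner
output; the severity mapping and line tolerance are assumptions.
"""
from dataclasses import dataclass, field, replace

# Constructed output of a hypothetical SAST tool "sast_a" (flat records, numeric CWE).
SAST_A = [
    {"cwe": 89, "severity": "High", "file": "src/db.py", "line": 42,
     "msg": "SQL query built from user input"},
    {"cwe": 79, "severity": "Medium", "file": "src/views.py", "line": 10,
     "msg": "Unescaped output in template"},
]

# Constructed output of a hypothetical second tool "sast_b" (SARIF-like shape, CWE in ruleId).
SAST_B = [
    {"ruleId": "CWE-89", "level": "error",
     "locations": [{"path": "src/db.py", "startLine": 43}], "text": "SQL injection"},
    {"ruleId": "CWE-798", "level": "warning",
     "locations": [{"path": "src/config.py", "startLine": 3}], "text": "Hard-coded credential"},
]

# Common severity vocabulary and rank used for prioritization.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# Assumed mapping of sast_b's level words onto the common vocabulary.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


@dataclass
class Finding:
    """One finding in the common nomenclature, with the tools that reported it."""
    cwe: int
    path: str
    line: int
    severity: str
    message: str
    sources: set = field(default_factory=set)


def from_sast_a(raw: dict) -> Finding:
    return Finding(cwe=raw["cwe"], path=raw["file"], line=raw["line"],
                   severity=raw["severity"].lower(), message=raw["msg"],
                   sources={"sast_a"})


def from_sast_b(raw: dict) -> Finding:
    loc = raw["locations"][0]
    cwe = int(raw["ruleId"].split("-", 1)[1])            # "CWE-89" -> 89
    return Finding(cwe=cwe, path=loc["path"], line=loc["startLine"],
                   severity=LEVEL_TO_SEVERITY.get(raw["level"], "info"),
                   message=raw["text"], sources={"sast_b"})


def correlate(findings: list, line_tolerance: int = 3) -> list:
    """Merge findings with the same CWE and file whose lines are within tolerance."""
    merged: list = []
    for f in findings:
        for m in merged:
            if (m.cwe == f.cwe and m.path == f.path
                    and abs(m.line - f.line) <= line_tolerance):
                m.sources |= f.sources
                # Keep the highest severity any tool assigned to the shared issue.
                if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
                    m.severity = f.severity
                break
        else:
            merged.append(replace(f, sources=set(f.sources)))  # copy, do not alias
    return merged


def prioritize(findings: list) -> list:
    """Highest severity first; among equals, issues confirmed by more tools first."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_RANK[f.severity], len(f.sources)),
                  reverse=True)


def triage(raw_a: list, raw_b: list) -> list:
    findings = [from_sast_a(r) for r in raw_a] + [from_sast_b(r) for r in raw_b]
    return prioritize(correlate(findings))


if __name__ == "__main__":
    for f in triage(SAST_A, SAST_B):
        print(f.severity, f"CWE-{f.cwe}", f"{f.path}:{f.line}", sorted(f.sources))
```

In practice the correlation key would also take the rule's weakness category and a code fingerprint into account, because line numbers shift as files change; the point here is that both tools' reports of the same SQL injection collapse into one record that carries both sources, while the remaining findings keep their own severity after translation onto the common scale.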

Code Dx by Synopsys
Code Dx integrates all your AST results into a centralized location and automates the most time-intensive tasks to speed up testing and
remediation (see Figure 3 below).

Without automation | With automation
No bird’s-eye view of results | One centralized platform to see everything
Difficult to scale AppSec with DevOps | Scale on demand
Friction between security and DevOps teams | Security and development work in harmony
Vulnerabilities found too late in SDLC | Save remediation costs by fixing earlier in SDLC
No centralized record of AppSec processes | AppSec system of record for accountability

Figure 3. The benefits of an ASOC approach

Code Dx

• Correlates results from all your AST tools (static, dynamic, commercial, and open source) into a single console
• Prioritizes vulnerabilities using machine learning to predict which vulnerabilities are most critical to your organization and
automatically sends high-priority ones to your developers’ issue-trackers (e.g., Jira) for remediation
• Tracks remediation activities in a system of record to manage accountability and assign tasks to specific team members
• Centralizes risk visibility to provide a 360-degree view of risk for all applications (custom code, third-party components, and network)
where your software resides
Code Dx fits seamlessly into the CI/CD pipeline, consolidating all your AppSec activities into a single place. Because Code Dx has two-way
integrations with issue-trackers like Jira, your development team never has to interact directly with any application analyzers.

The Key to AppSec Efficiency: Application Security Orchestration and Correlation
Clearly, the rate and complexity of today’s software development requires automation. This includes running the right security tools at the
right time as well as managing and triaging the results. The growing adoption of security automation led Gartner to define a new category
of solutions that merged ASTO and AVC into one: application security orchestration and correlation (ASOC).

ASOC solutions like Intelligent Orchestration and Code Dx provide the automation needed to scale security testing and identify and
conduct the most impactful security activities. This enables stakeholders across security and development to keep up with DevOps
pipelines, while still allowing granular control over each step of the process.

ASOC tools

• Automate the deployment of the right tools at the right time


• Allow granular policy enforcement
• Aggregate, deduplicate, normalize, and correlate findings
• Provide audit control and reporting to support organizational and regulatory standards

Conclusion
As you look to accelerate software development, these three pillars will help mitigate software risk and keep your internal operations
resilient. Synopsys offers a layered approach to security and development teams to accomplish this. Code Sight provides developers with
a quick analysis of source code and remediation guidance to implement security on the ground level. Intelligent Orchestration and Code
Dx comprise a complete ASOC solution that enables organizations to gain an AppSec system of record, coordinate testing intelligently,
and gauge their most impactful security activities based on risk.

References
1. Terry Ray, Billions of Compromised Records and Counting: Why the Application Layer is Still the Front Door for Data Breaches, Threatpost.com, June 8, 2021.
2. IBM.com, Cost of a Data Breach Report 2021, IBM, 2021.
3. Dave Gruber, Cracking the Code of DevSecOps, ESG, June 2021.
4. Ibid.
5. Ayal Tirosh, Hype Cycle for Application Security, 2017, Gartner, July 28, 2017.


The Synopsys difference


Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software,
accelerating innovation while addressing business risk. Our industry-leading portfolio of software security products and services is the
most comprehensive in the world and interoperates with third-party and open source tools, allowing organizations to leverage existing
investments to build the security program that’s best for them. Only Synopsys offers everything you need to build trust in your software.

For more information about the Synopsys Software Integrity Group, visit us online at www.synopsys.com/software.
Synopsys, Inc., 690 E Middlefield Road, Mountain View, CA 94043 USA
U.S. Sales: 800.873.8193
International Sales: +1 415.321.5237
Email: [email protected]

©2022 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at
www.synopsys.com/copyright.html . All other names mentioned herein are trademarks or registered trademarks of their respective owners. March 2022
