Transforming AppSec
| synopsys.com | 2
Organizations need to adopt a new approach that provides intelligent, context-aware application security risk management.
The Status Quo: Velocity over Security
As organizations adopt DevOps, the speed and complexity of software development have increased. In response, security and development
teams are working in tandem to streamline testing by integrating application security testing (AST) tools into DevOps workflows. But
integrating security introduces several hurdles that offset the time-savings of DevOps—hurdles such as wading through numerous or
redundant findings, extraneous testing, and an inability to triage or understand how to remediate known vulnerabilities. These challenges
have caused many DevOps initiatives to stall or fail, leaving applications less than fully tested—and less than fully secure.
Today, applications are an attractive vector for cybercriminals to target, making software risk a business risk that extends all the way
to a company’s bottom line. Many web, mobile, and microservice applications reside beyond the firewall, but they still provide access
to sensitive data and other systems inside the protected network. Cybercriminals have learned it’s often easier to target vulnerable
applications than an organization’s network infrastructure. Indeed, nearly 50% of all data breaches over the last several years have
exploited application vulnerabilities.[1]
These breaches are also increasingly expensive. The average financial impact of a data breach rose from $3.86 million in 2020 to $4.24
million in 2021—the highest average in the 17-year history of the IBM “Cost of a Data Breach Report 2021.”[2]
These statistics make the findings of a recent study by Enterprise Strategy Group (ESG) all the more alarming: 79% of organizations
admitted to pushing application changes into production with known vulnerabilities. When asked why, 54% said the need to meet critical
deadlines forced teams to prioritize releasing vulnerable code instead of fixing it. This, despite 70% of the same organizations utilizing 11
or more AST tools at any given time.[3]
Clearly, the legacy approach to application security (AppSec), which “tacks on” testing, triage, and remediation to DevOps, is not keeping
pace with modern software development or the threats presented by today’s cybercriminals.
A new approach to AppSec is needed—one that addresses business risk without impeding business progress, removes the false choice
between speed and security, and makes the promise of DevSecOps a reality.
As software development processes and tools become more modular, integrated, and automated, so too must the tools and processes used
to secure software. This is especially true for the security tools that are “shifting left” in the SDLC and reaching the developer’s desktop.
But DevSecOps isn’t simply about integrating and automating AST tools. It’s about intelligently running the right tests at the right time
and giving teams the ability to focus on the issues that matter most to their business. Organizations that succeed in these areas will turn
software security initiatives from a productivity inhibitor into a business enabler and competitive advantage.
Empower Your Developers to Secure Code as Fast as They Write It
The lowest-cost vulnerability to remediate is the one that never makes it into the codebase. Giving developers tools that allow them to fix
issues before they commit their code to the build pipeline reduces strain on downstream testing.
But most developers are not security experts. And unfortunately, tools that are optimized for security teams are often too complex
and disruptive to be embraced by developers. To make matters worse, security tools often require developers to leave their integrated
development environments (IDEs) to analyze issues and determine appropriate fixes. But constantly switching tools and contexts is a
productivity killer.
Code Sight analyzes large codebases in seconds; it scans WebGoat in 3 seconds and Apache Hadoop in 10 seconds. It offers detailed
remediation guidance directly in the IDE, helping developers fix issues fast and improve code quality.
Code Sight’s integrated SAST automatically scans and analyzes source code and IaC files as developers work. It highlights detected
issues in the editor window for easy identification. Hovering over a highlighted line of code displays issue descriptions and remediation
guidance, allowing developers to fix many vulnerabilities with a single click.
Code Sight’s integrated SCA detects known security vulnerabilities in both direct and transitive open source dependencies. It identifies the
vulnerability as well as the Common Vulnerabilities and Exposures (CVE) and Black Duck® Security Advisory ID directly in the IDE. It also
provides severity information based on Common Vulnerability Scoring System (CVSS) scores to help prioritize which issues to fix first.
Remediation guidance helps developers select the next available vulnerability-free or lower-risk version of the component.
Code Sight is unique in that it embeds market-leading open source and code analysis technology, optimized for the speed requirements of
developers, directly within the tools they are already using. It proactively improves an organization’s security posture while saving time and
money.
Run the Right Test at the Right Time
Choosing the right type of AST tool requires several considerations: the environment in which the tool is deployed, the types of software
flaws it searches for, the programming languages the tool supports, and the stage of the SDLC when testing is run. For this
reason, most organizations use a variety of AST tools, including proprietary and third-party/commercial dynamic application security
testing (DAST), interactive application security testing (IAST), static application security testing (SAST), and software composition analysis
(SCA). According to ESG, 70% of firms use more than 11 AST tools, and 27% use more than 25 AST tools.[4]
Although many tools offer direct integration with DevOps pipelines, teams often struggle with the complexity and time lags this
automation introduces. Automating full scans with every build can clog pipelines and overwhelm developers with findings “noise.”
• Lengthy scan cycles. DevOps build pipelines run in a matter of seconds to a few minutes, but AppSec tool scans often take several
hours. Factor in multiple forms of analysis (SAST, DAST, SCA, etc.) and the problem is compounded, turning remediation hours into days
or even weeks.
• Too many findings. Integrating and automating full AST scans into continuous integration pipelines causes an overwhelming volume
(and duplication) of results, even if only a small percentage are problematic enough to require developer attention. Teams get bogged
down in triage and remediation, leading to delivery schedules taking precedence over security concerns.
• Proliferation of tools and scans. Running multiple testing tools at different points of the SDLC can produce duplicate results that need
to be correlated and deduplicated later. Most teams fail to merge related findings, increasing the backlog of remediation activities.
Application security testing orchestration (ASTO) tools integrate security tooling across the SDLC by acting as middleware between
• Development, including IDE, continuous integration/continuous delivery (CI/CD) systems, and bug-tracking
• Operations, including container orchestration engines and continuous configuration automation
• Security, including scanning tools and vulnerability management
Per Gartner, “ASTO solutions aid security, development, and operations teams in coordinating the many security tests that should be
performed on code. As such, these solutions can be a significant enabler in implementing DevSecOps initiatives, and they promise
substantial benefits in terms of more consistent testing and smoother operations.”[5]
In practice, ASTO solutions automatically run the right security tools or trigger manual testing activities based on the significance of code
changes, total risk score, and your organization’s security policies.
Intelligent Orchestration by Synopsys
With Intelligent Orchestration, you gain the option of running your ASTO solution directly in the build/release pipeline; in a separate,
isolated pipeline; or through a separate execution environment. The isolated pipeline runs parallel to existing pipelines and integrates into
them via APIs (see Figure 1 below). You also get the added benefit of integrating with third-party tools, whether on premises or in the
cloud.
Intelligent Orchestration also allows organizations to set policies-as-code, defining the rules for which tests to run and when, and to enact
the policies programmatically via API. For example, you can set risk scores based on criteria such as whether an application is internet-
facing, business-critical, contains restricted data, includes critical open vulnerabilities, or has had significant code changes. You can
customize the score ranges and types of tools to run based on predetermined policies, compliance, and governance requirements.
Intelligent Orchestration can also initiate manual or out-of-band activities, such as code reviews and penetration tests, through existing
defect-tracking systems and communication channels. This enables security and development teams to implement coordinated
workflows that align security compliance objectives with application development and release milestones (see Figure 2 below).
Figure 2. Run the right test at the right time, as well as manual and out-of-band activities
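As an added example (not Intelligent Orchestration’s own policy language or code), here is how the risk-score-driven test selection described above can be expressed as policy-as-code in Python. The criteria are the ones named in the text (internet-facing, business-critical, restricted data, critical open vulnerabilities, significant code change); the weights, score bands, tool names, sensitive paths, and sample applications are assumptions constructed for illustration.

```python
"""Policy-as-code test selection for a CI/CD pipeline.

Added illustration, not Intelligent Orchestration's policy format or code.
The criteria come from the text; the weights, score bands, tool names,
sensitive paths and sample applications are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class AppChange:
    """An application plus the change set a pipeline run is evaluating."""
    name: str
    internet_facing: bool
    business_critical: bool
    restricted_data: bool
    critical_open_vulns: int      # open critical findings, e.g. from SCA
    changed_files: list[str]
    total_files: int


# The policy is plain data so it can be versioned and reviewed like code.
POLICY = {
    "weights": {
        "internet_facing": 30,
        "business_critical": 25,
        "restricted_data": 25,
        "per_critical_vuln": 10,   # added per open critical finding
        "significant_change": 20,
    },
    "critical_vuln_cap": 30,           # ceiling for the per-vuln contribution
    "significant_change_ratio": 0.10,  # >= 10% of files touched is "significant"
    "sensitive_paths": ("auth/", "crypto/", "payments/"),
    # (minimum score, automated tests to run); the highest matching band wins
    "bands": [
        (0, ["sca"]),
        (40, ["sca", "sast-incremental"]),
        (70, ["sca", "sast-full", "dast"]),
    ],
    "pentest_threshold": 90,
}


def risk_score(app: AppChange, policy: dict = POLICY) -> int:
    """Combine the policy's criteria into a 0..100 score."""
    w = policy["weights"]
    score = 0
    if app.internet_facing:
        score += w["internet_facing"]
    if app.business_critical:
        score += w["business_critical"]
    if app.restricted_data:
        score += w["restricted_data"]
    score += min(app.critical_open_vulns * w["per_critical_vuln"], policy["critical_vuln_cap"])
    ratio = len(app.changed_files) / app.total_files if app.total_files else 1.0
    if ratio >= policy["significant_change_ratio"]:
        score += w["significant_change"]
    return min(score, 100)


def select_tests(app: AppChange, policy: dict = POLICY) -> dict:
    """Return the automated tests and manual activities the policy requires."""
    score = risk_score(app, policy)
    automated: list[str] = []
    for minimum, tests in policy["bands"]:
        if score >= minimum:
            automated = tests
    manual: list[str] = []
    # A change to security-sensitive code always gets a human review,
    # regardless of the score; a very high score also triggers a pentest.
    if any(f.startswith(policy["sensitive_paths"]) for f in app.changed_files):
        manual.append("code-review")
    if score >= policy["pentest_threshold"]:
        manual.append("penetration-test")
    return {"app": app.name, "score": score, "automated": automated, "manual": manual}


# Constructed sample applications and change sets.
CHECKOUT = AppChange("checkout-api", True, True, True, 0,
                     ["payments/charge.py", "payments/refund.py"]
                     + [f"src/m{i}.py" for i in range(10)], 200)
REPORTS = AppChange("internal-reports", False, False, True, 1, ["src/report.py"], 50)
LOGIN = AppChange("login-service", True, True, True, 2,
                  [f"auth/{i}.py" for i in range(30)], 100)

if __name__ == "__main__":
    for app in (CHECKOUT, REPORTS, LOGIN):
        print(select_tests(app))
```

The point of keeping `POLICY` as data rather than `if` statements is that the AppSec team can change a band or a weight through a reviewed pull request, and the pipeline picks it up on the next run; the manual activities in the returned plan are what an orchestrator would forward to the defect tracker as tickets.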
• Developers spend less time chasing low-priority defects and more time fixing the ones that present the highest business risk
• DevOps engineers add security checks into their existing workflows without breaking them or slowing them down
• AppSec teams ensure compliance with risk policies and integrate manual and out-of-band activities with DevOps workflows
It’s no wonder that many security and development teams struggle to answer basic questions such as
• People. The responsibility for AppSec is split across many teams (Development, QA, AppSec, etc.) and even across projects. Each team
is often narrowly focused on its particular component or SDLC phase.
• Process. Manual activities like code reviews and penetration tests are often not coordinated with automated testing activities.
• Technology. Teams must pull findings from the multitude of AST tools they use, which categorize and prioritize findings differently. This
makes it difficult to manually normalize and correlate results between them.
Application vulnerability correlation (AVC) tools provide workflow and process management capabilities that help streamline vulnerability
remediation in the SDLC by normalizing AST results to a common nomenclature. They also correlate findings from myriad security testing
tools and data sources in a central repository, filter out duplicate results, and assess the exploitability and severity of a vulnerability, making
remediation and prioritization of security activities more effective. AVC tools optimize the triage process and reduce friction between
security and development teams by automating the process flow between people, processes, and technology.
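To make the normalization, correlation, and deduplication steps concrete, here is an added example in Python (not Code Dx or any vendor’s code or result format). The two raw result shapes, the severity scales, the route table that maps a DAST URL back to the source file that serves it, and the rule-based ranking are all constructed assumptions.

```python
"""Normalize, correlate, deduplicate and rank findings from several AST tools.

Added illustration, not Code Dx's code or any vendor's result format.
Raw records, severity scales, the route table and the ranking rule are
constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Common severity nomenclature every tool is mapped onto (constructed).
SEVERITY_SCALE = {"critical": 9.5, "high": 8.0, "medium": 5.0, "low": 2.0, "info": 0.0}

# Constructed SAST output; the second record is the same finding reported
# again by a re-run of the scan.
SAST_RAW = [
    {"checker": "SQL_INJECTION", "cwe": 89, "path": "src/app/db.py", "line": 42, "impact": "High"},
    {"checker": "SQL_INJECTION", "cwe": 89, "path": "src/app/db.py", "line": 42, "impact": "High"},
    {"checker": "HARDCODED_SECRET", "cwe": 798, "path": "src/app/config.py", "line": 7, "impact": "Medium"},
]
# Constructed DAST output using a different shape and a 0..3 risk scale.
DAST_RAW = [
    {"alert": "SQL Injection", "cweid": "89", "url": "https://app.example/api/users?id=1", "risk": "3"},
    {"alert": "Missing X-Content-Type-Options header", "cweid": "693", "url": "https://app.example/", "risk": "1"},
]
DAST_RISK = {"0": "info", "1": "low", "2": "medium", "3": "high"}

# Constructed route table: which source file serves each URL path. This is
# what lets a runtime (DAST) hit be matched to a static (SAST) hit.
ROUTES = {"/api/users": "src/app/db.py"}


@dataclass
class Finding:
    cwe: int
    location: str                 # code location after correlation
    severity: str                 # common nomenclature
    score: float
    sources: set = field(default_factory=set)   # (tool, raw detail) pairs


def normalize_sast(raw: dict) -> Finding:
    sev = raw["impact"].lower()
    return Finding(raw["cwe"], raw["path"], sev, SEVERITY_SCALE[sev],
                   {("sast", f'{raw["path"]}:{raw["line"]}')})


def normalize_dast(raw: dict, routes: dict = ROUTES) -> Finding:
    path = urlsplit(raw["url"]).path
    sev = DAST_RISK[raw["risk"]]
    return Finding(int(raw["cweid"]), routes.get(path, path), sev, SEVERITY_SCALE[sev],
                   {("dast", raw["url"])})


def correlate(findings: list[Finding]) -> list[Finding]:
    """Merge findings that share a weakness (CWE) and a code location.

    Identical re-reports collapse because `sources` is a set; findings from
    different tools at the same place become one finding with several
    sources and the highest severity any tool assigned.
    """
    merged: dict[tuple[int, str], Finding] = {}
    for f in findings:
        key = (f.cwe, f.location)
        if key not in merged:
            merged[key] = Finding(f.cwe, f.location, f.severity, f.score, set(f.sources))
            continue
        m = merged[key]
        if f.score > m.score:
            m.severity, m.score = f.severity, f.score
        m.sources |= f.sources
    return list(merged.values())


def tools_agreeing(f: Finding) -> set[str]:
    return {tool for tool, _ in f.sources}


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Rank by how many independent tools confirm the finding, then by severity."""
    return sorted(findings, key=lambda f: (len(tools_agreeing(f)), f.score), reverse=True)


def triage(sast_raw: list = SAST_RAW, dast_raw: list = DAST_RAW) -> list[Finding]:
    normalized = [normalize_sast(r) for r in sast_raw] + [normalize_dast(r) for r in dast_raw]
    return prioritize(correlate(normalized))


if __name__ == "__main__":
    for f in triage():
        print(f"CWE-{f.cwe:<4} {f.severity:<8} {f.location:<20} confirmed by {sorted(tools_agreeing(f))}")
```

Three raw records for the SQL injection collapse into one finding that both tools confirm, and that finding sorts to the top; the header hit that only DAST saw, at a path no route maps to a file, stays a separate low-severity item. The ranking here is a deliberately simple rule, not the machine-learning prioritization the text attributes to Code Dx.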
Code Dx by Synopsys
Code Dx integrates all your AST results into a centralized location and automates the most time-intensive tasks to speed up testing and
remediation (see Figure 3 below).
Code Dx
• Correlates results from all your AST tools (static, dynamic, commercial, and open source) into a single console
• Prioritizes vulnerabilities using machine learning to predict which vulnerabilities are most critical to your organization and
automatically sends high-priority ones to your developers’ issue-trackers (e.g., Jira) for remediation
• Tracks remediation activities in a system of record to manage accountability and assign tasks to specific team members
• Centralizes risk visibility to provide a 360-degree view of risk for all applications (custom code, third-party components, and network)
where your software resides
Code Dx fits seamlessly into the CI/CD pipeline, consolidating all your AppSec activities into a single place. Because Code Dx has two-way
integrations with issue-trackers like Jira, your development team never has to interact directly with any application analyzers.
Application security orchestration and correlation (ASOC) solutions like Intelligent Orchestration and Code Dx provide the automation needed to scale security testing and identify and
conduct the most impactful security activities. This enables stakeholders across security and development to keep up with DevOps
pipelines, while still allowing granular control over each step of the process.
ASOC tools
References
1. Terry Ray, Billions of Compromised Records and Counting: Why the Application Layer is Still the Front Door for Data Breaches, Threatpost.com, June 8, 2021.
2. IBM.com, Cost of a Data Breach Report 2021, IBM, 2021.
3. Dave Gruber, Cracking the Code of DevSecOps, ESG, June 2021.
4. Ibid.
5. Ayal Tirosh, Hype Cycle for Application Security, 2017, Gartner, July 28, 2017.
For more information about the Synopsys Software Integrity Group, visit us online at www.synopsys.com/software.
Synopsys, Inc., 690 E Middlefield Road, Mountain View, CA 94043 USA
U.S. Sales: 800.873.8193 | International Sales: +1 415.321.5237 | Email: [email protected]
©2022 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at
www.synopsys.com/copyright.html. All other names mentioned herein are trademarks or registered trademarks of their respective owners. March 2022