The 2019 Stevie® Awards have been announced. Two of our AppSec products made the final cut in the DevOps Solution category: Seeker and Black Duck OpsSight.
The Synopsys Software Integrity Group continued a winning streak last week with two new prizes—these from the 2019 American Business Awards.
The company’s Seeker® interactive application security testing (IAST) solution won a silver Stevie® Award, and Black Duck® OpsSight, which provides automatic open source vulnerability detection for container deployments, won a bronze. Both awards were in the DevOps Solution category.
These awards follow two major achievements in April, when Synopsys was recognized as a leader in The Forrester Wave™: Software Composition Analysis, Q2 2019, and placed at the top of the Gartner Magic Quadrant for Application Security Testing, based on ability to execute and completeness of vision.
The Stevie® Awards are named for the Greek word meaning “crowned.” The award ceremony will be at the Marriott Marquis Hotel in New York City on June 11. The DevOps Solution category recognizes outstanding individual application security testing (AST) tools.
Seeker IAST is designed to integrate seamlessly into CI/CD workflows. The solution closes a gap left by traditional static and dynamic security testing tools in the software development life cycle (SDLC), especially for teams adopting CI/CD and DevOps.
Anyone involved in the endless cat-and-mouse game between hackers and those trying to defend their organizations against cyber attacks knows that any undetected application security gap tips the balance in the wrong direction.
Kimm Yeo, senior product marketing manager at Synopsys, said that among the advantages of using Seeker is “the speed, accuracy, and scalability it brings to large enterprises with complex environments with hundreds of apps to secure and manage. Seeker integrates seamlessly in today’s modern but complex software ecosystem and complements both manual, functional test automation and CI/CD efforts.”
Asma Zubair, senior product management manager at Synopsys, added that many customers and prospects “have DevSecOps on their radar. They are aware of the need and are looking for solutions that integrate security testing in DevOps.”
She said Seeker practically eliminates false positives. “Sometimes real positives get lost and not acted on, just because of high false positives,” she said.
“IAST addresses that problem with automated, active verification. I have seen firsthand Seeker find critical vulnerabilities in applications that were being tested with traditional tools. Real vulnerabilities were either not reported, or they got lost in the loads of false positives.”
Noting Seeker’s capabilities as a tool for both security and development teams, one judge commented: “I am a big fan of any tool that [makes] software engineers’ jobs easier. This tool sits at the intersection between developer, release and security teams.” This collaboration between development and security is central to the design of both Seeker and the recently announced Polaris™ Software Integrity Platform.
Black Duck OpsSight is a part of Synopsys’ software composition analysis (SCA) solutions. Designed for the “Ops” portion of DevOps, it helps prevent known open source vulnerabilities from being deployed into production environments.
In particular, it helps organizations secure the development and delivery of software applications in containers by:
As one judge put it, “Open source security vulnerabilities are legendary; Black Duck OpsSight is their adversary.” Another called it a “useful and value-additive product in the world of containers.”
Neal Goldman, senior product management manager at Synopsys, said the award “validates what we’ve been saying about the importance of scanning all container layers for open source vulnerabilities—not just the code that the developers are writing.”
“People also need to scan containers for vulnerabilities that can be found in the operating systems and packages that get added to the container before it gets deployed,” he said.
“Likewise, it’s validating that it’s important to scan all your containers at run time, including those that you pull from other places like Docker Hub, so you capture all the vulnerabilities in your production systems, not just the ones that are coming from containers you created yourself.”