What AppSec tools are in your DevOps toolshed?

AppSec tools are essential to creating secure applications and preventing data breaches. But how do you integrate them effectively into your DevOps workflow?

To create enterprise apps that are secure before they hit the market, you need a whole garden shed of tools. You can’t tend a garden with a single bottle of pesticide. Likewise, there’s no such thing as an all-in-one testing tool that will magically yield secure software at the end of the software development life cycle (SDLC). Any vendor who promises otherwise is selling snake oil.

But now there’s something almost as good. It’s an all-in-one platform from Synopsys that integrates the multiple AppSec tools you need throughout the SDLC into one place, with a central server at the core.

The Polaris Software Integrity Platform™ addresses two major challenges in software development: It provides a seamless, cost-effective way for organizations to minimize risks from security defects in their software. And it does so without slowing them down.

In other words, it enables you to build secure, high-quality software faster.

Where AppSec tools fit into the DevOps workflow

The so-called AppSec toolbelt needed for secure software development is not something new. But the tools are constantly being improved. Synopsys has been building a complete suite of software testing tools over the past several years.

Tim Mackey, technical evangelist at Synopsys, noted in a talk at this year’s RSA Conference in San Francisco that there are “a lot of pieces to the puzzle.”

“Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers and preserves the teamwork, agility, and speed of DevOps and agile development environments,” he said.

He listed the DevOps processes that make use of those AppSec tools:

  • Development: coding in the integrated developer environment (IDE), risk assessment, threat modeling, lightweight static application security testing (SAST), and local unit tests
  • Build: SAST, software composition analysis (SCA), and unit tests
  • Testing: functional tests, load tests, performance tests, interactive application security testing (IAST), dynamic application security testing (DAST), and pen testing
  • Deploy: configuration tests, hardening tests
  • Production ops: network scanning, continuous monitoring
  • Feedback: threat intelligence, CVE reports, regulatory changes

Manage all your AppSec tools in a single toolshed

Polaris, which is cloud-based but can also be used on-premises, integrates many of those tools. It combines local analysis via the Synopsys Code Sight™ plugin, a central server armed with multiple analysis engines, and Synopsys Security Testing Services to show every type of risk identified across all your apps in a variety of ways, giving you a view of your application’s risk profile from every angle.

You could compare it to something much less technical—planning for your next garden. A variety of threats can weaken or destroy your harvest—weeds, insects, blight, marauding critters—and no single solution will curb them all. Insecticide won’t eliminate the weeds or prevent the blight. Fertilizer won’t wipe out the weevil.

No single solution will cure all the security ills in your garden of applications

To keep your garden green, you need to deploy a suite of coordinated measures throughout the growing season. In the same way, you need a series of coordinated AppSec tools throughout the “building” season—the SDLC—for your applications.

Get a centralized view of your whole risk landscape

The Polaris platform offers a consolidated view of risks. And the Code Sight plugin enables developers to detect and fix vulnerabilities earlier—in real time, as they’re coding. Between the two, you’ll find it much easier to keep your application garden free of bugs and vulnerabilities.
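The stage list above (SAST and SCA at build, DAST at testing, configuration tests at deploy) and the “consolidated view of risks” described here amount to one data-handling problem: take findings from several tools, collapse duplicates, summarize them per pipeline stage, and decide whether the build may proceed. The following Python script is an added illustration of that pattern, not Polaris code or any vendor’s export format; the finding fields, the sample findings and the gate policy are all constructed for the example.

```python
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample findings, as if exported by three tools at different
# pipeline stages. The field names are my own and not any vendor's format.
SAMPLE_FINDINGS = [
    {"tool": "sast", "stage": "build", "severity": "high",
     "rule": "sql-injection", "location": "app/db.py:42"},
    {"tool": "sast", "stage": "build", "severity": "high",
     "rule": "sql-injection", "location": "app/db.py:42"},   # exact duplicate
    {"tool": "sca", "stage": "build", "severity": "critical",
     "rule": "vulnerable-dependency", "location": "requirements.txt"},
    {"tool": "dast", "stage": "testing", "severity": "medium",
     "rule": "missing-security-headers", "location": "/login"},
    {"tool": "config-test", "stage": "deploy", "severity": "low",
     "rule": "debug-mode-enabled", "location": "deploy/app.yaml"},
]

# Hypothetical gate policy: the lowest severity that blocks the pipeline at
# each stage. A stage absent from the policy never blocks.
DEFAULT_POLICY = {"build": "high", "testing": "high", "deploy": "medium"}


def dedupe(findings):
    """Drop repeats of the same rule at the same location from the same tool,
    which is what happens when a tool runs twice or two scans overlap."""
    seen = set()
    unique = []
    for f in findings:
        key = (f["tool"], f["rule"], f["location"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def summarize(findings):
    """Consolidated view: {stage: {severity: count}} across every tool."""
    summary = {}
    for f in dedupe(findings):
        summary.setdefault(f["stage"], Counter())[f["severity"]] += 1
    return {stage: dict(counts) for stage, counts in summary.items()}


def gate(findings, policy=DEFAULT_POLICY):
    """Return (passed, blockers): blockers are the deduplicated findings at or
    above the policy threshold for their stage."""
    blockers = []
    for f in dedupe(findings):
        threshold = policy.get(f["stage"])
        if threshold is None:
            continue
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]:
            blockers.append(f)
    return (not blockers), blockers


if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS))
    passed, blockers = gate(SAMPLE_FINDINGS)
    print("pipeline passed:", passed)
    for b in blockers:
        print(f"  BLOCK [{b['stage']}/{b['tool']}] {b['severity']}: "
              f"{b['rule']} at {b['location']}")
```

With the sample data the build stage blocks on the SAST and SCA findings while the DAST and configuration findings are recorded but do not stop the pipeline; loosening the policy for one stage changes only that stage’s outcome, which is the point of keeping the threshold per stage rather than global.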

Andreas Kuhlmann, co-general manager at Synopsys, describes Polaris as “the platform tying the pieces together, providing a comprehensive view of the software security and quality landscape, delivering a central point of management, and creating a unified view of risk across our customers’ software portfolio.”

Or as Ravi Iyer, senior director, product management, at Synopsys, put it in a podcast with Paul Roberts, editor of the Security Ledger, Polaris allows the integration of “all these fragmented tools … into a single experience.”

Cultivate rich DevOps collaboration, not singular silos

The Polaris platform doesn’t just integrate separate AppSec tools into a unified experience. It also pulls together fragmented teams whose members have a wide range of skills and experience. In landscaping, the teams applying fertilizer and herbicides, for example, have to coordinate their schedules to work together effectively. Otherwise, you might be left with a lawn full of thriving weeds and dead grass. Similarly, the Polaris platform supports the multiple teams involved in DevOps workflows by keeping them all up to date on the state of your application security.

“Software used to get written in silos,” Iyer said, which means different teams focused on design, writing code, quality assurance, system integration, and deployment.

“There was always this big wall between deployment and management software versus the actual development of software,” he said.

Today, “these groups are working very tightly together, collaborating, literally sitting across from each other. This is not just the development and build side but also the side that is deploying and operationally running the software,” he said.

“The build and the operation are literally being fused into one, which means you need a platform that they can all work on simultaneously.”

Encourage continuous education with integrated eLearning

Yet another level of integration means that Polaris serves as a teacher as well as a toolshed for all your AppSec tools and services.

“Let’s say I’m writing code and don’t know what SQL injection is,” Iyer said.

“Code Sight will automatically identify it. It will provide me with suggestions on how to resolve it. If I don’t know what that problem is, I could quickly, in a micro, five-minute course, understand what SQL injection is and what are the better ways to solve that problem. That’s the level of integration that we have done on the eLearning side.”

Iyer calls it “the democratization of security. Security used to be managed by a single group that was like the gatekeeper of all applications that went out. That has proven not very effective. The burden of security is no longer just with that group. It is within the entire organization.”

Get an integrated AppSec solution that grows with you

The bottom line: To grow a successful garden, you need more than water and sunlight. You need a toolshed of solutions to detect and defeat the threats that could otherwise destroy it.

Plant the seeds for an integrated AppSec solution that grows with you

And when it comes to application security, Polaris brings together the entire toolshed of solutions you need. Start with one tool. Then add more AppSec tools and services as you need them. The whole time, you can continue using the same platform, with the same reports and integrations.

Polaris is easy to deploy and operate, offering short time to value and fast return on investment. Which, once again, means you can build secure, high-quality software faster. Our new Enterprise Application Security Buying Guide shows you how to build a powerful application security toolbelt.

Posted by

Taylor Armerding

Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.