AppSec tools are essential to creating secure applications and preventing data breaches. But how do you integrate them effectively into your DevOps workflow?
To create enterprise apps that are secure before they hit the market, you need a whole garden shed of tools. You can’t tend a garden with a single bottle of pesticide. Likewise, there’s no such thing as an all-in-one testing tool that will magically yield secure software at the end of the software development life cycle (SDLC). Any vendor who promises otherwise is selling snake oil.
But now there’s something almost as good. It’s an all-in-one platform from Synopsys that integrates the multiple AppSec tools you need throughout the SDLC into one place, with a central server at the core.
The Polaris Software Integrity Platform™ addresses two major challenges in software development: It provides a seamless, cost-effective way for organizations to minimize risks from security defects in their software. And it does so without slowing them down.
In other words, it enables you to build secure, high-quality software faster.
The so-called AppSec toolbelt needed for secure software development is not something new. But the tools are constantly being improved. Synopsys has been building a complete suite of software testing tools over the past several years.
Tim Mackey, technical evangelist at Synopsys, noted in a talk at this year’s RSA Conference in San Francisco that there are “a lot of pieces to the puzzle.”
“Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers and preserves the teamwork, agility, and speed of DevOps and agile development environments,” he said.
He listed the DevOps processes that make use of those AppSec tools:
Polaris, which is cloud based but can be used on-premises as well, integrates many of those tools. It combines local analysis via the Synopsys Code Sight™ plugin, a central server armed with multiple analysis engines, and Synopsys Security Testing Services to show all types of risks identified in all your apps in a variety of ways, giving you a view of your application’s risk profile from every angle.
You could compare it to something much less technical—planning for your next garden. A variety of threats can weaken or destroy your harvest—weeds, insects, blight, marauding critters—and no single solution will curb them all. Insecticide won’t eliminate the weeds or prevent the blight. Fertilizer won’t wipe out the weevil.
To keep your garden green, you need to deploy a suite of coordinated measures throughout the growing season. In the same way, you need a series of coordinated AppSec tools throughout the “building” season—the SDLC—for your applications.
The Polaris platform offers a consolidated view of risks. And the Code Sight plugin enables developers to detect and fix vulnerabilities earlier—in real time as they’re coding. Between the two, you’ll find it much easier to keep your application garden free of bugs and vulnerabilities.
Andreas Kuhlmann, co-general manager at Synopsys, describes Polaris as “the platform tying the pieces together, providing a comprehensive view of the software security and quality landscape, delivering a central point of management, and creating a unified view of risk across our customers’ software portfolio.”
Or as Ravi Iyer, senior director, product management, at Synopsys, put it in a podcast with Paul Roberts, editor of the Security Ledger, Polaris allows the integration of “all these fragmented tools … into a single experience.”
The Polaris platform doesn’t just integrate separate AppSec tools into a unified experience. It also pulls together fragmented teams whose members have a wide range of skills and experience. In landscaping, the teams applying fertilizer and herbicides, for example, have to coordinate their schedules to work together effectively. Otherwise, you might be left with a lawn full of thriving weeds and dead grass. Similarly, the Polaris platform supports the multiple teams involved in DevOps workflows by keeping them all up to date on the state of your application security.
“Software used to get written in silos,” Iyer said, which means different teams focused on design, writing code, quality assurance, system integration, and deployment.
“There was always this big wall between deployment and management software versus the actual development of software,” he said.
Today, “these groups are working very tightly together, collaborating, literally sitting across from each other. This is not just the development and build side but also the side that is deploying and operationally running the software,” he said.
“The build and the operation are literally being fused into one, which means you need a platform that they can all work on simultaneously.”
Yet another level of integration means that Polaris serves as a teacher as well as a toolshed for all your AppSec tools and services.
“Let’s say I’m writing code and don’t know what SQL injection is,” Iyer said.
“Code Sight will automatically identify it. It will provide me with suggestions on how to resolve it. If I don’t know what that problem is, I could quickly, in a micro, five-minute course, understand what SQL injection is and what are the better ways to solve that problem. That’s the level of integration that we have done on the eLearning side.”
Iyer calls it “the democratization of security. Security used to be managed by a single group that was like the gatekeeper of all applications that went out. That has proven not very effective. The burden of security is no longer just with that group. It is within the entire organization.”
The bottom line: To grow a successful garden, you need more than water and sunlight. You need a toolshed of solutions to detect and defeat the threats that could otherwise destroy it.
And when it comes to application security, Polaris brings together the entire toolshed of solutions you need. Start with one tool. Then add more AppSec tools and services as you need them. The whole time, you can continue using the same platform, with the same reports and integrations.
Polaris is easy to deploy and operate, offering short time to value and fast return on investment. Which, once again, means you can build secure, high-quality software faster. Our new Enterprise Application Security Buying Guide shows you how to build a powerful application security toolbelt.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.