When it comes to implementing ASCDPM standards, we can provide the tools for software composition analysis (SCA), static application security testing (SAST), and dynamic application security testing (DAST). With Black Duck coverage for SCA, Coverity for SAST, and WhiteHat™ Dynamic for DAST, Synopsys has a suite of tools to make sure you’re covered for nearly all CWEs included in the standard.
Black Duck’s SCA performs multifactor open source detection to give you complete visibility into the software components of any application or container. Coverity SAST examines source code to find software flaws and weaknesses, while DAST scans web applications from the outside to look for security vulnerabilities such as cross-site scripting, SQL injection, and command injection. SCA, SAST, and DAST are complementary yet different testing approaches that find different types of vulnerabilities.
Black Duck’s discovery technology lets you compile a complete software Bill of Materials (SBOM) of the open source, third-party, and proprietary software components used to build applications and containers. As part of this compilation, Black Duck can also alert you if the code in your SBOM contains vulnerabilities listed in the ASCDPM.
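To make the SBOM-to-vulnerability step concrete, here is a small added example (not Black Duck or Synopsys code) that reads a minimal CycloneDX-style SBOM, matches each component against a list of advisories by version range, and then keeps only the findings whose CWE is on the standard's list. The SBOM fragment, the advisory entries, the package names and version numbers, and the three-entry stand-in for the ASCDPM CWE list are all constructed for illustration; the real ASCDPM list is far longer and is not reproduced here.

```python
"""Toy SBOM-against-advisory matcher (added example; not Black Duck/Synopsys code).

Every input below is constructed: the CycloneDX-style SBOM fragment, the
advisory list, and the small CWE set standing in for the ASCDPM CWE list.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed CycloneDX-style SBOM fragment (only the fields this example needs).
SAMPLE_SBOM: Dict = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "example-web", "version": "2.3.1", "purl": "pkg:pypi/example-web@2.3.1"},
        {"name": "example-db", "version": "0.9.0", "purl": "pkg:pypi/example-db@0.9.0"},
        {"name": "example-util", "version": "5.0.2", "purl": "pkg:pypi/example-util@5.0.2"},
    ],
}

# Constructed advisories: affected package, half-open version range
# [introduced, fixed), and the CWE the weakness is classified under.
SAMPLE_ADVISORIES: List[Dict] = [
    {"id": "ADV-0001 (constructed)", "name": "example-web", "introduced": "2.0.0", "fixed": "2.4.0", "cwe": "CWE-79"},
    {"id": "ADV-0002 (constructed)", "name": "example-db", "introduced": "0.1.0", "fixed": "1.0.0", "cwe": "CWE-89"},
    {"id": "ADV-0003 (constructed)", "name": "example-util", "introduced": "4.0.0", "fixed": "5.0.0", "cwe": "CWE-78"},
    {"id": "ADV-0004 (constructed)", "name": "example-util", "introduced": "5.0.0", "fixed": "6.0.0", "cwe": "CWE-400"},
]

# Stand-in for the ASCDPM CWE list (constructed subset): the page names XSS,
# SQL injection and command injection, which map to CWE-79, CWE-89 and CWE-78.
ASCDPM_CWES: Set[str] = {"CWE-79", "CWE-89", "CWE-78"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' (or '2.3.1-beta') into a comparable tuple of ints."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the usual advisory convention)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(sbom: Dict, advisories: Iterable[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) pair whose version is affected."""
    findings = []
    for component in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] != component["name"]:
                continue
            if in_range(component["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": component["name"],
                    "version": component["version"],
                    "advisory": adv["id"],
                    "cwe": adv["cwe"],
                })
    return findings


def filter_to_standard(findings: Iterable[Dict], standard_cwes: Set[str]) -> List[Dict]:
    """Keep only findings whose CWE appears on the standard's list."""
    return [f for f in findings if f["cwe"] in standard_cwes]


if __name__ == "__main__":
    all_findings = match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    flagged = filter_to_standard(all_findings, ASCDPM_CWES)
    print(f"{len(all_findings)} advisory matches, {len(flagged)} on the standard's CWE list:")
    for f in flagged:
        print(f"  {f['component']}@{f['version']}: {f['advisory']} -> {f['cwe']}")
```

The version comparison is deliberately simple (dotted integers with any suffix ignored); real SCA tools use ecosystem-specific version semantics, and that difference is where false negatives most often come from. Note that example-util produces a match (CWE-400) that the standard filter drops: the SBOM scan reports all known advisories, and the ASCDPM mapping is a view over those results, not a substitute for them.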
Coverity provides a fast, accurate, and highly scalable SAST solution that helps your development and security teams address quality and security early in the SDLC. This allows organizations to track and manage risks across their application portfolio, including those covered by the ASCDPM standard. Coverity also works with the Code Sight IDE plugin to deliver results right to developers so they can find and fix security and quality defects as they write code. Code Sight provides fast and accurate incremental analysis that gives developers real-time results, including CWE information, remediation guidance, and relevant security training, directly within the IDE. Coverity currently covers the nearly 90 CWEs listed by the ASCDPM, with the exception of CWE-1051 and CWE-1058.
WhiteHat DAST allows you to safely scan applications in production without the need for a separate test environment. This ensures that you are testing exactly the same surface as the one exposed to hackers. WhiteHat also offers continuous scanning that detects and adapts to code changes, ensuring that new functionality is automatically tested, as well as personalized remediation guidance from a team of application security experts. This delivers a prioritized list of vulnerabilities, including many referenced in the ASCDPM, and the guidance to fix them.
While the ASCDPM is primarily designed as a source code analysis standard, it’s important to also test your applications at the interface the running implementation exposes. WhiteHat provides detection coverage in dynamically testable areas and is an important security augmentation to the SAST testing you’re already doing. And since WhiteHat DAST is language agnostic, there are no limitations when it comes to language support.
As the pace of digital transformation increases, so, too, do the attack surfaces that hackers can exploit. Standards like the ASCDPM are yet another tool that organizations can employ to ensure that they are protecting their data and the data of their customers. Data breaches are expensive not only in money but in development time and reputational damage. Synopsys can help ensure you’re implementing the ASCDPM across SCA, SAST, and DAST with Black Duck, Coverity, and WhiteHat. By building security into your software as quickly as you code it, you’re protecting your bottom line by building trust in your software – all at the speed your business demands.