At Synopsys, we have the privilege of working with customers of all sizes across a broad range of industries. Some of these customers release software once a year, some once a quarter, and others once a day. However, the customers that have really pushed us to innovate in our product development are those that release, and perform SCA scans on, hundreds or thousands of applications a day.
To support these use cases, and to help DevOps teams become DevSecOps teams, Black Duck has always fit into the development life cycle through integrations with the tooling used for development, builds, issue tracking, artifact storage, and so on. Just last year, Black Duck introduced significant enhancements to scan speed so that security scanning need not become the bottleneck in the release process. In this latest release, Black Duck adds the ability for teams to visualize their scanning volume throughout the day.
Let’s say a company has a thousand SaaS applications in its portfolio, which, with the explosive adoption of microservices, is not all that uncommon. To stay on top of dependency upgrades, security patches, performance improvements, and bug fixes, this company releases several new versions of most of these applications every day. Even on a slow day, that means completing an SCA scan for each build and/or deployed artifact several hundred times. At this release velocity, any process, security included, can become the bottleneck that slows everything else down.
To help mitigate this type of problem, Black Duck’s scan volume heatmap gives teams a literal picture of where SCA scans could bog down their release process (see Figure 4). If scan volume is extremely heavy one hour and very light the next, teams can reconfigure their pipelines to spread the load and avoid slowdowns. Teams can also use the heatmap simply as an indication that additional scanning instances are needed. Either way, software companies are moving at speeds never seen before, and Synopsys is determined not to let them leave security behind.
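The two decisions the heatmap is meant to support, staggering pipelines away from congested hours and sizing scanner capacity, can be illustrated with a small script. The following is an added example and is not Black Duck code or a Black Duck API; it bins a constructed week of scan-start timestamps (a nightly scheduled rebuild plus an end-of-day merge rush, both invented for illustration) into a weekday-by-hour grid, renders that grid as a text heatmap, flags cells that are far above the average non-idle hour, and estimates how many scanner instances the peak hour would need for an assumed per-instance throughput.

```python
"""Weekday-by-hour scan volume heatmap from SCA scan-start timestamps.

Added example, not Black Duck code. The sample data below is constructed so the
script runs offline; real input would be scan-start times pulled from CI logs.
"""
import math
from datetime import datetime, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
SHADES = " .:-=+*#%@"  # light to heavy load


def build_sample_scans():
    """Constructed sample: one week of scan-start times (local time).

    Every day: one background scan every 20 minutes from 08:00 to 17:40.
    Mon-Fri additionally: a scheduled rebuild of 40 services at 02:00 and a
    post-merge rush of 25 scans starting at 17:00.
    """
    scans = []
    week_start = datetime(2024, 1, 1)  # a Monday
    for day in range(7):
        base = week_start + timedelta(days=day)
        for i in range(30):
            scans.append(base + timedelta(hours=8, minutes=20 * i))
        if day < 5:
            for i in range(40):
                scans.append(base + timedelta(hours=2, seconds=i))
            for i in range(25):
                scans.append(base + timedelta(hours=17, minutes=i))
    return scans


def hourly_heatmap(scans):
    """Return a 7x24 grid: grid[weekday][hour] = number of scans started."""
    grid = [[0] * 24 for _ in range(7)]
    for ts in scans:
        grid[ts.weekday()][ts.hour] += 1
    return grid


def render(grid):
    """Return the heatmap as text lines: an hour ruler plus one row per weekday."""
    peak = max(max(row) for row in grid) or 1
    lines = ["    " + "".join(str(h % 10) for h in range(24))]
    for name, row in zip(WEEKDAYS, grid):
        # Scale each cell to the shade ramp relative to the busiest cell.
        cells = "".join(SHADES[(c * (len(SHADES) - 1)) // peak] for c in row)
        lines.append(f"{name} {cells}")
    return lines


def hot_cells(grid, factor=3.0):
    """Cells whose count is at least `factor` times the mean non-idle cell.

    Idle (zero) cells are excluded from the mean so that a shop that only
    scans during office hours is compared against its own working hours.
    Returns (weekday_index, hour, count) tuples.
    """
    counts = [c for row in grid for c in row if c]
    if not counts:
        return []
    threshold = factor * (sum(counts) / len(counts))
    return [(d, h, grid[d][h]) for d in range(7) for h in range(24)
            if grid[d][h] >= threshold]


def instances_needed(grid, scans_per_instance_hour):
    """Instances required to absorb the single busiest hour without queuing.

    `scans_per_instance_hour` is an assumed throughput figure, not a Black
    Duck specification; measure it for your own deployment.
    """
    peak = max(max(row) for row in grid)
    return math.ceil(peak / scans_per_instance_hour)


if __name__ == "__main__":
    grid = hourly_heatmap(build_sample_scans())
    print("\n".join(render(grid)))
    for d, h, c in hot_cells(grid):
        print(f"hot: {WEEKDAYS[d]} {h:02d}:00  {c} scans")
    print("instances for peak hour at 15 scans/instance/hour:",
          instances_needed(grid, 15))
```

On the constructed week the two flagged hours are the 02:00 scheduled rebuild and the 17:00 merge rush on Monday through Friday; moving the nightly rebuild to an hour the rest of the grid shows idle, or spreading it over two hours, is the kind of pipeline reconfiguration the heatmap is meant to prompt, while the instance estimate answers the "do we simply need more scanners" question for the same data.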