Building security into DevOps has its challenges. Address them with a modern approach to AppSec using Intelligent Orchestration and Code Dx.
As a kid, I was fascinated by superheroes like Spider-Man and Superman, and now as an adult I enjoy watching Wonder Woman. There is something about these movies—all the superheroes are unseen and come to the rescue at the right time, and once they have helped, they just disappear without even taking any credit. It made me wonder: why can’t application security be invisible to an organization and especially to developers? Why should developers care what tools we run, how and where we run them, or how they’re configured?
Developers need a prioritized set of security test results and guidance on how to fix them. Synopsys Intelligent Orchestration, along with Code Dx, provide just that. Let’s get started and dig deep.
Organizations in all industries are adopting DevOps practices and automation tools as part of their software development life cycle (SDLC). At the same time, they’re placing increased importance on application security. There are numerous security activities (automated and manual) that discover software security defects—bugs and flaws—such as static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), manual penetration testing, and many more.
Organizations have been reporting challenges related to security tools for years. The “DevSecOps Realities and Opportunities” report, based on research conducted by 451 Research (commissioned by Synopsys), identified some of the biggest challenges to DevSecOps. The results are shown in Figure 1, below.
Figure 1: The biggest challenges to DevSecOps, according to the “DevSecOps Realities and Opportunities” report
Read more about these challenges in a blog post I wrote.
Intelligent Orchestration helps address these challenges. It provides organizations with the ability to:
Code Dx by Synopsys works with Intelligent Orchestration to give organizations the ability to:
When you use Intelligent Orchestration and Code Dx together, you truly have a security superhero that is a game changer.
Figure 2: High-level architecture diagram of the Intelligent Orchestration and Code Dx integration
Let’s look through the steps shown in Figure 2, above:
Now that you have a basic idea of how Intelligent Orchestration and Code Dx work together, let’s go through each of the challenges and see how these security superheroes can work together and help an organization.
Intelligent Orchestration completely abstracts how security tools are integrated and configured to run scans. Organizations can configure application-specific details that pipelines use to run SAST, SCA, or any AST or vulnerability scanning tools underneath. Intelligent Orchestration can seamlessly run Synopsys tools, open source tools, or commercial tools, as shown in Figures 3 and 4.
Figure 3: An example of Synopsys tools used in the Intelligent Orchestration pipeline
Figure 4: An example of open source tools used in the Intelligent Orchestration pipeline
And when it’s time to replace a tool or integrate a new tool, the changes required are minimal and have little or no impact on your developer pipeline.
The only thing needed to switch from one set of tools to another is a minor change within the Intelligent Orchestration manifest file, as shown in Figure 5.
Figure 5: Intelligent Orchestration manifest file showing the minor change in toolchain using Synopsys tools
Figure 6: Intelligent Orchestration manifest file showing the minor change in toolchain using open source tools
Code Dx is now able to consume all the results from all automated scans that run as part of the Intelligent Orchestration pipelines, as shown in Figure 7.
Figure 7: An example of Code Dx consuming all the results from Synopsys tools and open source tools
Intelligent Orchestration streamlines vulnerability remediation by standardizing, filtering, and prioritizing security analysis findings. It then delivers them directly to the developers within their existing development and bug-tracking tools, so they can address security defects without disrupting their normal workflows.
Based on criteria set for notifying the teams when specific issues are found (as shown in Figures 8 and 9), the Intelligent Orchestration pipeline can break or pause the builds, send notifications, or even create defect-tracking tickets.
Figure 8: An example demonstrating SCA findings
Figure 9: An example demonstrating SAST findings
Code Dx also allows users to query for specific vulnerabilities, as shown in Figures 10 and 11. And through its extensive APIs and integration with the Intelligent Orchestration pipeline, it can break or pause the build, send notifications, or create defect-tracking tickets.
Figure 10: An example of Code Dx filtering results based on findings found by two tools: Coverity and Seeker
Figure 11: An example of Code Dx drilling down to detection method, type of tool, and severity
Intelligent Orchestration is a dynamic security pipeline that isolates security testing from the developer toolchain with a dedicated CI pipeline that integrates easily with your development pipelines. It triggers the appropriate automated testing activities with the right tools, at the right time, with the right depth, and notifies the right resources.
Intelligent Orchestration can also determine which scan actions or manual testing is required, based on actual code changes, resultant risk score, and corporate policies. If the code changes are minor, such as changing the font using CSS in an HTML file, the resultant risk score would be low, so no security scan tools would need to run at all, as shown in Figure 13 Scanning would be disabled, saving valuable time and resources.
However, if the code change was major and critical in nature, such as changing an authentication API, this would result in a high risk score, and multiple security testing scans such as SAST, SCA, and DAST would be enabled, as shown in Figure 12. In addition, this would also trigger manual code review and manual penetration testing as required actions.
Figure 12: An example of major code changes, enabling all AST activities
It is well-known in the industry that developers are not often security experts, and security teams are often not experienced developers. When security teams are delegated to triage, they often lack a full understanding of the application. Security defects are often rejected by developers as false positives.
With Code Dx, the correlation engine can normalize and correlate findings from multiple tools, so it becomes easy for security teams to triage in one place rather than doing this work on multiple tools and technologies, as shown in Figure 14.
Figure 14: An example showing issue drilldown for only the findings that are marked as new
When we push everything found by security scanning tools, we also push away developers. With Intelligent Orchestration, developers are given prioritized vulnerabilities determined by their organization’s security policies to fix (e.g., only critical vulnerabilities or only critical SQLi vulnerabilities), so they aren’t overwhelmed by analysis results. Some figures above showed the build broken based on SCA and SAST findings.
Development teams can also specify that any time a developer pushes a code change, for example, GitHub Actions will run. Developers are provided with all the information they need to understand how to fix identified issues and later merge the fixed code into the main branch— detailed descriptions, actionable remediation advice, file changed, line number, and the commit ID.
For example, when a developer checks in source files, Synopsys Intelligent Security Scan knows to run static analysis and push just the results that the development team cares about.
Figure 15 shows static analysis resulting in a total of 24 issues. In Figure 16, the code scanning alerts in GitHub Actions list just the top 11 issues. Which issues are prioritized is configured by the organization based on the issues the team cares about.
Figure 15: Static analysis scan identifying 24 issues within the build
Figure 16: Code scanning alerts in GitHub Actions list only the 11 issues the team is concerned about
With Intelligent Orchestration, security teams can easily configure governance and compliance requirements. If an organization needs to perform manual penetration testing every 60 days, a manual code review will be triggered for every major release. All these policies can be configured as policy as code and enforced within the pipeline automatically, as shown in Figure 17.
Figure 17: The Intelligent Orchestration pipeline triggers a manual code review for a major release, based on policies configured by the DevSecOps team
With Code Dx, it is easy to implement security gates based on configurable failing criteria or Code Dx Risk Score, as shown in Figure 18. Teams can query the risk score through the extensive APIs it provides, and allow the Intelligent Orchestration pipeline to pause the build, as shown in Figure 19.
Figure 18: An example of a Code Dx Risk Score based on configurable failing criteria
Figure 19: Intelligent Orchestration pauses the build based on information provided from the Code Dx Risk Score
Figure 20 shows the reasons why I think these two solutions combined create security superheroes.
Figure 20: The benefits of combining Intelligent Orchestration and Code Dx
This is just the beginning of what these superheroes can do for enterprise application security. Try Intelligent Orchestration and Code Dx now and see for yourself.
Meera Rao (Subbarao) is a senior director for product management (DevOps solutions) at Synopsys. She has over 20 years of experience in software development organizations in a variety of roles including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analyses, secure design reviews, and threat modeling of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. She has developed multiple Synopsys training courses and is a certified instructor in architectural risk analysis, threat modeling, and more.