Posted by Charlie Klein on March 5, 2019
How can development teams make SAST easier? By using a platform that’s fast, accurate, and flexible and integrates with the tools they already use.
Software developers are increasingly responsible for application security. Consequently, they need to find and fix software security issues early in the application development process. Static application security testing (SAST) is an essential tool to help them achieve this.
SAST tools can help teams produce better software. But they aren’t always easy or practical for time-crunched development teams to learn or use. Teams can’t use SAST solutions that delay release schedules or add friction and complexity to their existing processes.
To maintain development velocity, organizations need to make SAST easier. They need SAST solutions that are easy to deploy and operate. The Polaris Software Integrity Platform™ provides a software-as-a-service (SaaS) delivery model and a centralized web-based user interface for Coverity and other Synopsys application security products and services. As a result, customers can get up and running quickly and have a unified user experience when using multiple Synopsys solutions.
Coverity plugs into Polaris as an analysis engine that users can activate manually via the Polaris user interface (UI) or automatically via continuous integration (CI) tools. Onboarding new applications with Polaris is easy, so development teams can seamlessly scale their software security strategy depending on their changing needs.
Polaris provides security and development teams with a centralized web-based UI where they can manage deployments, initiate security scans, analyze results, and coordinate remediation. The interface also provides automated reporting that shows issues over time, coverage against the OWASP Top 10 and CWE/SANS Top 25, and the most critical security risks per application.
Teams can filter and group business-critical security issues by severity, by the security standard an issue maps to, by CWE type, or by technical risk, so that the most important problems sit at the top of development's queue. Managers can choose what to do with issues: automatically assign them to the developer responsible for the code, or manually triage groups of issues to specific developers.
Polaris makes it easier for teams to automate SAST with virtually any CI tool via a universal CI connector. This connector intelligently identifies the characteristics of the build environment, including programming languages and package managers. Then it automatically configures the appropriate integration. Thus, it’s easy for teams to add Coverity as a gate in their build pipelines. Doing so ensures that security defects are detected and flagged early and continuously as development progresses.
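What a SAST gate in a pipeline actually has to do is sketched in the added example below. It is illustrative Python, not Polaris, Coverity, or the universal CI connector; the flat JSON findings schema, the two sample scans, and the partial CWE-to-standard mapping are all constructed assumptions. It shows the triage logic from the previous paragraph (grouping and ranking by severity, CWE, and standard membership) together with the gate itself, which compares the current scan against a baseline and fails the build only on new issues at or above a chosen severity, so that pre-existing backlog does not block every commit.

```python
"""Triage SAST findings and gate a CI build on them (added example, not Polaris code).

Assumed flat JSON schema per finding: cwe, severity, file, function, line.
"""
import json
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Illustrative subset of the standards the page mentions (assumed, not the
# authoritative lists): CWE id -> OWASP Top 10 (2017) category, and CWE/SANS Top 25 ids.
OWASP_TOP10 = {
    "CWE-79": "A7:2017 Cross-Site Scripting",
    "CWE-89": "A1:2017 Injection",
    "CWE-798": "A2:2017 Broken Authentication",
}
CWE_SANS_TOP25 = {"CWE-79", "CWE-89", "CWE-120", "CWE-798"}

# Constructed sample output of two scans of the same project (baseline, then current).
PREVIOUS_SCAN = json.dumps([
    {"cwe": "CWE-79", "severity": "high", "file": "web/render.py", "function": "render_comment", "line": 40},
    {"cwe": "CWE-120", "severity": "medium", "file": "native/parse.c", "function": "parse_header", "line": 88},
])
CURRENT_SCAN = json.dumps([
    {"cwe": "CWE-79", "severity": "high", "file": "web/render.py", "function": "render_comment", "line": 44},
    {"cwe": "CWE-89", "severity": "critical", "file": "web/search.py", "function": "search_users", "line": 12},
    {"cwe": "CWE-798", "severity": "high", "file": "config/settings.py", "function": "load_config", "line": 3},
    {"cwe": "CWE-120", "severity": "medium", "file": "native/parse.c", "function": "parse_header", "line": 90},
    {"cwe": "CWE-20", "severity": "low", "file": "web/api.py", "function": "validate", "line": 7},
])


def fingerprint(finding):
    """Identity of a finding that survives unrelated edits shifting line numbers."""
    return (finding["cwe"], finding["file"], finding["function"])


def new_findings(current, previous):
    """Findings present in the current scan but absent from the baseline scan."""
    seen = {fingerprint(f) for f in previous}
    return [f for f in current if fingerprint(f) not in seen]


def standards(finding):
    """Tags naming which of the two standards a finding's CWE maps to."""
    tags = []
    if finding["cwe"] in OWASP_TOP10:
        tags.append("OWASP:" + OWASP_TOP10[finding["cwe"]])
    if finding["cwe"] in CWE_SANS_TOP25:
        tags.append("CWE/SANS-Top25")
    return tags


def prioritize(findings):
    """Severity first, then standard-mapped issues, then CWE and file for a stable order."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[f["severity"]], -len(standards(f)), f["cwe"], f["file"]),
    )


def group_by(findings, key):
    """Bucket findings by one attribute (e.g. 'cwe' or 'severity') for assignment."""
    groups = defaultdict(list)
    for f in findings:
        groups[f[key]].append(f)
    return dict(groups)


def gate(current_json, baseline_json, min_severity="high"):
    """Return (passed, blocking): blocking lists new issues at or above min_severity, prioritized."""
    current = json.loads(current_json)
    previous = json.loads(baseline_json)
    threshold = SEVERITY_RANK[min_severity]
    blocking = prioritize(
        f for f in new_findings(current, previous) if SEVERITY_RANK[f["severity"]] >= threshold
    )
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    passed, blocking = gate(CURRENT_SCAN, PREVIOUS_SCAN)
    for f in blocking:
        print(f"{f['severity']:8} {f['cwe']:8} {f['file']}:{f['line']} {f['function']} {standards(f)}")
    print(f"{len(blocking)} blocking issue(s) across {len(group_by(blocking, 'cwe'))} CWE(s)")
    raise SystemExit(0 if passed else 1)
```

Two choices matter in practice: the fingerprint deliberately excludes the line number, so an unrelated edit above a known issue does not resurface it as "new", and the gate decides on new issues only, leaving the existing backlog to the triage queue rather than blocking every build until it is cleared.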
As part of the Polaris platform, Code Sight™ is an integrated development environment (IDE) plugin that conducts fast, incremental source code analysis in the background automatically every time a developer saves a file. There’s no need for any manual effort to configure or initiate a scan. On issue discovery, Code Sight provides the location, CWE, category, severity, and remediation guidance for each issue. That way, developers don’t have to leave the IDE to understand how to fix security and quality issues. Code Sight also provides a complete dataflow trace of the problem and recommends eLearning courseware based on the CWE. This information helps developers understand the cause of each issue and avoid such issues in the future.
As teams build their code, they can automate a full Coverity analysis with the build and CI tools that they already use, like Jenkins and Travis CI. With these integrations, the Coverity analysis engine first generates a high-fidelity build capture. Then it runs a deep analysis that examines more dataflow paths more thoroughly than other SAST solutions, delivering complete and accurate results. To further improve performance, development teams can configure Coverity to perform high-fidelity incremental analysis. Incremental analysis scans only code that has been added, changed, or affected since the previous analysis.
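The word "affected" in incremental analysis is doing real work: a change to a low-level module invalidates the results for everything that depends on it, not just the edited file. The added example below illustrates that idea with a reverse-dependency closure over a constructed module graph. It is illustrative Python and does not describe how Coverity itself selects units for incremental analysis; the graph and file names are assumptions.

```python
"""Select the units an incremental scan must re-analyze (added illustration, not Coverity's algorithm).

Assumes a build-time dependency graph mapping each module to the modules it
imports or includes; the graph below is constructed sample data.
"""
from collections import defaultdict, deque

DEPENDENCIES = {
    "app/main.py": ["app/api.py", "app/auth.py"],
    "app/api.py": ["lib/db.py", "lib/validate.py"],
    "app/auth.py": ["lib/crypto.py", "lib/db.py"],
    "lib/db.py": ["lib/config.py"],
    "lib/validate.py": [],
    "lib/crypto.py": [],
    "lib/config.py": [],
    "tools/report.py": ["lib/config.py"],
}


def reverse_graph(deps):
    """Invert 'module -> its dependencies' into 'module -> modules that depend on it'."""
    dependents = defaultdict(set)
    for module, imports in deps.items():
        for imported in imports:
            dependents[imported].add(module)
    return dependents


def affected(deps, changed, added=()):
    """Changed and added files plus every module that transitively depends on a changed one."""
    dependents = reverse_graph(deps)
    to_scan = set(changed) | set(added)
    queue = deque(changed)
    while queue:
        module = queue.popleft()
        for dependent in dependents.get(module, ()):
            if dependent not in to_scan:
                to_scan.add(dependent)
                queue.append(dependent)
    return to_scan


def savings(deps, changed, added=()):
    """Fraction of the known modules an incremental scan skips for this change set."""
    total = len(set(deps) | set(added))
    return 1 - len(affected(deps, changed, added)) / total


if __name__ == "__main__":
    for change in (["lib/validate.py"], ["lib/config.py"]):
        print(change, "->", sorted(affected(DEPENDENCIES, change)), f"skips {savings(DEPENDENCIES, change):.0%}")
```

The two sample change sets show the practical caveat: editing a leaf module re-analyzes a handful of files, while editing a widely shared module such as `lib/config.py` pulls in most of the tree, so the speed-up from incremental analysis depends on where in the dependency graph a change lands.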
Most importantly, Polaris uses the same powerful Coverity analysis engine for all scans. By contrast, other solutions use a subset of rule checkers for local analysis and a more complete engine for centralized analysis. With Coverity on Polaris, teams can be confident that they will get consistent analysis results in both the IDE and the central build.
Coverity on Polaris provides a wide range of implementation options to make SAST easier. Teams can build their automated security strategy around their unique technical requirements, timelines, and personal preferences. This flexibility is critical for organizations working on multiple projects that may require varying technical or process requirements. By choosing from multiple software development life cycle (SDLC) integration points, scanning options, and deployment methods, development teams can fine-tune their approach to securing the SDLC on a per-project basis.