How can development teams make SAST easier? By using a platform that’s fast, accurate, and flexible and integrates with the tools they already use.
Software developers are increasingly responsible for application security. Consequently, they need to find and fix software security issues early in the application development process. Static application security testing (SAST) is an essential tool to help them achieve this.
SAST tools can help teams produce better software. But they aren’t always easy or practical for time-crunched development teams to learn or use. Teams can’t use SAST solutions that delay release schedules or add friction and complexity to their existing processes.
To maintain development velocity, organizations need to make SAST easier. They need SAST solutions that are easy to deploy and operate. The Polaris Software Integrity Platform™ provides a software-as-a-service (SaaS) delivery model and a centralized web-based user interface for Coverity and other Synopsys application security products and services. As a result, customers can get up and running quickly and have a unified user experience when using multiple Synopsys solutions.
Coverity plugs into Polaris as an analysis engine that users can activate manually via the Polaris user interface (UI) or automatically via continuous integration (CI) tools. Onboarding new applications with Polaris is easy, so development teams can seamlessly scale their software security strategy depending on their changing needs.
Polaris provides security and development teams a centralized web-based UI. Here they can manage deployments, initiate security scans, analyze results, and coordinate remediation activities. The interface also provides automated reporting to show issues over time, compliance with OWASP Top 10 and CWE/SANS Top 25, and the most critical security risks per application.
Teams can filter and group business-critical security issues based on severity, compliance with security standards, CWE type, or technical risk. Doing so ensure that the most important problems are at the top of development’s queue. Managers can choose what to do with issues: automatically assign them to the developer responsible or manually triage groups of issues to specific developers.
Polaris makes it easier for teams to automate SAST with virtually any CI tool via a universal CI connector. This connector intelligently identifies the characteristics of the build environment, including programming languages and package managers. Then it automatically configures the appropriate integration. Thus, it’s easy for teams to add Coverity as a gate in their build pipelines. Doing so ensures that security defects are detected and flagged early and continuously as development progresses.
As part of the Polaris platform, Code Sight™ is an integrated development environment (IDE) plugin that conducts fast, incremental source code analysis in the background automatically every time a developer saves a file. There’s no need for any manual effort to configure or initiate a scan. On issue discovery, Code Sight provides the location, CWE, category, severity, and remediation guidance for each issue. That way, developers don’t have to leave the IDE to understand how to fix security and quality issues. Code Sight also provides a complete dataflow trace of the problem and recommends eLearning courseware based on the CWE. This information helps developers understand the cause of each issue and avoid such issues in the future.
As teams build their code, they can automate a full Coverity analysis with the build and CI tools that they already use, like Jenkins and Travis CI. With these integrations, the Coverity analysis engine first generates a high-fidelity build capture. Then it runs a deep analysis that examines more dataflow paths more thoroughly than other SAST solutions, delivering complete and accurate results. To further improve performance, development teams can configure Coverity to perform high-fidelity incremental analysis. Incremental analysis scans only code that has been added, changed, or affected since the previous analysis.
Most importantly, Polaris uses the same powerful Coverity analysis engine for all scans. By contrast, other solutions use a subset of rule checkers for local analysis and a more complete engine for centralized analysis. With Coverity on Polaris, teams can be confident that they will get consistent analysis results in both the IDE and the central build.
Coverity on Polaris provides a wide range of implementation options to make SAST easier. Teams can build their automated security strategy around their unique technical requirements, timelines, and personal preferences. This flexibility is critical for organizations working on multiple projects that may require varying technical or process requirements. By choosing from multiple software development life cycle (SDLC) integration points, scanning options, and deployment methods, development teams can fine-tune their approach to securing the SDLC on a per-project basis.
As a Product Marketing/Business Rotational Program Associate at Synopsys, Charlie will rotate through the sales, marketing, sales operations, and finance departments four months at a time. He joined Black Duck Software in July, before Black Duck Software was acquired by Synopsys. During his time in sales and marketing, Charlie has researched and learned about the importance of open source risk management—especially pertaining to container security and secure DevOps practices. While in marketing, Charlie has been helping with the launch of OpsSight, a product designed for IT Operations and Infrastructure teams hoping to automate security practices in the production environment. He holds a B.A. in Political Economy from Bates College.