
Scalable SAST and SCA in a single solution with Polaris fAST services

Patrick Carey

Nov 08, 2022 / 5 min read

Fast. These days, it can be hard for us to agree on much of anything. But one thing that seems to unite us all is that when we want something, we want it now. And we need it fast.

Fast is definitely top-of-mind for anybody producing software. Delivery schedules are constantly being compressed, so anything that reduces the time for developer tasks is a good thing. But in software development, fast isn’t simply about the speed at which a particular function is performed. It’s also about

  • Simplicity. Developers are awash in complexity due to the sophistication of the software they are building, as well as the increasingly complicated and varied toolchains they work with. They need tools that simplify their work and minimize time lost due to context switching.
  • Scalability. Organizations are building a lot more software than they were even a few years ago. It’s not uncommon for teams to be managing hundreds or even thousands of concurrent development projects. It’s important for teams to have tools that can handle the volume of applications and releases they manage.
  • Power. They say nothing kills productivity more than rework. It doesn’t matter how fast you did something the first time if you have to go back and do it a second time. So although teams want tools that are fast and easy to use, they still need them to be powerful enough to do their job effectively the first time, to avoid rework.

For development teams, fast translates into simplicity, scalability, and power, as well as speed.

Introducing Polaris fAST services

With these needs in mind, today we are announcing the general availability of two new SaaS offerings, Polaris fAST Static and fAST SCA. Polaris fAST (fast application security testing) services are built on the same powerful analysis engines at the core of our market-leading products, integrated and delivered from the cloud via the latest version of our Polaris Software Integrity Platform®.


Many teams have transitioned to cloud-based solutions for their development toolchains, from source code management, to build and integration, to packaging and delivery. The benefits of cloud-based solutions are well-known – lower costs, greater agility, and improved ease-of-use.

While these teams may also want to realize these same benefits for their AST tools, until now, most cloud-based AST platforms have required them to compromise on one or more of their core requirements. A platform that is easy to use might not offer sufficient power and capabilities to effectively identify security issues in complex applications. One that offers speed at small scale may not have the ability to grow to enterprise scale. And often, teams find that most cloud-based AST platforms are strong in static application security testing (SAST) but weaker in software composition analysis (SCA), or vice versa.

No need to compromise with Polaris

Our goal with Polaris is to provide teams with a no-compromise SaaS AST solution, and these new Polaris fAST services deliver on that goal. Polaris fAST Static uses the same fast and accurate analysis engines as Synopsys Coverity® SAST, the market-leader in SAST, which provide broad language support and fast incremental analysis that has been proven at scale in the world’s largest software development projects. Polaris fAST SCA helps teams stay ahead of their software supply chain risks by providing the same comprehensive open source knowledgebase and Black Duck® Security Advisories used in our market-leading SCA solution Black Duck.

With Polaris, teams don’t have to choose between a SAST tool that is fast, scalable, and covers the variety of languages and frameworks they use, and an SCA tool that gives them an accurate view of their open source risks with security advisories that are more timely, accurate, and actionable than the National Vulnerability Database (NVD). They get both. And they get them in a unified SaaS platform that is both easy for their team to use today and can scale to whatever capacity they need in the future.

Automate security testing and policy enforcement with Polaris DevOps integrations

Integration and automation define modern software development. Developer actions in the IDE, source code manager (SCM), and bug-tracking system trigger build, test, package, and deploy activities automated by their continuous integration (CI) system. Any tool that doesn’t fit seamlessly into this DevSecOps ecosystem creates friction, which can result in teams missing deadlines or skipping tests to keep on schedule.

Polaris offers DevOps integrations that enable teams to automate security testing with their existing workflows and tools. You can schedule recurring security scans that automatically pull code from a GitHub or GitLab repo for analysis. Or you can trigger scans based on events in Jenkins CI workflows. Teams can also upload code directly through the Polaris UI for ad hoc tests.

Polaris also streamlines vulnerability triage and remediation workflows by providing policies that can automatically notify teams or “break the build.” And Jira integration makes it easy to assign issues to developers for remediation.

Analyze security issues and trends across teams, applications, and scan types

Development teams carry the bulk of the responsibility for application security testing, triage, and vulnerability remediation, but the responsibility for overall AppSec program coverage and success generally falls to security teams, especially in midsize to large organizations. Polaris helps these teams monitor and manage testing across their organization with built-in reports and dashboards, giving them insights into

  • Vulnerability trends. Teams can identify AppSec hotspots in their portfolio with views that show vulnerability severity and type information across applications, projects, and test types.
  • Test status and performance. Teams get a real-time view of current and previous tests across applications, projects, and teams.
  • Admin changes. Admins can track configuration changes to ensure integrity of their test environments and assist with troubleshooting.

Optimize security testing with the help of Polaris value-added services

As an easy-to-use SaaS platform, Polaris is ideal for smaller organizations and teams that may have few, if any, experienced application security analysts on staff. To help these teams get the most out of Polaris and keep things running smoothly, Synopsys offers a number of value-added services. These include

  • Onboarding and adoption services, which help teams bring new applications and team members onto the platform quickly
  • Triage services to help tune and remove noise from scan results
  • Troubleshooting services that provide automatic monitoring and fixing of interrupted scans

So even if your team is small, our team has you covered.

Ready to learn more? Take a tour of Polaris with our team

Polaris and the Polaris fAST services are constantly improving. We’ll be adding new fAST services to the platform in the months to come, as well as advanced policy management, enhanced vulnerability prioritization, expanded integrations, and improved dashboarding and reporting capabilities.

With all these changes the best way to learn more about Polaris is to see it for yourself. Click the button below to schedule a time for a live demo.
