The Polaris platform integrates the Synopsys Software Integrity portfolio into an easy-to-use solution so you can build secure, high-quality software faster.
By Neal Goldman and Utsav Sanghani
We’re excited to introduce the Polaris Software Integrity Platform™, which brings the power of Synopsys Software Integrity products and services together into an integrated solution that enables security and development teams to build secure, high-quality software faster. Read the press release.
Enterprise web application development has exploded as organizations across industries use software as the core infrastructure to run their business and handle sensitive information. These organizations have enjoyed the benefits of digital transformation. At the same time, their growing dependence on web applications, coupled with an increase in high-profile security breaches, has made the task of securing web applications a top priority.
For this reason, development and security teams have been tasked with identifying and removing exploitable software vulnerabilities in web applications without sacrificing software development velocity. These teams have come to rely on application security tools to help them find vulnerabilities in development and production. However, the varying technical configuration, learning curve, and user experience of each tool can add significant friction and complexity to the development workflow.
Polaris pairs security analysis on the developer’s desktop (through the Code Sight IDE plugin) with central analysis at the build server. Desktop analysis helps developers prevent security defects from entering the codebase, while central analysis helps ensure that any remaining defects are caught before the application goes to production. And because the same analysis engines run both on the developer’s desktop and at the central build, Polaris produces consistent results throughout the development pipeline.
Polaris enables teams to tailor their application security toolkit to their specific needs by integrating any combination of Synopsys products and services—Coverity static analysis, Black Duck software composition analysis, Seeker interactive application security testing, Defensics fuzzing, and Security Testing Services—into a single platform they can reconfigure and scale as their needs change.
The Polaris user interface unifies the operation of our market-leading solutions so teams can easily identify, prioritize, and remediate software vulnerabilities across their application portfolio.
Development and security managers can quickly initiate scans on the central server, analyze results, and coordinate remediation activities. Teams can filter and group security issues based on severity, compliance with security standards (such as OWASP Top 10 and CWE/SANS Top 25), CWE type, or technical risk—ensuring the most important problems are at the top of development’s queue. With results from the various Synopsys products and services aggregated into one dashboard, security managers can easily see each project’s status and manage projects based on an overall assessment of application security risk.
Additionally, Polaris reporting gives teams insight into issue trends over time, compliance with security standards, and the most critical security risks per application. And Polaris REST APIs allow teams to integrate Polaris analysis data into their existing reporting tools and dashboards.
As part of the Polaris platform, Code Sight puts the power of Synopsys security analysis tools, including the deep analysis capabilities of Coverity, in the hands of developers. The IDE plugin automatically performs just-in-time code scans in the background, without disrupting users, when a developer performs actions such as opening, editing, and saving a file. By integrating scanning early in the software development life cycle, Code Sight helps reduce the number of security and quality issues in the code before it is merged into a source repository.
When it finds an issue, Code Sight provides a detailed description of the issue, its category, related CWEs, its location in the code, and remediation guidance. Developers can also view the dataflow trace for each security issue, including the main event at which the defect is reported. This information helps them accurately understand the root cause of the problem. To avoid introducing similar defects in the future, developers can navigate to recommended eLearning courses based on the CWEs Code Sight identifies.
Code Sight is currently available for IntelliJ IDEA, Eclipse, and Visual Studio. Future releases will support additional IDEs.
The pace of software development is accelerating, and the task of ensuring that software isn’t vulnerable to cyber attacks is more complex than ever. The Synopsys portfolio of application security products and services combined with the Polaris platform helps developers keep pace while ensuring they create the most secure products possible.