Want to know how to protect sensitive data? You need a solution to manage risk across your enterprise applications so you can secure them before they go live.
No organization wants its applications to contain vulnerabilities that enable the theft of its sensitive data. The potential for brand damage, legal liability, compliance sanctions, and loss of business could be crippling.
But no organization can spend all its time and money making its applications bulletproof either, just as no homeowner can stand guard at the front door 24/7.
What they can do is manage the risk by using the right tools at the right time. For homeowners, the right tool is a lock—or multiple locks or even a home security system, depending on the neighborhood. And the right time to lock the door is every time you close it.
For organizations that develop software to enable their business, the right tools are application security testing solutions. And the right time to use them is throughout the software development life cycle (SDLC). To manage risk, you need to build security into your enterprise apps before they go into production.
That can be daunting. An effective software security initiative requires multiple types of testing done with different tools at different times during the SDLC. But Synopsys is now out with a platform that helps to solve the challenges of both security and speed.
It’s called the Polaris Software Integrity Platform™. It provides the tools you need in one place, with a central server at the core, to create enterprise apps that are secure out of the gate.
Among those tools are Coverity, for static analysis; Seeker, for interactive application security testing; and Black Duck, for software composition analysis, which helps you manage open source code.
Just as important—it doesn’t slow you down. For Synopsys, helping organizations build secure, high-quality software faster is not just a slogan; it’s a mission.
Polaris helps you protect your sensitive data by showing you everything you need to know about your AppSec risk profile so you can fix vulnerabilities before your apps go to production.
Polaris is a cloud-based platform. But as Ravi Iyer, senior director, product management, at Synopsys, put it in a podcast with Paul Roberts, editor of the Security Ledger, while it is designed for the cloud, “it can also be run on-premises.”
“We recognize that not all our customers are in the cloud yet,” he said. “So Polaris is available in multiple deployment models. You can deploy it on-premises, you can run it on your own cloud offering, or if you want to consume it as a service from us where we run the cloud operation, we provide that as well.”
And instead of a different team having to perform AppSec testing as an extra step in the SDLC, Polaris integrates AppSec testing into CI/CD and DevOps workflows. Multiple integration options make it easy for users to protect sensitive data by rooting out vulnerabilities before their enterprise apps go live.
Andreas Kuehlmann, general manager of the Synopsys Software Integrity Group, said a core element of the Polaris central server is the Code Sight™ IDE plugin, which integrates into a developer’s coding workflow.
“The moment you save the file in the IDE, Coverity kicks off in the background and populates your screen with anything it finds,” he said. “So a developer can fix the majority of the defects earlier in the process when they are coding.”
What if the developer doesn’t know how to fix an issue? Code Sight can help with that too.
“Let’s say I’m writing code and don’t know what SQL injection is. Code Sight will automatically identify that I have written SQL injection code, and will provide me with suggestions on how to resolve it,” Iyer said.
“If I don’t know what SQL injection is, I could quickly, in a microcourse—a five-minute eLearning course—understand what it is and what are the better ways to solve that problem. That’s the level of integration that we have.”
That’s one of the ways Polaris helps protect sensitive data by improving both security and speed. The team doesn’t have to write the code, check it in, and build it to run security tests. They don’t have to get a report of results and then go back to the code to fix problems. Instead, developers get real-time assistance whenever they introduce a security issue into the code. It’s a bit like taking a test with a teacher looking over your shoulder, not only telling you which answers are wrong but also pointing you toward the right ones.
Besides that kind of real-time “coaching,” Polaris scales to cover all development teams and all applications.
“You could be a developer in a 200-person organization building a large application,” Iyer said. “You don’t want to be testing everybody’s code on your laptop. Once your piece is done, you want to test it, make sure you’ve written secure code, and then check it into the trunk.
“Then the security manager wants to assess the risk before releasing it into production with a central analysis on the entire application. That’s where Polaris comes in. Code Sight does microanalysis on individual developers’ stations, and central analysis is done for the entire application.”
In short, Polaris integrates with existing risk management infrastructure—there is no need to worry about missing something important.
Finally, Polaris will help you protect sensitive data by helping set priorities—in other words, managing risk.
Iyer said one of his customers has to oversee 400 applications. “There is no way to maintain any granular level with the problems of each of them,” he said. “Polaris has a reporting and a dashboard mechanism that allows the CISO to be able to say that ‘one is a mission-critical app, while vulnerabilities in another would cause less damage, so we can take a higher level of risk on that.’
“It helps you make decisions that are healthy for the organization.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.