In the Synopsys Software Integrity Group, we test all our products against one another—turning our security into a force multiplier for our customers’ security.
Here in the Synopsys Software Integrity Group R&D Department, we do a large amount of software testing to ensure the security and reliability of our products. Every person in the Software Integrity Group feels connected to this mission, and that gets baked into everything we do. We believe in our security testing products so much that we think they’re good enough to eat—meaning we eat our own duck food and use our own products in our testing life cycle.
Our risk-based approach considers every phase in the life cycle of our software so we can address security from every angle. Our tools offer advanced protection against vulnerabilities, and the products we ship are built with security in mind because we ourselves use the entire suite of Synopsys security tools and services on them.
One of the security activities that we take very seriously in the Software Integrity Group is verifying the security posture of the code that we didn’t write. We use Black Duck for software composition analysis (SCA) testing of all third-party libraries and open source software included in our products. By scanning our binaries and source code, we’re able to see the known security vulnerabilities in the current versions of these libraries, as well as the risk for potential license violations. From there, it’s just a matter of diligently making upgrades to these libraries using our vulnerability management process. We’re also able to systematically highlight and prioritize OSS code that will need to be phased out in future releases. Using Black Duck, we feel confident that we have all the information necessary to make informed risk decisions and stay one step ahead of the people who would try to break our products.
SCA is just one of many testing tools and services we use at Synopsys. Other tools and services include:
At Synopsys, security is central to everything we do. It’s our business philosophy, and it flows from our engineering and development culture into our core product and service offerings. Because of this, we can apply our own resources and experiences internally, turning our security into a force multiplier for our customers’ security.
Marisa Fagan is the product security lead for Synopsys Software Integrity Group. She works on empowering developers to build security into every phase of the SDLC. Previously, she worked as a security culture expert at places like Salesforce, Facebook, Bugcrowd, and Errata Security. She also builds communities in the information security industry around security research and vulnerability disclosures. She has shared her work in such forums as Black Hat, Security BSides, DEF CON, QCon, Summercon, and CactusCon.