Eating our own duck food: Software composition analysis in the Synopsys SDLC

Posted by Marisa Fagan on Wednesday, December 12, 2018

In the Synopsys Software Integrity Group, we test all our products against one another—turning our security into a force multiplier for our customers’ security.

Here in the Synopsys Software Integrity Group R&D Department, we do a large amount of software testing to ensure the security and reliability of our products. Every person in the Software Integrity Group feels connected to this mission, and that gets baked into everything we do. We believe in our security testing products so much that we think they’re good enough to eat—meaning we eat our own duck food and use our own products in our testing life cycle.

Our risk-based approach considers every phase in the life cycle of our software so we can address security from every angle. Our innovative tools offer advanced protection against vulnerabilities, and we provide these products built with security in mind because we use the entire suite of Synopsys security tools and services.

How we use Black Duck software composition analysis

One of the security activities that we take very seriously in the Software Integrity Group is verifying the security posture of the code that we didn’t write. We use Black Duck for software composition analysis (SCA) testing of all third-party libraries and open source software included in our products. By scanning our binaries and source code, we’re able to see the known security vulnerabilities in the current versions of these libraries, as well as the risk for potential license violations. From there, it’s just a matter of diligently making upgrades to these libraries using our vulnerability management process. We’re also able to systematically highlight and prioritize OSS code that will need to be phased out in future releases. Using Black Duck, we feel confident that we have all the information necessary to make informed risk decisions and stay one step ahead of the people who would try to break our products.

How we use our other offerings

SCA is just one of many testing tools and services we use at Synopsys. Other tools and services include:

Product-on-product (PoP) testing. Whenever feasible, Synopsys Software Integrity products are run against one another to identify new security vulnerabilities. This ongoing effort has been in place for many years and continually expands as we build and acquire new products.
- We use our Coverity static application security testing tool on our developers’ desktops via an IDE plugin and as a quality gate in our centralized build systems.
- We also use Defensics fuzz testing and Seeker interactive application security testing PoP tools when possible.
Internal security assessments. As part of the development of new applications and major new features for existing applications, we use our own consulting services team to conduct in-depth assessments, which typically combine penetration tests, code reviews, architectural risk assessments, and other tests.
Third-party security assessments. When the need arises, Synopsys Software Integrity Group contracts with third-party vendors to perform in-depth assessments on applications.

At Synopsys, security is central to everything we do. It’s our business philosophy, and it flows from our engineering and development culture into our core product and service offerings. Because of this, we can apply our own resources and experiences internally, turning our security into a force multiplier for our customers’ security.