The acquisition of WhiteHat Security, the leading DAST solution provider, is a step toward a more comprehensive, end-to-end portfolio for AppSec.
Today, Synopsys closed the acquisition of WhiteHat Security, an application security pioneer and market-segment leading provider of dynamic application security testing (DAST) solutions. Jason Schmitt, general manager of the Synopsys Software Integrity Group, provided some insights into how WhiteHat™ DAST will fit into the Synopsys portfolio in an earlier blog post. Today I would like to concentrate on what it means to our customers.
According to the Forrester report “The State of Application Security, 2022,” applications are the most common attack vector, with “web application exploits” the third-most-common attack. Accordingly, it is imperative that organizations test their running web applications in the same way that attackers probe them, to identify and eliminate vulnerabilities before they are discovered and exploited by outside agents.
DAST is certainly not a new technology, and Synopsys already offers DAST testing to our customers. But WhiteHat brings an entirely new dimension to our DAST capabilities. Specifically, it brings the ability to safely scan production applications without the need for a separate test environment. This ensures that what is exposed to hackers has been tested as deployed.
This is a critical capability, as the primary objective of DAST is to test running web applications for vulnerabilities such as SQL injection and cross-site scripting. These common vulnerabilities that are exploited in production applications do not exist in source code; they arise only once the application is deployed into production. This makes DAST an essential component of any application security testing program.
There is often confusion regarding the use of static application security testing (SAST) and software composition analysis (SCA) and the need for DAST. SAST and SCA test the application code and therefore discover a different set of vulnerabilities than DAST due to the fundamental differences in their approach. As such, most organizations utilize all three techniques at various points in the development process.
Historically, organizations have been reluctant to run DAST tests against production applications due to fears of data corruption from the DAST testing processes or impact to application performance. Instead, organizations often test the application in a production-like environment. But this opens the door for discrepancies between the testing environment and the production environment, which creates the potential for vulnerabilities to go undetected. The production testing capabilities of WhiteHat effectively eliminate these issues, empowering organizations to test their production systems.
WhiteHat DAST delivers the essential elements that make DAST testing an effective component of any testing regime.
Ten years ago, SAST and DAST were the primary testing methods. They were the non-negotiables that every organization used to test their software. The rapid growth of open source quickly elevated SCA into the conversation, and now SAST, DAST, and SCA make up the “big three.”
With the acquisition of WhiteHat, Synopsys now offers SAST, DAST, and SCA solutions that are considered market leaders in their respective categories. There are other vendors that offer all three, but often they concentrate on only one of the big three and offer the other two as a side dish. I would submit that Synopsys now offers SAST, DAST, and SCA as three main courses. And with the recent addition of Code Dx®, we provide a solution to aggregate, correlate, prioritize, and report on the findings from these solutions.
You can see why we at Synopsys are so excited to add WhiteHat DAST to our portfolio. WhiteHat DAST enables you to test applications at DevOps speed and enterprise scale, building trust into your entire software portfolio. WhiteHat DAST is production safe, so applications are tested in the same form that hackers approach them. The SaaS delivery and headless operation of WhiteHat DAST enables organizations to readily integrate DAST into their DevOps and application security testing processes. Remediation guidance ensures that prioritized findings can be addressed at the speed that business dictates.
Jason Schmitt is the general manager of the Software Integrity Group at Synopsys. He is a seasoned leader with a proven track record of deep technical knowledge, product development, insight into emerging and rapidly changing cybersecurity challenges, and go-to-market strategy and implementation. He brings more than 20 years of experience in security and enterprise product development and management. Prior to Synopsys, Jason served as the CEO of cloud security startup Aporeto, and vice president and general manager of Fortify and ArcSight at Hewlett Packard. Jason is a Louisiana native, who completed his bachelor's degree in Mechanical Engineering and master's degree in Computer Science at the Georgia Institute of Technology, and his MBA at Georgia State University’s J. Mack Robinson College of Business.