Forrester recognizes Synopsys as a Leader in static application security testing

Find and fix defects early in the SDLC when they’re easiest to resolve

The Forrester report noted that “Synopsys applies the power of mature SAST to deliver actionable results.”

Synopsys believes providing actionable results early in the SDLC and within common developer workflows is key to delivering secure code faster. Coverity scans can be run at various stages of the software development life cycle (SDLC), with native integrations into popular workflows that provide details on each issue, including description, severity, CWE data, and defect location, as well as detailed remediation guidance to help resolve issues as quickly as possible.

Integrations with code repositories, build tools, and CI/CD pipelines support a range of scan strategies to uncover issues before they impact release timelines. The Code Sight™ IDE plug-in extends Coverity capabilities to the desktop, empowering developers to write secure, high-quality code right from the start. Security and code quality defects are identified in real time, so they can be fixed before code is even committed.

Scans can be triggered on pull requests or when builds complete, enabling developer velocity while still ensuring comprehensive coverage, so no critical defects make it into production. Issues can be automatically created in your issue-tracking system (such as Jira), and even assigned to the developer who’s most likely to have introduced the defect, in order to accelerate the remediation process.

Prioritize the most important issues

Within the Current Offering category, Synopsys received the highest score in the Detection criterion.

We believe a key strength of our detection capabilities is the ability to produce highly accurate results that enable developers and security teams to focus on real issues, rather than spending time chasing false positives.

Coverity’s accuracy is driven by an in-depth model that’s built for every application, to provide a deep understanding of how it runs, along with insights into all dependencies and compilers, cross-file data flow, and control flow patterns. Support for over 20 programming languages and 200 application frameworks provides additional context that helps distinguish between false positives and real issues. This level of analysis enables Coverity to uncover complex issues that span multiple files and libraries across very large codebases.

Scan results are tuned for a high level of accuracy by default. This appeals to many teams that prioritize development velocity, but in some situations it’s preferable for scans to return a higher volume of results. In these cases, security and quality checkers can be configured to better align with the risk profile of each business or application.

Universal scan engine for any application

The Forrester report focuses on Coverity capabilities. However, all Synopsys static analysis offerings leverage the same scan engine to provide the highest quality scans to all applications, regardless of the environment.

• Polaris fAST Static has been optimized for DevSecOps teams and cloud applications, with fast onboarding capabilities, ease of use, and prebuilt integrations into key developer workflows.
• Software Risk Manager delivers static analysis as part of an application security posture management solution that unifies policy, test orchestration, and prioritization capabilities at enterprise scale.
• Code Sight provides real-time analysis of code right in the IDE, so developers can resolve issues as they write it, when it’s cheapest and easiest to resolve.

The use of a single scan engine across all these offerings gives customers the flexibility to run static analysis in the manner best optimized for their environments, while ensuring every application receives the best possible security coverage. Consistency is also improved, as issues viewed in triage include the same details and remediation guidance that developers see when working to resolve those issues in the IDE.

Empowering developers today and into the future

We believe our results in the Forrester report validate our approach to enabling developers and security teams to deliver secure, high-quality code for any application, as well as emerging use cases that could change what’s considered “code.”

Synopsys received the highest-possible score in the Roadmap criteria, and tied for the second-highest scores in the Vision and Innovation criteria. Among the areas that Synopsys has innovated in recent years is the ability to scan infrastructure-as-code templates to help DevOps engineers ensure their cloud infrastructure environments are configured properly and free of potential vulnerabilities.

Looking ahead, Synopsys will continue to evolve our SAST and other AppSec tools and services to provide our customers with the most holistic approach to software security, enabling them to deliver secure, high-quality applications at the speed their business requires and according to their own security policies and standards.