Software Integrity Blog

Polaris and partners: Security superheroes

Synopsys partners with an extensive team to help all our customers build secure, high-quality software faster. Meet the latest superhero: the Polaris platform.

Synopsys partners and Polaris: Avengers assemble!

The excitement from the Feb. 25 announcement of the Polaris Software Integrity Platform™ continues to grow. One area attracting a lot of attention is the way Polaris integrates with our rich ecosystem of partners. Polaris provides value to our partners by combining the power of Synopsys Software Integrity products in an integrated, easy-to-use solution. The platform enables our partners’ customers to build secure, high-quality software faster.

Polaris platform integrations

Polaris integrations span the entire DevOps landscape, from the developer IDE and build systems to container orchestration and cloud deployment platforms. Integration points are available for both the instantiation of scans and the consumption of results. One way to instantiate scans is through the Detect connector, which unifies Synopsys scans under one umbrella. Consuming results is also very straightforward through Polaris REST APIs.

Polaris also integrates with stand-alone Black Duck instances. This means that all our customers’ current Black Duck implementations and integrations continue to hold value and provide benefits in the Polaris platform.

How Polaris integrates throughout the DevOps workflow

Let me explain a bit more about how Polaris integrates into each DevOps stage:

  • IDE plugin. The Polaris Code Sight™ IDE plugin uses the Coverity analysis engine to identify quality bugs and security vulnerabilities right in the integrated development environment. Code Sight is currently available for Visual Studio, IntelliJ, and Eclipse. We’ll add additional analysis engine and IDE support in the coming months.
  • Continuous integration. Development teams can run Coverity and Black Duck analyses through their CI tools by using the Detect connector for build and CI tools.
  • Repositories. “Repositories” is a broad category encompassing binary, source, and container repositories and registries. In the Polaris reporting module, users can combine Coverity findings with security findings from existing Black Duck integrations, such as the Black Duck Artifactory Plugin, GitHub Pull Request Scanner, and container registry images scanning for ECR, GCR, and ACR.
  • Container orchestration. In the Polaris reporting module, users can combine Coverity findings with security findings from either the Black Duck OpsSight connector for Kubernetes and Red Hat OpenShift or the Black Duck Service Broker for Pivotal Cloud Foundry.
  • Alerting and workflow. Teams can also create Jira or HipChat alerts based on findings, very similar to how those integrations work in Black Duck today.
  • Cloud platforms. Teams can deploy and manage their Synopsys application security tools on their own private cloud infrastructure.

Polaris as a platform for Synopsys partners

Here at Synopsys, we believe application security should be tightly integrated into the development and deployment tools our customers use today. That belief was top of mind when we were designing and building Polaris.

The set of Synopsys partners is diverse, spanning the DevOps landscape. Polaris provides each type of partner with a similar but slightly different value proposition and integration strategy. I want to highlight each one separately:

Development tool partnerships

Our dev tool partners provide the leading IDE, repository, CI/CD, and collaboration development tools. We want integration of application security into these tools to be easy for our customers. The Polaris platform provides a single integration point for multiple application security capabilities. Our AppSec offerings include static analysis (SAST), software composition analysis (SCA), and interactive application security testing (IAST). Imagine being able to connect all three through one command line tool. Think how easy it would be to get the results of all three scans through one REST API.

  • SAST, SCA, and IAST scan instantiation will all be part of the Detect connector (formerly Black Duck Detect). Detect is a well-known, mature multifactor scanning tool already used by most of our partners and customers.
  • The Polaris platform has a rich set of REST APIs that allow security and development teams to access and combine security findings from Coverity and Black Duck.

Synopsys has built and maintained over 50 partner solutions over the past two years. So we have a proven track record of building world-class integrations with our partners for our customers. Polaris provides a unique opportunity for us to evolve integrated application security in an easy and unified way with our partners.

Cloud partnerships

Polaris was built for the cloud. So Synopsys and our cloud partners can bring unified enterprise application security capabilities to our joint customers. This is true whether they’re already in the cloud or are planning to move workloads to the cloud. Polaris reduces barriers to cloud entry because it provides cloud-based application security tooling, helping to alleviate security concerns.

There are two key points to note for our cloud partnerships. First, Polaris is cloud-native and runs on Kubernetes. So our joint customers have great options for deployment in their private cloud or on-premises. Second, we’ll keep developing our current cloud development tool integrations—such as AWS CodeBuild, Google Cloud Build, and OpsSight for Kubernetes—to ensure they continue to provide value in the Polaris platform.

Vulnerability management partnerships

At first glance, it may seem as if Polaris overlaps with our vulnerability management partners. On the contrary, Polaris is far more complementary to vulnerability management tools than it first appears.

Polaris unifies specific application security functions. But other security-related capabilities are not within the purview of the platform. These include network security and authorization. Synopsys values our vulnerability management partnerships because together, we can further broaden the security intelligence for our joint customers. Also, the Polaris platform simplifies the onboarding process for vulnerability management customers. Now they have only one plugin to set up for SAST, SCA, and dynamic analysis instead of three or more.

Integration for our vulnerability management partners is simple and works exactly the same as for our development tool partners. See the details above regarding Detect and the Polaris reporting REST APIs.

Global system integrator partnerships

Polaris enables our GSI partners in a couple of ways that differ from how it enables our other partners. All the same benefits and integrations discussed above still hold true. The difference is that they are delivered through our GSI partners’ on-demand application services and consulting expertise in DevOps, containers, and security.

Synopsys partners working together

OK, I may not be an actual superhero, but I gotta tell ya: I feel like I am when I assemble all our great Synopsys partners to continue developing solutions on the Polaris platform and to build new ones. Although it’s the end for some superhero teams, it’s just the beginning for unified, best-of-breed enterprise application security from Synopsys and our partners.

Learn more or become a partner