Triage Protecode identified security vulnerabilities with Coverity’s secure development workflow

The risk of open source and third-party code

In today’s fast-paced world with rapid technological advancements, few people need any introduction to the dangers of security vulnerabilities lurking in open source and third-party code.

Open source software has come a long way from being a techno-hippie dream in the late ’80s. Today, it exists nearly everywhere and is a pervasive component of all current major technological innovation. We find open source software components in our Linux operating systems, Apache web servers, Android mobile environments, and Hadoop big data frameworks, among others. Consequently, many companies, both enterprises and startups alike, must figure out ways to incorporate more open source modules into their proprietary code—or at the very least, expose capabilities in their software to interact with open source code.

But this transition toward the widespread use of open source code has not been without risks, and we don’t have to look far to understand that. In Sept. 2017, Equifax, a major consumer credit reporting agency and a Fortune 100 firm, was hacked by cyber criminals. Its data was compromised owing to a flaw in the open source software the company used, leading to severe financial repercussions for the company and loss of consumer trust.

The organizational imperative to manage risk when using open source code

In light of such imposing threats, companies are scrambling for approaches to manage and use their open source and third-party code more securely. Synopsys has been helping companies manage risk and legal compliance with Protecode, an advanced automated software composition analysis tool. Protecode continually updates its ability to detect newer security vulnerabilities and license definitions for open source software. Organizations can also gain substantial efficiency by taking a two-pronged approach:

  1. Developers triage first. Developers are intimate with the code and possible attack surface vectors for software in development. Give them visibility into security vulnerabilities in third-party code, and the ability to actively triage code defects, as the first line of defense.
  2. Centralized workflow. Establish a centralized workflow where both IT security teams and software development groups/organizations have visibility into identified security vulnerabilities. This workflow allows them to adopt third-party code selectively and establish appropriate best practices and security policies.

Secure your workflow by integrating Protecode SC results into the Coverity database

Synopsys Static Analysis (Coverity) is a comprehensive static application security testing (SAST) platform that finds critical defects and security weaknesses in code before they become vulnerabilities or crashes, or degrade the overall quality of your software.

After listening to our customers’ needs and pain points, Synopsys has established a set of best practices and a workflow that integrates Protecode SC and Coverity Connect. Protecode SC identifies the security vulnerabilities, and the Coverity Connect interface is used to triage them. This approach makes it possible to customize triaging for specific software group needs, set up charts, track vulnerability trends, and establish a baseline to manage open source security vulnerabilities.

For groups who have already deployed the Coverity platform, the integration will be able to leverage an existing software development life cycle (SDLC) workflow around Coverity, saving time and cost. There’s no need for additional resources to design and set up a new workflow. In addition, team and company supervisors can simplify code complexity by using a common interface to monitor all security-related defects requiring developer attention. This ability is especially useful when open source code is spread across many applications and engineering divisions.

Results and impact

The Protecode SC / Coverity Connect integration is facilitated by Python scripts. Additionally, it can be deployed as a plug-and-play feature within any operating environment that supports Coverity Analysis. You can configure the integration results via the Coverity Connect interface, and you can also layer on custom features. For example, you can organize results by CVSS ratings and scores, and customize the technical description to comply with a specific industry standard. You can also support more tailored workflows for individual development teams. In summary, the integration offers three key benefits for software organizations from a security standpoint:

  1. By using their existing Coverity deployment infrastructure, companies can establish an independent workflow that uses the established process for triaging defects.
  2. Both engineering and IT security teams can pinpoint with greater granularity the vulnerabilities that affect individual applications, and establish an action plan.
  3. The solution can be scaled to deploy on any number of servers and easily integrated with continuous integration (CI) and issue-tracking tools.

[Figure: "CVE-2017-10684 Detail". Caption: A sample customization]

The interface links the identified vulnerability to the National Vulnerability Database (NVD) and displays relevant triage information, such as the CVSS score, rating, and so on.
