
Global Elevator Industry Giant

Building a single source of truth with Code Dx

The challenge: Centralize risk visibility without compromising existing security activities

With an established and mature security program already in place, this elevator industry
giant lacked little when it came to AppSec strategy and innovation. Instead, the
challenge for the solution design owner (the person responsible for implementing
application security services within the organization globally) was a lack of visibility
into existing security activity, success metrics, and reporting on relevant AppSec data,
compliance, and applications from a centralized location.

With varied tools from different vendors in use, reporting and scan results were
available in disparate locations and formats, hindering the comprehensive overview
of security activities needed to gauge efficiency and success. Org X’s solution design
owner found it “very difficult to get an overview of the status of risk in an application.”
On a granular level, it was nearly impossible to determine the security risk posed to any
single application. And from an organizational perspective, it was difficult to assess
overall application security health across the application portfolio as a whole.

Further complicating this challenge, security standards like ISO 27001 and IEC 64334
(an IoT security standard) introduced additional requirements. ISO 27001 mandates
that organizations produce evidence of scanning activity, along with information about
any remediation performed in association with those findings. Org X was required to
demonstrate that it had completed required scans, provide a summary of findings, and
present evidence of investigation into findings that merited remediation activity.

The company’s immediate need was a means of fulfilling these requirements while
also gaining necessary insight into overall security health, success, and efficiency—all
impossible without an automated, centralized source of truth.

The solution: Code Dx by Synopsys

Org X elected to introduce Synopsys Code Dx® into its existing pipelines because of Code Dx’s ability to integrate all application security testing results into a centralized location, automate the most time-intensive tasks, increase the speed of testing and remediation, and provide the overarching visibility the company so greatly needed.

Code Dx correlates results from any number of AppSec scanning tools into a single console, producing a normalized, central source of security data. Code Dx Triage Assistant uses machine learning to predict which of these findings are most critical to an organization, based on its business risk profile. Remediation and testing activities are recorded to ensure accountability between security and development stakeholders. As a centralized location providing risk visibility into all this critical information, Code Dx gives organizations a 360-degree view of risk across all applications and serves as a system of record for all security activities.
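To make concrete what "correlating" scanner output into a normalized source of truth involves, here is an added illustration (not Code Dx code, and not Org X's pipeline): it parses two constructed reports in different formats, a SARIF-style SAST report and a hypothetical flat-JSON report from a second tool, maps both to one schema, merges records that describe the same weakness at the same location, and produces the per-application risk summary the case study says was previously impossible to obtain. The tool names, file paths, and the flat format are assumptions made for the example.

```python
"""Illustrative finding normalizer and correlator (constructed example).

Not Code Dx's implementation: it shows the idea behind a normalized,
central view of findings from several scanners. Input formats are
simplified; tool names and paths are invented for the example.
"""
import json
from collections import Counter
from dataclasses import dataclass, asdict

# Constructed sample: a SARIF-style SAST report (subset of the real SARIF shape).
SAST_REPORT = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "sast-tool"}},
        "results": [
            {"ruleId": "CWE-89", "level": "error",
             "message": {"text": "SQL injection"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "CWE-79", "level": "warning",
             "message": {"text": "Reflected XSS"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/web.py"},
                 "region": {"startLine": 10}}}]},
        ],
    }]
})

# Constructed sample: a second tool with its own (hypothetical) flat JSON format.
# It reports the same SQL injection, so the two records must be merged, not double-counted.
SECOND_REPORT = json.dumps([
    {"cwe": 89, "severity": "High", "file": "src/db.py", "line": 42, "title": "SQLi in query builder"},
    {"cwe": 22, "severity": "Medium", "file": "src/files.py", "line": 7, "title": "Path traversal"},
])


@dataclass(frozen=True)
class Finding:
    cwe: int
    file: str
    line: int
    severity: str   # normalized: "high" | "medium" | "low"
    tools: tuple    # every scanner that reported this finding


SARIF_LEVELS = {"error": "high", "warning": "medium", "note": "low"}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def parse_sarif(text):
    """Map SARIF results to the common schema (first location only)."""
    out = []
    for run in json.loads(text)["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            out.append(Finding(
                cwe=int(r["ruleId"].split("-")[1]),
                file=loc["artifactLocation"]["uri"],
                line=int(loc["region"]["startLine"]),
                severity=SARIF_LEVELS.get(r.get("level", "warning"), "medium"),
                tools=(tool,)))
    return out


def parse_flat(text, tool="second-sast"):
    """Map the hypothetical flat format to the common schema."""
    return [Finding(cwe=int(r["cwe"]), file=r["file"], line=int(r["line"]),
                    severity=r["severity"].lower(), tools=(tool,))
            for r in json.loads(text)]


def correlate(findings):
    """Merge findings with the same (CWE, file, line): keep the highest
    severity and record every tool that saw it. Sorted worst-first."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.file, f.line)
        if key in merged:
            m = merged[key]
            sev = max(m.severity, f.severity, key=SEVERITY_RANK.__getitem__)
            merged[key] = Finding(f.cwe, f.file, f.line, sev,
                                  tuple(sorted(set(m.tools + f.tools))))
        else:
            merged[key] = f
    return sorted(merged.values(),
                  key=lambda f: (-SEVERITY_RANK[f.severity], f.file, f.line))


def summarize(findings):
    """Per-application view: severity histogram plus the number of findings
    confirmed by more than one tool, a useful triage signal."""
    return {"total": len(findings),
            "by_severity": dict(Counter(f.severity for f in findings)),
            "multi_tool": sum(1 for f in findings if len(f.tools) > 1)}


def build_view():
    findings = correlate(parse_sarif(SAST_REPORT) + parse_flat(SECOND_REPORT))
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, summary = build_view()
    for f in findings:
        print(asdict(f))
    print(summary)
```

The four raw records collapse to three findings; the SQL injection at src/db.py:42 is reported once, with both tools attached, and the summary gives the per-application counts a compliance report would cite.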

A Synopsys customer since 2017, Org X began its implementation of Code Dx in 2022.

Org X cited its “great relationship [with Synopsys] from previous tool implementations” as its reason for selecting Synopsys to solve its visibility challenges. The company credited this existing relationship for “[making] it easy to start discussing [its] needs and licensing models,” and said it was able to “create a solution that is good and functional for [its] business needs.”

The results: A single, actionable, source of truth

Org X’s solution design owner set out to build a single source of truth for security findings, remediation activities, and reporting. Once Code Dx was introduced into the already thriving application security program, Org X was able to gather findings from across its application landscape into one centralized location. With Code Dx, it can now “collect and show [its security] activities across [its] application portfolio.”

Code Dx also fit nicely into existing pipelines: code is committed to version control, which triggers pipelines that analyze it. Templates created with support from Synopsys help with the integrations. After scans complete, the native collector pulls in data from the newest report, the infrastructure-as-code scan report is uploaded to Code Dx through its API, and Code Dx provides a comprehensive overview of all the collected data.

Org X also needed to gather vulnerability data from its wide range of platforms (Azure, AWS in GitLab, Azure DevOps, Jenkins, etc.). Code Dx was up to the task. It seamlessly fit into Org X’s existing tooling and processes, without hindering development or security activities.

Org X’s solution design owner reported “much better visibility about the security status of applications.” Equally important, Code Dx “triggered more communication with the teams about applications and that has improved [its configuration management database] data during the process.”

“Code Dx gave us much better visibility into the security status of our applications. Additionally, Synopsys is great to work with, quick to answer our questions, and responds to service tickets quite quickly.”

Solution design owner


Application security services

Company overview

This global leader in the elevator and escalator industry chose to remain anonymous, so we refer to it as “Org X” for the purposes of this case study.