Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | All-in-one cloud-based AppSec platform with Polaris
AppSec IDE Plug-ins | Secure code as you write it in your IDE with Code Sight
Software Risk Management | Correlate and prioritize AppSec risks with Code DX
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Find vulnerabilities in proprietary code during development with Coverity
Software Composition Analysis (SCA) | Find vulnerabilities in open source and 3rd party components with Black Duck SCA
Interactive Analysis (IAST) | Find and verify vulnerabilities during build and QA with Seeker IAST
Dynamic Analysis (DAST) | Automated web application security testing in production with WhiteHat Dynamic
Penetration Testing | Find business logic errors before hackers do
Protocol Fuzzing | Discover unknown vulnerabilities to prevent zero-day attacks with Defensics Fuzz Testing

Program Strategy & Planning | Measure, scale and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Education on coding basics and advanced skills to build secure code
Implementation & Deployment | Optimize utilization, management and deployment of tools
Security Testing Services | On-demand security testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A with Black Duck Audit Services

Manage software risk at the speed your business demands | automation with Genetec & Mateso

Dev and DevOps Teams | building security into your software development lifecycle (SDLC)
Security Teams | Are your AppSec tools, programs, and people equipped to secure all that software?
Legal Teams | Solutions to protect your IP, manage your risk

API Security Testing | with a holistic API security testing program
Application Security Testing | at every stage of the application life cycle
DevSecOps | Synopsys solutions help shift security left without slowing down your development teams
Software Supply Chain Security | Synopsys solutions help you identify and manage software supply chain risks end-to-end
Cloud & Container Security | secure deployment and operation in the cloud
Open Source Security & License Management | security and compliance for open source
M&A Due Diligence | identify software risks that could negatively impact the value of acquired IP
Quality & Security Standards Compliance | demonstrate compliance with specific standards to maintain customer trust and avoid legal or regulatory penalties

Financial Services | protect sensitive customer and financial data from rapidly evolving security threats
IoT & Embedded | ensure your embedded and IoT devices are safe, secure, and reliable
Automotive | build software security & reliability into the modern connected car
Telecommunications | we help you create seamless and safe mobile experiences, from silicon to software
Aerospace & Defense | solutions for automating mission-critical development
Public Sector | application security for government agencies and their suppliers
Medical Device | ensure your medical devices and applications meet patient expectations and comply with regulations

AppSec Program Strategy News | Get insights from Synopsys cyber security experts on building a security program
DAST News | articles about how to apply DAST effectively across your application portfolio
IAST News | articles from Synopsys cyber security experts to learn how IAST tools can grow with your needs
SAST News | articles from Synopsys cyber security experts to learn how to leverage SAST
Open Source and Software Supply Chain News | Discover supply chain risk management best practices from Synopsys cyber security experts
Fuzz Testing News | Learn more about fuzz testing, including instrumentation techniques and best practices, from Synopsys cyber security experts
Security and Developer Training News | articles on security and developer training to help strengthen your team’s knowledge around security
Software Composition News | Read SCA articles to learn how to manage the security, license compliance, and code quality risks that arise from open source in apps
Secure Software Development News | Read related articles from Synopsys cyber security experts
Security Risk News | Read articles from Synopsys cyber security experts to learn how to manage security risks
Security Research News | Get an analysis of today’s application security news and research from Synopsys cyber security experts

Case Studies | Application Security Customer Stories
eBooks | Discover the latest software security trends and best practices to ensure security in a DevOps environment while maintaining developer velocity
Glossary | Glossary of Application Security, EDA & Semiconductor IP
Reports | Discover the latest application security trends and best practices to ensure security in a DevOps environment while maintaining velocity
Webinars | latest & upcoming Synopsys Webinars
White Papers | Discover industry best practices to ensure security in a DevOps environment while maintaining developer velocity

Overview | leverages Synopsys’ expertise, technology, and resources to conduct high-quality software security research
Research | Get an analysis of today’s application security news and research from Synopsys cyber security experts

Press Releases | complete list of our most recent news releases

Intelligent Orchestration for Financial Services

The Right Security Testing at the Right Time

The challenge

Integrate application security analysis from multiple tools into the DevOps pipeline while maintaining development velocity. Develop a purpose-built, cloud-based CI/CD pipeline that automatically performs the right security tests at the right time based on software development life cycle events and defined policies.

The solution

Intelligent Orchestration from Synopsys is a risk-based and adaptive application security test orchestration solution optimized to match the speed of development teams while ensuring that governance, compliance, regulatory, and other policies are applied as required.

Imagine an automated application security test orchestration solution in which you configure the rules for the security testing applications you use, ensuring that you get the right analysis at the right time. An intelligent solution that understands code change significance, the risk profile of an application, and which security testing policies to apply for that application. An orchestration solution that automates the decision-making process on whether specific security testing should be skipped or applied—and that provides continuous feedback to your DevSecOps teams through notifications on Slack, Teams, Jira, or whatever platform you use.

This ideal application security test orchestration solution would be tool-agnostic and work with all commercial static, dynamic, interactive, and software composition analysis tools, as well as with open source tools such as OWASP ZAP, SpotBugs, and OWASP Dependency Check. And it’s extensible, scalable, and very adaptable. That solution is here today: Intelligent Orchestration from Synopsys.

Intelligent Orchestration: Experience guided by intelligence

“Application testing has to be fast, and it can’t be intrusive,” notes the senior technical lead of the application security initiative at a financial services enterprise, who asked that the organization not be named because of the sensitivity of the personal data it stores. “Most of all, developers don’t want time wasted on more security testing than needed.”

“What we need is the right test performed at the right time, getting the right amount of data, and getting that data at the right time,” he continues. “If you’ve made a trivial change to a web application—modified a CSS page, for example—another static analysis test probably isn’t needed at that time. If an open source dependency hasn’t changed, there’s probably no need to do an SCA (software composition analysis) scan.”

“We commissioned Synopsys consultants to help us develop an application security test orchestration solution that looks at the significance of code changes our developers make and the risk profile of the application they’re working on. In essence, we wanted to build an automated traffic cop to direct our security activities. What we now call Intelligent Orchestration moves those activities in the right direction without causing traffic snarls.”

“Moreover, Intelligent Orchestration is prescriptive. Think of a doctor visit. Rather than conducting an MRI scan each time you visit, a doctor evaluates your current state of health and then applies whatever treatment is needed. Maybe an MRI is in order; maybe a less dramatic solution is called for. The decision is based on the doctor’s experience guided by their intelligence. With IO, ‘experience’ equates to ‘policy’ and ‘intelligence’ to ‘code’.”

Security policy as code

All organizations have security policies that define rules. For example, “externally facing critical applications require a manual penetration test every 90 days.” In most organizations, those policies are enforced by a security group—sometimes one person—and it often tends to disrupt production schedules. Unless someone is keeping a close eye on the policies and is carefully synched with the DevOps team’s production pipeline, there’s often a last-minute scramble to meet the security requirements. “We only have four days to production. Who’s going to do a penetration test? Who’s going to do a manual code review within the next four days?”

With Intelligent Orchestration, security policy is translated into code and applied into a dedicated CI pipeline that runs in parallel with your existing build and release pipeline. For example, if the security policy requires a pen test for an application every 90 days, Intelligent Orchestration triggers a heads-up notification to the team after 80 days, or whatever time frame the policy indicates. Most organizations have some internal technology where they store their policies. Synopsys helps the client’s security team transform those manual policies into code that is enforced by the automated Intelligent Orchestration solution.

Results: Less confusion, less stress on resources

“Every time we have a release candidate or a pull request, it’s run through our application security test orchestration pipeline,” notes the senior technical lead of Synopsys’ FSI client. “The net benefit we’ve found is less extraneous testing, which translates into less data to manage, less confusion trying to reconcile data from duplicate tests, [and] ultimately less stress on our resources. Like most organizations, our resources are already stretched. Intelligent Orchestration has allowed us to focus on higher-value tasks.”

“When we onboard an application, we include its risk profile into Intelligent Orchestration. Things like: What data does it manage? Is it a long-running app or something that runs for a few milliseconds? What’s the attack surface? A low-risk application may not need to be run through frequent security checks. Intelligent Orchestration risk profiling also has become a big factor in our relationship with our auditors. It’s hard to defend decisions to an auditor without documentation on how those decisions were made. Intelligent Orchestration provides detailed application risk profile information, logs when and why a testing decision was made, and shows the outcome from that decision. It’s all documented—and that documentation sometimes almost gets us a smile from the auditor.”

Download the PDF

The customer

The company is a major financial services enterprise and Fortune 500 member with over $2 trillion in assets under management. Its databases hold sensitive personal information on millions of U.S. citizens. As with all members of the financial services industry, application security testing is critical for this organization—as is ensuring that developers aren’t slowed by the testing process.

The continuous integration / continuous deployment (CI/CD) environment includes:

Synopsys Black Duck® SCA to detect vulnerabilities in open source dependencies
Amazon Web Services cloud computing platform
Jenkins automation server for CI/CD builds, testing, and deployment
Micro Focus Fortify Static Analysis to detect security defects in proprietary code
Contrast Assess interactive application security testing for runtime security analysis
Prisma Cloud from Palo Alto Networks for preproduction container security image assessment
OWASP ZAP for dynamic security testing
Java, JavaScript, and Python coding languages