Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

AI-generated code | Harness the power of AI coding assistants while managing the risks
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Consolidation | Simplify your application security program
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source License Compliance | Effective solutions for ensuring open source license compliance
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

MEGA International:

Holistic Application Security with Coverity and Black Duck

The challenge: Examining the quality, security, and compliance of 5 million+ lines of code

MEGA’s flagship SaaS solution, the HOPEX Platform, enables organizations to plan and build upon their efforts around IT inventory, technical obsolescence, and IT strategy to manage governance, risk, and compliance; business processes; and data governance. “Our customers are major players, mainly in the financial and services industry, as well as government entities,” said Philippe Bobo, MEGA’s head of research and development. “All expect best-in-class security expertise and practices from MEGA, and secured code in our products and solutions.”

MEGA’s goal in working with Synopsys was to validate that the more than 5 million lines of code in its software were as free from flaws as possible despite decades of enhancements and refactoring. “Another priority was to assure secure management of the ever-growing number of external libraries incorporated in our code,” added Bobo. “This includes not only the libraries that we ourselves use, but also the libraries that they themselves may call. The dynamic hierarchy of dependencies can quickly become untraceable without a comprehensive and continually updated software Bill of Materials [BOM]. Lastly, we wanted to demonstrate to our SOC 2 auditors that our SaaS solution is securely managing data to protect the interests and privacy of our clients.”

Coverity gave us a code quality approach that was very efficient, especially given the multimillion lines of code that needed to be scanned."

The solution: Holistic application security with Coverity and Black Duck

“Synopsys is a well-known leader in security, with an understanding of what is crucial to our global market, especially as it comes to the highly regulated financial services industry,” said Bobo. “Partnering with Synopsys increases the credibility of our own security commitment.”

“Synopsys demonstrated a thorough understanding of our business, and particularly of the challenges [and] the large number of software assets, legacy code, and compatibility issues that a long-time quadrant leader like MEGA has to deal with. This understanding made the implementation of Synopsys Coverity® very straightforward.”

“Coverity had the widest coverage in terms of coding languages,” Bobo continued, “as well as a sharp approach to C/C++, with a highly satisfactory exception mechanism that would let us build a progressive picture of our code right from scratch, without being snowed under with a ton of alerts. This proved a key factor, as reliability was our main goal here.

“We also had a need to understand and manage the third-party components and libraries we were using in our code, especially when it came to open source, and to build a thorough Bill of Materials detailing those components.

“Synopsys Black Duck® SCA [software composition analysis] is the spearhead of our BOM initiative. Black Duck allowed us to quickly launch the exploration process and help us set alert priorities for a codebase that was becoming more and more complex. Time-to-value and completeness were our main goals here. Synopsys provided a very efficient and reactive consultant to help get us launched and to answer questions, and we became autonomous very quickly,” said Bobo.

Synopsys Black Duck SCA is the spearhead of our Bill of Materials initiative."

The results: 40K defects fixed, more than 1,700 open source components identified

“As we anticipated, the Coverity and Black Duck scans caught dozens of forgotten or overlooked weaknesses in our software. Specifically, Coverity uncovered weaknesses that could affect the stability of the software, and in some cases, cast a light on the root causes of long-time unexplained occasional outages. Our teams have fixed close to 40,000 defect instances detected by Coverity since we began working with Synopsys in 2017.”

“Using Black Duck almost immediately improved the level of control over our code by alerting our team to the security and license issues of some open source components,” Bobo said. “Although we knew we were using open source libraries, we were still surprised by the number of libraries that were ending up in our package. In fact, Black Duck identified over 1,700 external components, and 70 different license types.”

“Coverity and Black Duck allowed us to insert security and license compliance into the continuous integration process. Now, security and license noncompliance [issues] are raised to developers at the same time as functional or technical nonconformities, as a main contribution to our shift-left effort.”

“The tools have also helped improve the housekeeping of the code,” Bobo said. “Rather than fixing defects in legacy code that is not being used any longer, developers pare down their code. And rather than including new open source that requires legal approval of yet another license agreement, developers try to make more efficient use of already existing dependencies in their third-party components. When such approval is needed, the legal team directly connects to Black Duck.”

“We would recommend Synopsys as a provider of a comprehensive set of holistic, complementary AppSec solutions, backed by a pool of sharp consultants who understand globally the industries they work with, as well as an organization’s unique processes. For a B2B global organization like MEGA, it’s a must,” Bobo said.

Download the PDF

Company overview
Founded in 1991, MEGA International is a global software company that has been a recognized market leader for more than 10 years. A leader in enterprise architecture, IT strategy, and business process analysis, the company partners with customers to leverage technology to improve governance and accelerate transformation. MEGA helps companies better analyze how they operate and make the right decisions to accelerate the creation of value.

More Resources

Solution

Black Duck SCA

Learn more about Black Duck software composition analysis

Solution

Coverity SAST

Learn more about Coverity static analysis

eBook

Complement SAST With SCA for Open Source Management

Download the eBook