CloudBees and Synopsys Integrate Security Into DevOps Processes

There is a natural synergy between CloudBees, the enterprise software delivery company that provides a leading DevOps technology platform for software delivery automation (SDA) and software delivery management (SDM), and Synopsys, a leader in application security (AppSec) testing that adds security to DevOps (DevSecOps).

CloudBees and Synopsys have partnered to help customers shift security left in their software development life cycle (SDLC), achieve compliance, eliminate data silos, increase productivity and time to market, enable scalability, and improve visibility and software quality through easy-to-use integrations.

Achieving compliance and eliminating tool and data silos

According to Anders Wallgren, vice president of technology strategy at CloudBees, organizations with release teams—especially those in governed industries like financial services, healthcare, automotive, aerospace and defense, and the public sector—are moving away from just attestation when it comes to security and open source compliance, and toward following a specific process and proving compliance. So systems must be able to inspect that evidence and validate that it happened. “Customers need to prove not only that they did it, but that they did it correctly. And that they looked at the results,” says Wallgren.

Wallgren also notes that technical, quality assurance, operations, product management, and support leaders in DevOps teams use best-of-breed, current tools throughout their SDLC, which is as it should be, but they face the challenge of tool and data silos. In other words, every time they need to answer a question or prove compliance with industry standards, they must jump between multiple tools to get the data they need.

The solution is to get all the data in one place so customers can get questions answered repeatedly and continuously, which is where the CloudBees platform and Intelligent Orchestration come in.

The CloudBees platform helps bring order to all the tools. The Synopsys Black Duck® and Intelligent Orchestration integrations enable a first-class code analysis experience inside CloudBees build and CI tools. All of which adds tremendous value for customers. For example, Black Duck can provide proof of the correct scan configuration, the outputs of that scan, and any mid- or high-level thresholds for specific open source requirements.

We've come a long way in DevOps and agile, tearing down the silos between organizations and their cultures. We look at this as one team—and we're here to solve a customer problem."

Anders Wallgren

|

Vice President of Technology Strategy, CloudBees

Marcus Grimaldo, director of technical global alliances at CloudBees, notes that many customers are already using the integrations between Black Duck and CloudBees.

Wallgren adds that integrations between the CloudBees platform and AppSec scanning tools like Black Duck are table stakes, especially for customers in governed industries. “The more that you can make the right way the easy, default way, the better. So the tighter these integrations are, the easier they are to deploy. It's there. It's in the pipeline. And we'll even go meta about it,” Wallgren says. Many CloudBees customers enforce meta policies to analyze code in all their pipelines, which means it’s important to not only have the security analysis integration, but to take it to the next level with the ability to verify that the desired analysis happened. “And I think that's really where CloudBees and Synopsys both benefit from having a tight relationship around those integrations,” Wallgren summarizes.

With the current trend of moving away from the world of attestation and into the world of proof, the real valuable integrations are the ones like Black Duck and CloudBees that are bi-directional, where customers get results back. They're testable, documentable, inspectable, and can track changes easily.

Sample Black Duck audit trail report displaying component changes

“These kinds of relationships and integrations put us in a position where we can really give our customers what they need and not just push the button for them, which is important,” says Wallgren. He adds, “Proving what happened, where it happened, how it ran, and what the results are is really where the lasting value comes. These valuable integrations become a core part of how customers operate and deliver software.”

Our integrations with Black Duck ultimately enable us to bring more value to customers by proving that things happened and not just saying they did. That’s kind of a big deal."

Anders Wallgren

|

Vice President of Technology Strategy, CloudBees

Shifting security left in the SDLC while enabling scalability and visibility

Wallgren points out that DevSecOps is hot now and changing the industry in the sense that security and quality are inextricably linked. DevSecOps is increasingly something that engineering teams, engineering managers, developers, and the developer community realize
the value of and the need to prioritize and incorporate into their process earlier—from the beginning—instead of sprinkling it on at the end as an afterthought.

For example, the financial services industry is a big adopter of DevOps and agile, but everything it does must be auditable, controllable, and governable. Wallgren says that one of their largest customers in the finance industry refers to this as “policy as code.”

And organizations want to shift governance left in an organizationally scalable way. From a security perspective, they need to delegate authority by teams instead of having one team with visibility over everything, which can create a bottleneck. “It's one thing to do this when you've got a team of 20 developers. It's another thing to do it when you've got 500 teams each with 50 developers on them, and to be able to do it at that kind of scale,” says Wallgren.

Once employees start to see that their peers and other teams in their organization prioritize security, the bar is raised. Organization-wide visibility and transparency of security practices can help demonstrate to laggards that it’s something you must do, and not something that some do for extra credit.

Wallgren further notes that organizations that prioritize security want to do this “as code” because code can be inspected, tested, and documented. To close the loop, they must focus on not just the security of their code or third-party code, whether it's open source or commercial, but also on the security of the systems they use to build, test, qualify, release, and deploy their code. So the pipeline itself must be secure.

In addition, one of the largest CloudBees/Synopsys joint customers says that when it’s running security scans, it doesn't want just anybody in the organization to be able to change those configurations. Intelligent Orchestration allows customers to say that not only are they making sure their code is secure, the pipeline itself is secure. Wallgren adds, “It's no longer good enough to be secure only at the border. You must be secure in the interior as well.”

Implementing Intelligent Orchestration by Synopsys in CloudBees CI

Increasing productivity and speeding time to market

The feedback CloudBees gets directly, anecdotally, and empirically is that shifting security left in the SDLC is a huge win for customers.

A big concern for DevOps customers in a governed industry is that adding security to the pipeline to comply with governance requirements will make the software development process slower and less efficient. So looking at how security impacts cycle times is important.

For example, a joint customer in the aerospace industry cut its cycle time in half. Aerospace organizations must justify every single code change, including tracking it back to who requested it, who did it, how it was tested, and how it was documented. They were spending as much time at the end of a sprint pulling together data as they did for the entire sprint. “And we basically got that down to a matter of hours instead of weeks,” says Wallgren. Because they’re collecting all the information in a report, “it's not only enabling them to achieve compliance, it's also vastly accelerating the process by collecting that information as a side effect of doing all of the orchestration around that software delivery pipeline.”

For a joint aerospace customer, we cut their cycle times in half—hours instead of weeks."

Anders Wallgren

|

Vice President of Technology Strategy, CloudBees

Once customers realize how much time they can save, they start to imagine all the opportunities the time savings represent to optimize their value stream. Where could they spend the extra time and money? Do they want to ship more product, ship the same amount sooner, or ship a higher-quality product in the same amount of time?

Looking to the future of DevSecOps

Grimaldo agrees with Wallgren that DevSecOps is a hot topic at the forefront of every company’s agenda, and that it’s not going away. The value of the partnership between CloudBees and Synopsys, the technology, and what that means for customers and partners alike includes helping influence and drive revenue.

Grimaldo adds that DevSecOps is an inside-out approach that gets to the heart of the problem instead of just the periphery. “DevSecOps is so important when we think of Intelligent Orchestration, scalability, and all of those things that matter,” he says.

Synopsys was one of the launch partners for the CloudBees Technical Alliance Partner Program, and CloudBees is a Synopsys technology alliance partner. “Synopsys has been great because it is a powerhouse in the AppSec industry. And it's pretty phenomenal to have the weight of a US$3.7B company teamed up with us so that we can go to market and create more stickiness in terms of the industry and globally. The whole team has been excellent and we're excited to have Synopsys as part of the team,” concludes Grimaldo.

Challenge

Developers and release engineers must achieve compliance while maintaining agility.

Solution

Joint build and CI integrations:

Benefits

  • Easy security scan integration into pipelines
  • Modular open source code analysis with minimal adjustments
  • Quick view of open source compliance and security state