Static application security testing
Static application security testing (SAST) is an integral part of AppSec. It analyzes source code in a non-runtime environment, without executing it. SAST detects software security vulnerabilities, from common to critical, and other quality issues early in the SDLC, which helps avoid costly changes later and can potentially save millions of dollars. Synopsys SAST offers multiple depths of secure code review, so you can tune the level of testing to the risk profile of each tested application.
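To make the "analysis without executing it" point concrete, here is an added toy static check (example code written for this page, not a Synopsys tool): it parses target Python source into an AST and flags SQL statements that are built by concatenation, %-formatting, .format() or f-strings before reaching an execute() call. The SAMPLE source, the Finding type and the scan_source() helper are all constructed for the illustration.

```python
"""Toy SAST-style check: flag dynamically built SQL passed to execute().
The scanned code is only parsed with the ast module, never imported or run."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime:
    f-string with placeholders, % formatting, .format(), or + concatenation
    where at least one side is not a plain literal."""
    if isinstance(node, ast.JoinedStr):  # f"..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        # "a" + "b" is still a constant; flag only when a non-literal is involved
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


class SqlBuildVisitor(ast.NodeVisitor):
    """Walks the tree in source order, remembering variables that were
    assigned a dynamically built string so a later execute(var) is caught."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.dynamic_names: set[str] = set()

    def visit_Assign(self, node: ast.Assign) -> None:
        if _is_dynamic_string(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.dynamic_names.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany")
                and node.args):
            first = node.args[0]
            tainted = _is_dynamic_string(first) or (
                isinstance(first, ast.Name) and first.id in self.dynamic_names)
            if tainted:
                self.findings.append(Finding(
                    node.lineno,
                    "SQL statement assembled from runtime values; use a parameterised query"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse the source and return all findings, in source order."""
    visitor = SqlBuildVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample program to scan (three unsafe calls, one safe call).
SAMPLE = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    q = "SELECT * FROM users WHERE name = '%s'" % user
    cur.execute(q)
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.message}")
```

The visitor is deliberately simple: it only follows one assignment hop and ignores control flow, which is exactly the kind of gap a commercial SAST engine closes with inter-procedural data-flow analysis. The last execute() call, which passes the user value as a bound parameter, is correctly left alone.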
Dynamic application security testing
While SAST scans for security vulnerabilities and quality issues early in the SDLC, dynamic application security testing (DAST) identifies security issues at runtime. Synopsys DAST utilizes market-leading automated tools to identify common vulnerabilities, such as SQL injection, cross-site scripting, and security misconfigurations, and other issues catalogued in lists such as the OWASP Top 10 and the CWE/SANS Top 25. DAST also includes manual penetration testing to find vulnerabilities that out-of-the-box tools can’t find, such as flaws in authentication/session management, access control, and information leakage. Consultants perform a thorough review, identify false positives, and provide actionable mitigation and remediation strategies.
Network security testing
The network is one of the most exposed components of your infrastructure. Network devices, the Domain Name System, and servers should be periodically tested for vulnerabilities. Network security testing involves a thorough assessment of routers, switches, web servers, and firewalls. Synopsys experts utilize a combination of techniques, such as automated scanning and pen testing, to detect vulnerabilities, so you can rest assured that no stone is left unturned. The manual testing checklist includes test cases for encrypted transport protocols, SSL certificate scoping issues, use of administrative services, and others. Defects discovered are triaged manually by our experts and included, along with recommended fixes, in the final report.
Embedded software testing
Unlike traditional application software, which can run on a variety of computer systems, embedded software systems are designed to run on a unique individual device. Such a software system is restricted by its device’s memory, processing, and other constraints. The IoT, automobiles, consumer electronic devices, and medical devices are some examples of embedded systems. Initially, commercial/proprietary software was more common in embedded systems, but open source software is gaining popularity. However, while cost-effective, open source software comes with its own security and license concerns. Embedded software systems in general are far more complex than traditional application software. Many embedded devices (IoT) are now connected to the internet by default, and they are deployed in the thousands or even millions.
Testing and securing embedded software systems is crucial, as a breach could lead not just to financial and brand equity losses, but potentially also to loss of life. Due to the complexity, variety, and diversity of embedded software systems, it’s just not possible for an individual or even a small team of experts to know everything about them. Synopsys has a dedicated team of hundreds of embedded software security experts with decades of experience in testing and securing complex systems. Our embedded software testing process takes a risk-based systems approach and covers communication, client, and server analysis. This risk-based approach prioritizes and tackles the defects that matter most to your business.
Thick client testing
Thick or fat clients are self-sufficient and have their own operating system and software, which allows them to perform the vast majority of processing on their own. But because of the lack of general industry standards in thick clients, it’s easier for a hacker to find and exploit vulnerabilities in them. The most common vulnerabilities seen within thick clients are memory corruption, injection, cryptographic weaknesses, and client-side trust issues. These vulnerabilities can lead to a complete compromise of systems where the thick client software is installed, unauthorized access to server-side information, and more.
Thick client applications involve both local and server-side processing and often use proprietary protocols for communication. They may also contain multiple client-side components running at different trust levels. Simple, automated vulnerability assessment scanning isn’t enough. That’s why Synopsys consultants customize every thick client test to the individual application. The risk-based analysis focuses on the thick client software and the server-side APIs it communicates with. Each customized assessment includes automated scanning, configuration, network communication, server, and client analysis. Synopsys expert analysis ensures that your thick clients remain protected from attackers.
Open source audits
Open source has proliferated in virtually every sphere of software development. Most applications now either have some components of open source or have open source as their foundation. Open source, however, can come with significant security and licensing risks that if not handled correctly can lead to penalties and public embarrassment. It’s imperative to perform an open source audit to comprehend the open source license obligations, application security, and code quality risks that are not always evident.
An automated software composition analysis (SCA) scan that integrates seamlessly into the SDLC can help identify vulnerabilities that need to be addressed and aid with license compliance. However, some open source code can easily go undetected during an automated scan, so evaluating scan results requires expertise. The Synopsys open source audits team includes dedicated experts with decades of experience auditing open source software. They can help you detect and patch vulnerabilities hidden in your code and mitigate potential legal exposure by identifying third-party and open source code within your codebase.
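The two halves of the paragraph above, what an automated SCA scan can catch and what it can miss, are illustrated by this added example (written for this page, not Synopsys or Black Duck code). It matches a constructed requirements-style manifest against a constructed advisory list, then shows why a manifest-only scan is insufficient: a library file copied into the tree without a manifest entry is found only by fingerprinting its content. The package names, versions, advisory ids and file contents are all placeholders constructed for the illustration, and the "fixed_in" comparison is a simplification of real affected-version ranges.

```python
"""Toy software composition analysis (SCA): manifest matching plus a
vendored-code fingerprint check. Every identifier below is constructed."""
import hashlib
import re

# Constructed advisory database (placeholder ids, not real CVEs).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "examplelib", "fixed_in": "1.4.2"},
    {"id": "ADV-PLACEHOLDER-2", "package": "othertool", "fixed_in": "3.0.0"},
]

# Constructed pinned manifest, one "name==version" per line.
MANIFEST = """\
examplelib==1.3.9
othertool==3.1.0
unrelated==0.5.0
"""


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so tuples compare numerically."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict[str, str]:
    """Return {package_name: pinned_version}; non-pinned lines are ignored."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def find_vulnerable(deps: dict[str, str], advisories=ADVISORIES) -> list[tuple[str, str, str]]:
    """Declared dependencies whose pinned version is below the advisory's fix."""
    hits = []
    for adv in advisories:
        pinned = deps.get(adv["package"])
        if pinned and parse_version(pinned) < parse_version(adv["fixed_in"]):
            hits.append((adv["package"], pinned, adv["id"]))
    return hits


# Fingerprint of a known library file (constructed content standing in for
# a real file shipped by "examplelib"); an auditor's database holds many such hashes.
KNOWN_FILE_CONTENT = b"def helper():\n    return 42\n"
KNOWN_FINGERPRINTS = {
    hashlib.sha256(KNOWN_FILE_CONTENT).hexdigest(): "examplelib (vendored copy)",
}


def find_vendored(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Scan {path: content} for files matching a known library fingerprint.
    This catches code copied into the tree that no manifest declares."""
    matches = []
    for path, content in files.items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in KNOWN_FINGERPRINTS:
            matches.append((path, KNOWN_FINGERPRINTS[digest]))
    return matches


# Constructed source tree: the helper was copied in by hand, not installed.
SAMPLE_TREE = {
    "src/app.py": b"print('hi')\n",
    "src/third_party/helper.py": KNOWN_FILE_CONTENT,
}

if __name__ == "__main__":
    print("manifest findings:", find_vulnerable(parse_manifest(MANIFEST)))
    print("vendored code:", find_vendored(SAMPLE_TREE))
```

Note that the manifest scan knows nothing about examplelib being present in src/third_party/, and the fingerprint scan knows nothing about the pinned version; an audit needs both views, plus an expert to judge partial or modified copies that no exact hash will match.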
Malicious code detection
Forrester predicts that “one-third of security breaches will be caused by insider threats in 2021.”2 Disgruntled developers may plant malicious code in your software system that they can exploit in the future. The problem with this kind of malicious code is that since it is planted by someone with intimate knowledge of the software system, the infected system can appear to be completely normal. Malicious code detection (MCD) finds suspicious constructs in production binaries, configurations, and data. It also (privately) identifies the malicious code that typical security tools can’t find, along with the insider threat actors. MCD provides expert advice on malicious code management and delivers vulnerability remediation strategies.