The word “rapid” has particular importance when it comes to what developers expect from application security solutions. Anything that slows down development efforts causes friction. Lightweight, immediate results are key to the adoption of AST solutions that enable meaningful and accurate remediation, not only for traditional vulnerabilities but also for misconfigurations that expose weaknesses attackers can easily exploit.
Static application security testing (SAST) and software composition analysis (SCA) scans are necessary as part of an organization’s AST program—they enable developers to get immediate results and accelerate remediation. Some studies have indicated that rapid, context-based scanning increases the fix rate by over 70% compared to traditional application security testing, where issues are returned to developers even one day later.
Synopsys is focused on helping AppSec teams with broad and deep application security vulnerability coverage, while also enabling developers to find and fix issues quickly at the early stages of the software development life cycle (SDLC). This includes both open source and custom code, because to the developer, it’s all just code—they need to know what’s vulnerable and what can be done about it. Everything else is just noise.
Synopsys Rapid Scan works with Coverity® SAST and Black Duck® SCA tools to reduce that noise and friction for developers by providing fast results that enable them to take action early in the SDLC. The Rapid Scan SAST capabilities for Coverity leverage the new Sigma scanning engine to accelerate modern development and work seamlessly in the IDE (including Code Sight™ for Visual Studio, available in August 2021) and the CI/CD pipeline for automated, fast results. From JavaScript coverage to infrastructure as code and cloud-native application misconfiguration checkers, Coverity is quickly evolving to meet the next generation of SAST needs.
In June 2021, Synopsys announced cloud-native coverage for Terraform, Kubernetes, and CloudFormation, as well as new microservices configuration checkers. Output formats for SARIF and JSON make for easy actionability, and GitHub and GitLab support enable scans on pull request automation, including policy definitions. Check out this blog post for more insight.
Synopsys also announced the general availability of the Black Duck Rapid Scan feature in June 2021. SAST and SCA are the one-two AST punch developers require. With Black Duck Rapid Scan, developers gain early insight into dependency risk, using the Detect CLI or CI/CD tools such as Jenkins and GitLab. Developers gain immediate insight into vulnerabilities with scalable results—more than 30,000 scans per day. Scans can be performed before code commit or on pull requests, and full multifactor scans can be run again later with a full software Bill of Materials. This provides the right mix of speed and depth for organizations using Black Duck.
For too long, vendors have tried to change how developers work. This resulted in developers simply finding other options or worse: not doing any early security testing. With the recent uptick in security breaches—as well as regulatory changes and the ever-increasing speed of development—rapid scanning is the only way to ensure that security testing is integrated into an organization’s DevOps process. Application security means you need to enable and accelerate SAST and SCA scans for developers, and meet them where they are, from GitLab to the IDE. And automating the pipeline with capabilities like Intelligent Orchestration meets today’s and tomorrow’s rapid development needs.