Code Dx brings game-changing capabilities to Synopsys

Synopsys acquires Code Dx to extend application security portfolio. Code Dx adds software vulnerability correlation, prioritization, and consolidated risk reporting.

Today, Synopsys announced the acquisition of Code Dx, the provider of an award-winning application security risk management solution that automates and accelerates the discovery, prioritization, and remediation of software vulnerabilities. This acquisition not only adds critical functionality to advance Synopsys’s vision for application security, it provides our customers and prospects with a true view of the organizational risk associated with the security of their software.

Synopsys now provides the ability to intelligently orchestrate security tests from our own tools, third-party tools, and open source tools. We have the ability to correlate and prioritize the findings from more than 75 testing solutions and manual testing activities. Code Dx provides a consolidated view of all these activities as well as insights into organizational risk.

We believe these capabilities are a game changer—not just for Synopsys, but for the application security (AppSec) industry, and most importantly for our customers.

Introducing Code Dx by Synopsys

Code Dx falls into the category that Gartner calls application security orchestration and correlation (ASOC).

After examining the ASOC tools in the market, Synopsys concluded Code Dx has:

The most flexible architecture
The strongest correlation technology
The most integrations

At a macro level, we believe Code Dx’s design uniquely enables organizations to holistically manage their software risk.

It should be noted that Code Dx is a Synopsys technology alliance partner with existing integrations into the Synopsys portfolio. This means that our customers can realize immediate benefits from Code Dx. Furthermore, combining Code Dx with our recently announced Intelligent Orchestration solution creates the most comprehensive orchestration and correlation offering in the market. Like Code Dx, Intelligent Orchestration works with third-party and open source tools. The result is an exceptional set of solutions that efficiently and pragmatically integrate application security testing (AST) into DevOps workflows, enabling organizations to leverage their investment in AST tools of all types.

Code Dx provides several robust capabilities, including:

Correlates the output from all forms of AST—including static analysis (SAST), dynamic analysis (DAST), interactive analysis (IAST), and software composition analysis (SCA). Code Dx can also correlate findings from manual tests such as threat modeling. Many organizations use multiple testing tools, so correlating the findings makes addressing them more efficient and the view of risk more complete.
Offers more than 75 integrations developed in partnership with a wide variety of providers. Besides the integrations with traditional SAST, DAST, IAST, and SCA tools, Code Dx has integrations with cloud and container analysis tools, network scanning tools, mobile security tools, and issues trackers.
Tightly integrates with ticketing systems such as Jira to eliminate duplicate tickets and efficiently assign work to developers while providing consolidated data needed to ensure accountability.
Prioritizes findings based on policies, metadata about the application, and threat intelligence, applying integrated machine learning techniques in the process. The ultimate goal is to provide guidance on what to fix and in what priority to drive developer efficiency while reducing risk.
Uses consolidated test data to provide insights on risk across the application portfolio. This elevates the conversation around AST and AppSec from findings to business risk.

The big picture: What this means for Synopsys customers

Speed to market is the name of the game for our customers. Anything that slows them down or adds friction to the development process is a threat to their business. We recognize that, and we’re committed to helping our customers manage their software risk efficiently, holistically, and productively. The addition of Code Dx to our portfolio helps us achieve this.

There are three givens in today’s environment:

You must test your software as it’s the number one attack surface. To get a holistic picture of the security of your software, you must run multiple tests of different types, which creates a mountain of findings.
You must quicken the pace of development to match business velocity by enabling security without introducing friction. The testing of applications can’t bog down development workflows and inhibit efficiency.
You must protect developer productivity and avoid dumping the mountain of findings on them to fix. Instead, you must correlate the findings and prioritize them to ensure your developers are working efficiently to address the biggest risks.

Meeting all three of these demands requires running the right test, at the right time, at the right level, and then effectively correlating and prioritizing the results for remediation. Synopsys can now provide all of these for our customers, thus turning AST from a productivity inhibitor to an enabler. We can help increase developer productivity and allow DevOps to realize the efficiencies needed to drive business while minimizing organizational risk.

In doing so, we are creating the third generation of application security—or 3rd Gen AppSec. Gone are the days of siloed, monolithic solutions that brought development workflows to a halt. Gone too are the days of “good enough” testing that often created extraneous findings for developers to fix, ironically adding more friction and impeding their productivity. Instead, the next generation of AppSec takes a “just enough” approach to testing—one that aligns with the needs for key events in the DevOps workflow.

You can see why we at Synopsys are extremely excited to add Code Dx to our portfolio. The combination of our comprehensive set of AST solutions, including Intelligent Orchestration, and the addition of Code Dx equip us to better serve the requirements of organizations as they address the ongoing evolution of AppSec and application security testing.