Posted by on Wednesday, September 8th, 2021

Using the right AppSec tools and services throughout the software development life cycle can help you properly secure your sensitive data.

One of a CISO’s primary responsibilities is protecting their company’s digital assets, and adhering to current and emerging data privacy laws is crucial. Organizations must ensure that their corporate intellectual property and user data (e.g., customer, employee, contractor and/or prospect data) is safe from cyber attacks and data breaches.

CISOs must work with their colleagues in data protection, privacy protection, IT infrastructure, compliance, and software and system development to ensure compliance with data privacy laws.

Download the CISO’s Guide to Sensitive Data Protection

Because cyber attackers are becoming increasingly sophisticated in their attacks, organizations must secure entire systems of systems, the software supply chain, and software development workflows. Defining and building the design, workflows, and processes that ensure software and system security is essential. Key stakeholders in system architecture, security, software development, and IT infrastructure need to work closely together to perform comprehensive architecture analysis, threat modeling, and holistic system evaluation.

Best practices for securing software development and DevSecOps workflows include secrets management, automated AppSec tools for compliance with industry security standards and sensitive data detection, threat modeling, manual penetration testing of business logic, and customized intelligent orchestration and correlation of AppSec tools and services.

As data privacy laws and requirements change over time, the information that’s considered sensitive can change as well. Organizations must perform comprehensive data discovery and classification, and know where the data resides, so they can easily find the data when laws change. Organizations should also use AppSec tools that are flexible and can identify multiple types of sensitive data in source code, binaries, and all associated files such as HTML files, readme files, and firmware and containers. In addition, security and DevOps leads should use dynamic IAST tools that enable users to mark user-defined sensitive data types and automatically detect and track whenever this data exposed is exposed in a log, database, or file.

The Synopsys AppSec portfolio

Synopsys Software Integrity Group offers a broad portfolio of software security services and application security tools that help development teams identify and remediate security weaknesses and vulnerabilities throughout the application life cycle. Organizations can use Synopsys’ industry- leading application security tools themselves or supplement their security and development resources with Synopsys’ managed services or security program consulting.

The Synopsys architecture and design practice helps organizations identify missing or weak security controls, understand secure design best practices, and mitigate security flaws that increase the risk of a breach. Security services include security control design analysis, threat modeling, and architecture risk analysis. Synopsys also offers a Malicious Code Detection (MCD) service as well as security programs (e.g., Building Security In Maturity Model [BSIMM] and maturity action plan [MAP]) that enable organizations to define, build, and manage their own software security initiatives (SSIs).

Synopsys provides continuous access to security testing experts with the skills, tools, and discipline needed to cost-effectively analyze any application, at any depth, at any time. Managed security testing services consist of penetration testing, dynamic application security testing, static application security testing, mobile application security testing, network penetration testing, red teaming, IoT and embedded software testing, and thick client testing.

A modern approach to DevSecOps: Orchestration and correlation solutions

Code Dx: a continuous single pane of glass view of your most critical security risks

Synopsys’ Code DX application security orchestration and correlation (ASOC) solution automatically aggregates, normalizes, correlates and deduplicates security results from over 85 tools to provide a single, central, and prioritized view of the highest severity security risks that exist across organizations’ software projects. Code Dx can automatically run Synopsys AppSec tools as well as third party tools (SAST, DAST, SCA, IAST, bug bounty, network vulnerability analysis, container security, and manual code review). Results are prioritized based on a set of customizable rules and machine intelligence, filtering out noise and false positives and surfacing the most critical issues that should be fixed first. Tickets are automatically opened in bug trackers such as Jira, and remediation guidance and training are provided to developers. All executed tests, issue remediation and history are tracked in a comprehensive system of record for audit purposes.

Intelligent Orchestration for development at the speed of DevOps

Synopsys’ Intelligent Orchestration solution enables teams to integrate application security analysis into their DevOps pipelines while maintaining development velocity. Intelligent Orchestration supports Synopsys AppSec tools (e.g., Coverity® SAST, Black Duck® SCA, Tinfoil™ DAST, and Seeker® IAST) as well as managed services (e.g., threat modeling, penetration testing) and third-party tools (e.g., AppSec, GRC, and dashboarding systems). It automatically performs the right security tests at the right time based on user-defined policies, risk profiles, and severity/context-specific code changes that are user-defined in advance. Risk-based vulnerability and weakness reporting ensures that developers need only remediate the most important issues they are assigned to address, all within the issue trackers, development tools, and notification channels that they normally use. Reminders to do manual testing such as threat modeling, manual code reviews, or penetration testing can also be automated based on policies. Developers can integrate security analysis and results seamlessly into their existing development tools and platforms. Application security testing (AST) analytics metrics help identify gaps so that heads of development can understand the effectiveness of their AST and DevSecOps implementation.

A complete suite of AppSec testing tools across the SDLC

Synopsys application security tools have been recognized as leaders in industry analyst reports, such as the Gartner Magic Quadrant for Application Security Testing, The Forrester Wave™: Static Application Security Testing (Q1 2021), and The Forrester Wave™: Software Composition Analysis (Q1 2021). Synopsys products and services help development and security teams build secure, high-quality software faster.

• Coverity SAST. Coverity helps developers find and fix security defects early in the SDLC, with support for 21 languages and over 70 frameworks and template engines. Coverity has security checkers that identify hardcoded credentials, sensitive-data leaks, and unencrypted and inadequate encryption to help ensure compliance with OWASP Top 10 (web and mobile), CWE Top 25, PCI DSS, and other standards, as well as checkers for all the newest data protection measures.
• Black Duck SCA. Black Duck helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers across their software supply chain. Black Duck Binary Analysis scans binaries and all associated files (e.g., HTML files, readme files), firmware and containers, and surfaces information leakage data such as forgotten developer credentials, AWS keys, IP addresses, and clear-text passwords.
• Seeker IAST. Seeker helps development, QA, and security teams automate application security testing and identifies vulnerability and weakness trends against compliance standards (e.g., OWASP Top 10, PCI DSS, CAPEC, and CWE/SANS Top 25). Seeker actively verifies that identified weaknesses and vulnerabilities are exploitable. It uses patented technology that can reduce false positives to near zero. And its unique sensitive-data tracking feature automatically detects when user-designated sensitive data is exposed in logs, databases, or files.
• Tinfoil Web Scanner. Tinfoil Web Scanner dynamically checks for over 70 classifications of weaknesses and vulnerabilities, including the OWASP Top 10. It analyzes all facets of your site, logging into any website, including SAML/SSO-authenticated sites. Its sensitive-data content checkers scan for credit card number disclosure, source code repository disclosure, private IP address disclosure, email address disclosure (if an email address is harvestable by bots), and Social Security number disclosure.
• Tinfoil API Scanner. Tinfoil API Scanner detects weaknesses and vulnerabilities in any RESTful API, commonly used in modern web-based applications and sites, including mobile and IoT-connected apps. Tinfoil API Scanner also supports GraphQL APIs, scanning for GraphQL-specific vulnerabilities. It provides specific focus on the context of API authentication and more. Unlike other tools that serve more as a defensive protection mechanism, Tinfoil API Scanner allows you to perform proactive and intelligent fuzzing of your APIs.

Learn more about Synopsys’ Software Integrity Group solutions

Request a demo