www.synopsys.com
104.111.217.93
Public Scan
Submitted URL: http://app.go2.synopsys.com/e/er?s=1061282284&lid=3981&elqTrackId=319032884BC54603D45EFF7FB87A51A5&elq=9c6ec502ef0a4eeaa6633...
Effective URL: https://www.synopsys.com/blogs/software-security/appsec-scalability-with-asoc-tools/?cmp=em-sig-eloqua&utm_medium=email&u...
Submission: On November 17 via api from SE — Scanned from DE
Form analysis
4 forms found in the DOM
https://search.synopsys.com/
<form id="searchBox" action="https://search.synopsys.com/">
<input id="idSearch" name="q" type="search" class="search-Box ui-autocomplete-input" placeholder="Search for products and solutions" autocomplete="off" role="textbox" aria-autocomplete="list" aria-haspopup="true">
<button class="close-icon" type="reset"></button>
</form>
GET https://www.synopsys.com/blogs/software-security/
<form role="search" method="get" class="search-form" action="https://www.synopsys.com/blogs/software-security/">
<input type="search" class="search-Box" placeholder="Search Blogs..." value="" name="s" style="border:1px solid #EFEFEF;">
<button type="submit" class="search-submit">Search</button>
</form>
GET https://www.synopsys.com/blogs/software-security/
<form role="search" method="get" class="search-form" action="https://www.synopsys.com/blogs/software-security/">
<input type="search" class="search-Box" placeholder="Search Blogs..." value="" name="s" style="border:1px solid #EFEFEF;">
<button type="submit" class="search-submit">Search</button>
</form>
Name: SIG-ShortForm — POST https://s1061282284.t.eloqua.com/e/f2
<form method="post" name="SIG-ShortForm" action="https://s1061282284.t.eloqua.com/e/f2" onsubmit="return handleFormSubmit(this)" id="form96" class="elq-form" target="hiddenFrame">
<input value="SIG-ShortForm" type="hidden" name="elqFormName">
<input value="1061282284" type="hidden" name="elqSiteId">
<input name="elqCampaignId" type="hidden">
<div id="formElement0" class="sc-view form-design-field sc-static-layout item-padding sc-regular-size">
<div class="field-wrapper">
</div>
<div class="individual field-wrapper">
<div class="_100 field-style">
<p class="field-p">
<input id="field0" name="emailAddress" type="text" class="field-size-top-large" placeholder="email" onfocus="this.placeholder = ''" onblur="this.placeholder = 'email'">
</p>
<span class="LV_valid2">Thanks for subscribing to the Synopsys Integrity Group blog. You’ll receive your welcome email shortly. In the meantime, please enjoy a complimentary copy of the
<a href="https://www.gartner.com/reprints/?id=1-27EFD5AY&ct=210909&st=sb" target="_blank" rel="noopener noreferrer">2021 Gartner Magic Quadrant for Application Security Testing.</a></span>
</div>
</div>
</div>
<div id="formElement101" class="sc-view form-design-field sc-static-layout item-padding sc-regular-size">
<div class="field-wrapper">
</div>
<div class="individual field-wrapper">
<div class="_100 field-style">
<p class="field-p">
<input type="submit" value="Get newsletter" class="submit-button newsletterSubscription">
</p>
</div>
</div>
</div>
</form>
Text Content
ASOC SERIES PART 2: HOW TO SCALE APPSEC WITH APPLICATION SECURITY AUTOMATION
Posted by Synopsys Editorial Team on Thursday, September 9, 2021

Learn how ASOC tools make scaling possible through application security automation and orchestration.

In part one of our series on application security orchestration and correlation (ASOC), we looked at how this new application security trend improves DevSecOps efficiency. We will now focus on the typical challenges AppSec teams face due to today’s rapid development cycles, and how ASOC tools can solve these challenges with automation and scalability.

THE PROBLEM: APPSEC CAN’T KEEP UP WITH DEVOPS

Application security teams have often struggled to keep up with the rapid code releases produced by DevOps teams. Testing inevitably falls behind as development speeds up. It’s difficult to go back through the application code and remediate every possible issue later in the development cycle.
Reviewing and fixing vulnerabilities in code that may have been written six months before isn’t easy, and developers typically don’t want to touch code that works just because there may be a security risk. The result is that insecure software is often released, which increases the risk of a breach. The solution isn’t to slow down development so security can catch up; instead, successful application development demands synchronization between speed and security, with both getting the constant and equal attention they deserve.

The harmonization of speed and security is the reason behind the shift to DevSecOps. Many companies are in the process of making this shift. A recent report from Gartner uncovered several key data points that demonstrate the acceleration in the transition toward this application security best practice:

* 90% of software development projects will claim to be following a DevSecOps model by 2022, compared to just 40% in 2019
* 70% of DevSecOps initiatives will incorporate automated security vulnerability and configuration scanning by 2023, compared to just 30% in 2019
* 60% of rapid development teams will have embedded DevSecOps practices by 2021, compared to 20% in 2019

These plans are promising, but a true DevSecOps approach that fully integrates security into the design and development process can be challenging for many organizations. Comprehensive application security testing is time consuming and resource intensive. Analysts must assess vulnerabilities across all attack surfaces, including custom code, third-party components, and the network where the software application will reside.
AppSec teams need to run a variety of tools, including:

* Static application security testing (SAST) tools
* Dynamic application security testing (DAST) tools
* Interactive application security testing (IAST) tools
* Software composition analysis (SCA) tools
* Threat modeling tools

In addition to running the tools listed above, AppSec teams also use methods such as:

* Penetration testing
* Manual code review
* Network vulnerability analysis
* Bug bounties

These tools and reviews usually run at different times and frequencies, depending on where a given project is in the software development life cycle (SDLC). Many AppSec tools are complicated to configure and run. Onboarding and maintenance take time, and AppSec teams are encouraged to run multiple tools in the same category, such as multiple SAST tools and DAST tools. One software development project may require dozens of tools over the course of the SDLC, and each one has its own user interface (not to mention peculiarities). Oftentimes, the same tools are used on multiple projects, requiring multiple configurations.

Tools that don’t integrate with each other give inconsistent results, with reports in different formats. It can take weeks (or longer) to identify false positives and to correlate and prioritize results. Additionally, many enterprises manage more than one build server. There may be hundreds of Jenkins servers, for example, in addition to multiple instances of TeamCity, Azure, and other services. It’s just not possible to bake application security into each one of these systems without orchestration.

Compounding the issue is a low ratio of security team members to developers. Developers outnumber security team members at a ratio of 100:1. When you consider how quickly each developer works, security doesn’t have much of a chance to identify and remediate all the potential vulnerabilities. It’s no wonder AppSec can’t keep up with development teams and track vulnerabilities efficiently.
THE SOLUTION: APPLICATION SECURITY AUTOMATION AND ORCHESTRATION WITH ASOC

Organizations need a way to centralize and harmonize AppSec testing across all development pipelines into a scalable, repeatable, and automated process. This allows security to move at the speed of DevOps and stop clogging the development pipeline. ASOC is the solution that makes automation and scalability possible. Since we already provided a close look at ASOC in the first post in our series, we will focus here only on the aspects that enable scalability.

ORCHESTRATION

Orchestration increases the speed of AppSec testing and ensures all the appropriate tests are run. Orchestration automates scanning processes to ensure specific tools are always run at specific intervals across multiple build servers. An ASOC tool analyzes the source code to identify the languages used, then automatically determines the appropriate AppSec tools to run for a particular application. This creates a consistent and standardized process regardless of how many different development teams are working on various projects.

Tool orchestration enables a standardized, automated process for AppSec testing, which makes it easier to onboard new applications into the security pipeline. It also reduces the time needed to install, configure, and update AppSec testing tools. In other words, orchestration lets AppSec teams scale up their testing activities as needed.

CORRELATION AND DEDUPLICATION

ASOC tools automatically run, collect, and correlate results from every type of AppSec tool and testing method, including manual reviews, bug bounties, source code analyzers, automated and manual pen tests, software composition analyzers, and network vulnerability assessors. This reduces the number of results AppSec teams need to review.

PRIORITIZATION

Smart automation allows the AppSec team to use previous raw results and remediation activity to select an optimal mix of security testing tools for each application.
The rule set for each AppSec tool can be optimized for each development pipeline based on the criticality of the application, regulatory compliance requirements, and overall organizational capabilities.

Code Dx Triage Assistant is an ASOC tool that further improves the automation process. A machine-learning classifier learns which issues and vulnerabilities to act on based on prior decisions. Triage Assistant is tailored specifically to each individual organization and reduces the number of false positives, noise, or less-important results security team members must sort through. Every 240 findings automatically categorized saves your organization the equivalent of one week’s time from a full-time employee.

INTEGRATION AND CENTRALIZED MANAGEMENT

ASOC tools provide full integration with DevOps, fitting seamlessly into the continuous integration/continuous delivery (CI/CD) pipeline. Integration with issue tracking tools such as Jira allows developers to work on remediation within their preferred work environment. Developers can get immediate feedback on security-related issues within the tools and environments they are already working in.

An ASOC tool lets your AppSec team manage the passing of sensitive information such as tool credentials and application logins. It also monitors tool failures and ensures tools are properly configured and up to date. ASOC allows the AppSec team to report and audit all three attack surfaces (custom code, third-party components, and the network) in a centralized system.

DevOps isn’t going to slow down, but ASOC tools make it possible for security to scale the AppSec process and move quickly without letting issues slip by undetected or unaddressed. Stay tuned for the final piece in our ASOC series, in which we will take a closer look at how ASOC improves the accountability of the AppSec process.
This post is filed under Managing security risks.