Twenty years ago, software developers wrote most of their own code, maybe bringing in a few open-source libraries. Today, the situation is much different. Application developers use code from a variety of sources, and it's increasingly important to be able to protect the security and integrity of that code.
Synopsys has announced a major upgrade to its Polaris Software Integrity Platform designed to address that issue. It gives developers access to static application security testing (SAST) and software composition analysis (SCA) via the Code Sight IDE plug-in. SCA has become more and more important to code developers as they incorporate more open source code into their software.
Traditionally, developers use separate SAST, SCA and other app testing tools, but as open source has grown and software developers have embraced it, integrating these app testing tools makes sense, said Sandy Carielli, a principal analyst at Forrester Research.
"Ultimately it comes down to helping the developer quickly assess the security risk of their application, and being able to provide a unified view can be highly valuable," she said. "If developers have to use a bunch of tools outside of their standard lifecycle, it slows them down, and frankly, they aren't going to use them. It's critical that the security tooling allows them to respond to and fix vulnerabilities quickly."
By adding the Code Sight integrated development environment (IDE) plug-in to the platform, developers will be able to find vulnerabilities more quickly and choose the best fix for them. The plug-in provides detailed remediation guidance, directing developers to more secure component versions. Developers also can implement fixes all at once without interrupting their workflow by leaving the IDE.
This helps address the problem of finding defects and vulnerabilities late in the development process. When that happened, developers had to take time out of their coding to fix and retest the code. They also had to leave their primary tool, the IDE, to analyze the issue and determine potential fixes.
"Developers are incented to put out code and deliver product quickly and efficiently, so they need application security tooling that aligns with the speed of development and integrates into their existing pipeline in a natural way so that they can identify issues and remediate them without introducing a lot of friction into their development process," Carielli said.
The new Code Sight IDE plug-in provides vulnerability information from Black Duck Security Advisories (BDSAs), independently researched by Synopsys, as well as public CVE records from the National Vulnerability Database (NVD).
In addition to vulnerability information, the Code Sight plug-in provides other information that developers can use to optimize component selection, including open-source license risks and potential security and license compliance violations of the organization’s predefined open-source policies.
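To make concrete what an SCA check of the kind described above does (match pinned components against an advisory feed, recommend a fixed version, and flag licenses outside an organization's policy), here is an added illustration in Python. It is not Synopsys, Polaris or Code Sight code; the manifest format, the advisory entries, the license metadata and the allowed-license list are all constructed for the example and are not real BDSA or NVD records.

```python
"""Minimal software composition analysis (SCA) policy check.

Added example, not the Synopsys Polaris / Code Sight implementation.
All advisory, license and manifest data below is constructed for
illustration; none of it refers to real components, CVEs or BDSAs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str
    affected: tuple   # versions known to be vulnerable (constructed)
    fixed_in: str     # first version without the issue (constructed)
    severity: str


@dataclass
class Finding:
    component: str
    version: str
    kind: str          # "vulnerability" or "license"
    detail: str
    recommendation: str


# Constructed advisory feed (placeholder component names, no real ids).
ADVISORIES = [
    Advisory("jsonlib", ("1.0.0", "1.1.0"), "1.2.0", "high"),
    Advisory("netkit", ("2.3.1",), "2.3.2", "medium"),
]

# Constructed organizational policy: licenses permitted in this codebase.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed license metadata that an SCA tool would resolve per component.
COMPONENT_LICENSES = {
    ("jsonlib", "1.0.0"): "MIT",
    ("jsonlib", "1.2.0"): "MIT",
    ("netkit", "2.3.1"): "Apache-2.0",
    ("loglib", "0.9.0"): "GPL-3.0-only",
}


def parse_manifest(text):
    """Parse 'name==version' lines (a constructed requirements-style format).

    Unpinned dependencies are rejected: without an exact version the tool
    cannot say whether an advisory applies.
    """
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps.append((name.strip(), version.strip()))
    return deps


def analyze(manifest_text, advisories=ADVISORIES,
            allowed=ALLOWED_LICENSES, licenses=COMPONENT_LICENSES):
    """Return vulnerability and license findings for every pinned component."""
    findings = []
    for name, version in parse_manifest(manifest_text):
        # Vulnerability check: exact-version match against the advisory feed,
        # with the remediation pointing at the first fixed version.
        for adv in advisories:
            if adv.component == name and version in adv.affected:
                findings.append(Finding(
                    name, version, "vulnerability",
                    f"{adv.severity} severity advisory",
                    f"upgrade to {adv.fixed_in}"))
        # License check: an unknown license is treated as a policy violation,
        # since the organization has not explicitly approved it.
        lic = licenses.get((name, version), "UNKNOWN")
        if lic not in allowed:
            findings.append(Finding(
                name, version, "license",
                f"license {lic} not in allowed list",
                "replace component or request a policy exception"))
    return findings


# Constructed sample manifest: two vulnerable pins and one disallowed license.
SAMPLE_MANIFEST = """
jsonlib==1.0.0   # affected by a constructed advisory
netkit==2.3.1    # affected by a constructed advisory
loglib==0.9.0    # license outside the constructed policy
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_MANIFEST):
        print(f"{f.kind:13} {f.component}=={f.version}: {f.detail} -> {f.recommendation}")
```

Running the block prints one line per finding; in a real pipeline the same result set is what an IDE plug-in would surface inline, with the `recommendation` field driving the "move to a more secure component version" guidance the article describes.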