Synopsys announces security testing for open source and proprietary code
As part of the update to the Polaris Software Integrity platform, Synopsys extends the capabilities of its static application security testing (SAST) and software composition analysis (SCA) capabilities to the developer’s desktop through the native integration of the Code Sight integrated development environment (IDE) plug-in. The aim, says Synopsys is to enable developers to proactively find and fix security risks across third-party and custom components
The SAST and SCA capabilities, claimed to be the first of their kind, will enable developers to proactively find and fix both security weaknesses in proprietary code and known vulnerabilities in open source dependencies simultaneously, without leaving their IDE.
Simon King, vice president of solutions at the Synopsys Software Integrity Group, explained: “By providing real-time SAST and now SCA results together in the IDE, Synopsys enables developers to detect security defects in both their own code and the open source components they leverage – as they build their applications. Developers can fix problems in real time, avoiding the risks and loss of productivity when issues are allowed to go undetected for days, weeks, or even months after they’ve moved on to other tasks. With this release, the native integration of the Code Sight IDE plug-in enables developers to build secure, high-quality software faster.”
The Code Sight SAST capabilities were first introduced in 2019. This release builds on them and introduces the ability to analyse declared and transitive open source dependencies, flagging components with known security issues alongside SAST findings in the IDE.
With the new SCA capabilities, developers can review known vulnerabilities of flagged components to verify the risk and determine remediation options, without leaving the IDE.
The Code Sight plug-in provides vulnerability information from Black Duck Security Advisories (BDSAs), researched by Synopsys, as well as public CVE records from the National Vulnerability Database (NVD).
BDSAs provide developers with more timely, accurate, and thorough risk and remediation information than is available in the NVD, helping them find and fix vulnerabilities faster and more effectively, says Synopsys.
The Code Sight plug-in also helps developers quickly identify and select the best fix for vulnerabilities by providing detailed remediation guidance, directing them to more secure component versions. Developers can implement fixes immediately without interrupting their workflow or leaving the IDE.
The Code Sight plug-in also provides information developers can use to optimise component selection, including open source license risks and potential security and license compliance violations of the organization’s pre-defined open source policies.