During a recent webinar, Jonathan Knudsen presented: "That's Not How This Works: All Development Should Be Secure." Development teams are pressured to push new software out quickly. But with speed comes risk. Anyone can write software, but if you want to create software that is safe, secure, and robust, you need the right process. Webinar attendees will learn: • Why traditional approaches to software development usually end in tears and heartburn • How a structured approach to secure software development lowers risk for you and your customers • Why automation and security testing tools are key components in the implementation of a secure development life cycle For more information, please visit our website at www.synopsys.com/software-integrity.html

1. Utsav Sanghani, Senior Product Manager, Synopsys
Anna Chiang, Senior Product Marketing Manager, Synopsys
DevSecOps and Application Security Best Practices
Guide to Application Security: What to Look For and Why

2. © 2020 Synopsys, Inc. 2
Digital transformation of enterprises

3. © 2020 Synopsys, Inc. 3
Organizations are becoming software companies

4. © 2020 Synopsys, Inc. 4
The need for speed, time to market, business agility

5. © 2020 Synopsys, Inc. 5
Security is increasingly more important
of all cyber attacks happen
on the application layer.
84%
“When it comes to breaches, though,
web application security remains the
area of greatest risk.”*
* Kacy Zurkus, Web Application Security Poses Greatest Risk, Infosecurity, Feb. 19, 2019.

6. © 2020 Synopsys, Inc. 6
Ways to speed up software development
Sec

7. © 2020 Synopsys, Inc. 7
By 2021, DevSecOps practices will be
embedded in 60% of rapid development
teams, as opposed to 20% in 2019.*
* Neil MacDonald and Dale Gardner, 12 Things to Get Right for Successful DevSecOps,
Gartner, Dec. 19, 2019.
Sec
Higher
speed
Reduced
friction
Continuous
feedback
Lower
cost
$
Integrating security into DevOps: DevSecOps

8. © 2020 Synopsys, Inc. 8
Cloud computing is increasingly a vehicle for next-
generation digital business, as well as agile, scalable and
elastic solutions.*
Cloud computing: Accelerating change in business trajectory
* David Mitchell Smith, vice president and Gartner Fellow, in Kasey Panetta, Cloud Computing Enters Its Second Decade, Gartner, Jan. 30, 2017.
†
Frank Della Rosa, Worldwide Cloud 2019 Predictions, IDC, Nov. 27, 2018.
By 2021, more than half of global enterprises already using
cloud today will adopt an all-in cloud strategy.*
By 2021, 70% of new enterprise applications will be
developed cloud native.†

9. © 2020 Synopsys, Inc. 9
Enterprise development requirements
“Perfect and invulnerable applications are not possible; therefore, security and risk management
leaders must balance the need for security with development’s need for speed.”*
Development Security
* Neil MacDonald and Mark Horvath, Integrating Security Into the DevSecOps Toolchain, Gartner, Nov. 15, 2019.

10. © 2020 Synopsys, Inc. 10
Which security tools fit where in the SDLC
Pre-
Commit
Commit Build Test Deploy Production
IDE Tools / SCM
SAST
SCA
IAST
DAST

11. © 2020 Synopsys, Inc. 11
Best practices: Shift left
• Automated security testing can catch defects right on the developers’ desktops before they
ever check their code back in to the main codebase
• Waiting to catch things until later in the test phases is far more expensive

12. © 2020 Synopsys, Inc. 12
What to look for in an application security tool
Development tool integrations

13. © 2020 Synopsys, Inc. 13
What to look for in an AppSec SaaS platform
• Ease of use, speed,
accuracy
• Fast incremental analysis
• Security training and
remediation advice
• Consistent user experience
• Open source management
• Cross-correlation of results
• Integrations for
development environments,
tools, and cloud platforms
• Scalability
• Identification of high-risk
security vulnerabilities
• Ability to ensure policy
compliance
• Comprehensive reporting
Development DevOps Security

14. © 2020 Synopsys, Inc. 14
The Polaris Software Integrity Platform
Central Server
Build & Test Environment
Integrated Analysis Engines
Centralized
Management
Consolidated
Reporting
Alerting &
Workflow
CI/CD & DevOps
Integration
SaaS/Private Cloud
Deployment
Coverity Black Duck
Seeker
Defensics
Managed
Services
Code Sight
Developer Environment
Integrated Local +
Central Analysis
IDE Plugin
IntelliJ, Eclipse, Visual Studio
Context-Sensitive
eLearning
Coverity Black Duck
Seeker
Defensics
Managed
Services

15. © 2020 Synopsys, Inc. 15
Polaris Centralized Analysis
Gives security and engineering teams a comprehensive view of software security and
quality risks
z
Cloud ready
Integrated cross-product UX
Enterprise ready—SSO, RBAC
Fast, in-the-cloud analysis
Integrated cross-product reporting

16. © 2020 Synopsys, Inc. 16
Coverity on Polaris: Focus on the most important issues

17. © 2020 Synopsys, Inc. 17
Coverity on Polaris: Flexible reporting features
Filter and group by section of source code Focus on OWASP Top 10 2017

18. © 2020 Synopsys, Inc. 18
Coverity on Polaris: Issue details and triage options
Code snippet
with call
graph
Issue triage &
audit log
Severity type
& tool type

19. © 2020 Synopsys, Inc. 19
Single view of overall risk: Coverity, Black Duck, Seeker, MSP
• Out-of-the-box OWASP Top 10 2017, 2013 reports
• Risk assessment score of 0–100 across all products

20. © 2020 Synopsys, Inc. 20
Web
Browser
Polaris
Reporting
Agents
Polaris
CLI
3rd Party
API client
TLS/HTTPS
Code
Sight
Polaris deployment models
Flexibility in how Polaris components are deployed
Reporting
Services
Analysis Engines
GCS
Storage
CloudSQL
Database
Core Platform Services
Common
Object
Taxonomy
Service
Triage &
Query
Issue
Service
Tool Domain Services
Coverity Black Duck
Kubernetes
Seeker Defensics
API / Ingress
Control
Synopsys’ Google Cloud
Reporting
Services
Analysis Engines
K8S PVC
Storage
Postgres
Database
Core Platform Services
Common
Object
Taxonomy
Service
Triage &
Query
Issue
Service
Tool Domain Services
Coverity Black Duck
Kubernetes
Seeker Defensics
API / Ingress
Control
Customer Hosted
SaaS model
– Synopsys hosted
– Get up and running quickly
– Always use the latest version
Customer hosted
– Deploy on your own Kubernetes-
based systems
– Provision resources to your needs
– Load balance based on your needs

21. © 2020 Synopsys, Inc. 21
Polaris Code Sight IDE-based analysis for Coverity
Helps developers find and fix security and quality flaws as they code without leaving the IDE
Support for all MAJOR IDEs
Fast, just-in-time analysis on the desktop
Context-sensitive guidance and education
Native to the IDE & developer-friendly interface

22. © 2020 Synopsys, Inc. 22
Coverity with Code Sight
Fast, accurate, automated best-in-class analysis
• Just-in-time high-fidelity incremental analysis
serves up analysis results in seconds
• Runs automatically in the background and
regularly syncs with full baseline analysis
• Uses the same comprehensive
Coverity engine as full baseline analysis
does, for consistent, accurate results

23. © 2020 Synopsys, Inc. 23
Coverity with Code Sight
Crisp issues view
Prioritized vulnerabilities
by category
Dataflow view: main
and supporting events
Triage and dismiss
vulnerabilities
Link to CWE
description

24. © 2020 Synopsys, Inc. 24
Coverity with Code Sight
Integrated with eLearning
for contextual learning
courses

25. © 2020 Synopsys, Inc. 25
Course outline page
• Bite-sized chunks
• Animated walk-throughs
• Case studies of real-world exploits
• All types of learning content: video,
code snippets, etc.
• Knowledge checks at the end of each
lesson
• Assessment section at the end of the
course; pass with 80% or higher to
complete the course

26. © 2020 Synopsys, Inc. 26

27. © 2020 Synopsys, Inc. 27
Polaris platform integrations support

28. © 2020 Synopsys, Inc. 28
How Synopsys products fit into the SDLC

29. © 2020 Synopsys, Inc. 29
What is Black Duck Radar?
• Native Chrome browser plugin to help identify
FOSS components before they are downloaded
• Allows you to shift further left than the IDE
• Supports multiple repositories, such as Maven Central,
NPM, RubyGems, NuGet, PyPI, CocoaPods
• Shows security vulnerabilities and potential
policy violations

30. © 2020 Synopsys, Inc. 30
Synopsys Software Integrity Group
• Synopsys continues to invest heavily in Software Integrity tools and services
• Coverity SAST
– Find and fix security and quality defects as you code
• Black Duck SCA
– Secure and manage open source in apps and containers
• Seeker IAST
– Automate security and data protection testing in CI pipelines
• Defensics Fuzzing
– Detect protocol vulnerabilities in IoT and embedded devices
• Security Testing, Training, and Consulting Services
– Scale your AppSec programs with on-demand expertise
Best-in-class AppSec tools and services (Forrester Wave for SAST and SCA, Gartner
Magic Quadrant)

31. © 2020 Synopsys, Inc. 31
DevSecOps and AppSec best practices
• Shift left with security testing
• Security tools need to:
– Seamlessly integrate with existing development tools / DevOps workflows for CI/CD
– Meet the needs of development, DevOps, and security teams
– Offer a broad portfolio of testing tools and services (SAST, SCA, IAST, DAST) for each stage of SDLC
– Provide a central view of critical vulnerabilities in a scalable cloud platform
• Completely invulnerable apps aren’t possible
• Companies need to be able to quickly identify the highest risks to their organizations and
balance security needs with business agility
Key takeaways to ensure high-quality and secure apps

32. Thank You