Seeker IAST won a Gold International Stevie Award for DevOps Solution, and our Polaris platform won for Software Development Solution.
The Stevies just keep on coming.
The Synopsys Software Integrity Group added two more Stevie® Awards this past week—these from the 2019 International Business Awards—to the two we received in May from the 2019 American Business Awards.
In the International Business Awards last week, our Polaris Software Integrity Platform™ was named a gold winner in the Software Development Solution category, and Seeker®, our interactive application security testing (IAST) solution, won a gold in the DevOps Solution category.
In the American Business Awards competition in May, Seeker won a silver, and Black Duck® OpsSight, which provides automatic open source vulnerability detection for container deployments, won a bronze. Both awards were in the DevOps Solution category.
The Stevie Awards are named for the Greek word meaning “crowned.” The International Business Awards ceremony will take place in Vienna on Oct. 19.
Integrating a whole portfolio of AppSec tools and services
The Polaris platform, launched this past February, brings multiple Synopsys Software Integrity products and services together into an integrated solution.
The cloud-based platform is designed to simplify and enable comprehensive application security from developer to deployment through the combination of the Code Sight™ IDE plugin and a central analysis server.
Among the tools integrated within the platform are Coverity® static analysis, Seeker, and Black Duck® software composition analysis, which helps developers track and manage both vulnerabilities and potential licensing conflicts in open source code.
Andreas Kuehlmann, general manager of the Synopsys Software Integrity Group, said a core element of the Polaris central server is Code Sight, which integrates into a developer’s coding workflow.
“The moment you save the file in the IDE, Coverity kicks off in the background and populates your screen with anything it finds,” he said. “So developers can fix the majority of the defects earlier in the process when they are coding.”
The International Stevie Awards judges were full of compliments for Polaris. One called it an “impressive platform to secure software from development to deployment.”
Another was “really impressed that [the] solution empowered developers to find and fix security weaknesses and vulnerabilities in the code as they write it.”
And a third called the Polaris nomination a “great entry about the company growth and successful business consistency over time of actionable values, both internally and externally, which truly measures the integrity of an organization’s values.”
Ravi Iyer, senior director of product management at Synopsys, said in addition to bringing multiple tools together in one platform, Polaris helps software development teams to manage risk.
He said one customer, who has to oversee about 400 applications, uses Polaris to set priorities. “There is no way to maintain any granular level with the problems of each of them,” he said. But the Polaris reporting and dashboard mechanism allows a CISO to judge which vulnerabilities in which applications are mission critical, and which pose less risk.
“It helps you make decisions that are healthy for the organization,” he said.
Closing the gap between traditional testing and modern applications
Seeker IAST is designed to integrate seamlessly into CI/CD workflows. The solution closes a gap left by traditional static and dynamic security testing tools in the software development life cycle (SDLC), especially for teams adopting CI/CD and DevOps.
Anyone involved in the endless cat-and-mouse game between hackers and those trying to defend their organizations against cyber attacks knows that any undetected application security gap tips the balance in the wrong direction.
The International Stevie Awards judges were as effusive about Seeker as they were about Polaris. One called it “a scalable solution at a reasonable price. High ratings show customers love the product. Good demo, presentations and media coverage.”
Kimm Yeo, senior product marketing manager at Synopsys, said that among the advantages of using Seeker is “the speed, accuracy, and scalability it brings to large enterprises with complex environments with hundreds of apps to secure and manage. Seeker integrates seamlessly in today’s modern but complex software ecosystem and complements both manual, functional test automation and CI/CD efforts.”
Asma Zubair, senior product management manager at Synopsys, added that many customers and prospects “have DevSecOps on their radar. They are aware of the need and are looking for solutions that integrate security testing in DevOps.”
She said Seeker practically eliminates false positives. “Sometimes real positives get lost and not acted on, just because of high false positives,” she said.
“IAST addresses that problem with automated, active verification. I have seen firsthand Seeker find critical vulnerabilities in applications that were being tested with traditional tools. Real vulnerabilities were either not reported, or they got lost in the loads of false positives.”
Noting Seeker’s capabilities as a tool for both security and development teams, one American Stevie Awards judge commented: “I am a big fan of any tool that [makes] software engineers’ jobs easier. This tool sits at the intersection between developer, release and security teams.”
Securing your container deployments
Black Duck OpsSight is a part of our software composition analysis (SCA) solutions. Designed for the “Ops” portion of DevOps, it helps prevent known open source vulnerabilities from being deployed into production environments.
In particular, it helps organizations secure the development and delivery of software applications in containers by:
- Automatically scanning and inventorying all open source in container images prior to deployment
- Identifying and highlighting any images that contain open source components with known vulnerabilities
- Flagging container images that violate open source security and use policies
- Sending automated alerts for any newly disclosed vulnerabilities that may affect container images currently in use
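The four bullets above describe one pipeline: inventory every layer of an image, match the inventory against a vulnerability feed, apply a policy, and re-check running images when the feed changes. The following Python is an added illustration of that pipeline written for this page; it is not OpsSight or any Synopsys code, and the image manifest, package names, advisory identifiers (placeholders, not real CVEs), licenses and policy are all constructed sample data. It goes slightly beyond the list by showing both sides of the workflow: the pre-deployment admission gate and the later re-scan that alerts only on advisories that were not known at deployment time.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Package:
    name: str
    version: str
    license: str
    layer: str          # image layer that introduced the package (base OS, app, ...)

@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # constructed placeholder ids, not real CVE numbers
    package: str
    fixed_in: str       # first version that carries the fix
    severity: str       # LOW / MEDIUM / HIGH / CRITICAL

@dataclass(frozen=True)
class Finding:
    package: Package
    advisory: Advisory

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; a real SCA tool needs ecosystem-specific rules."""
    return tuple(int(p) for p in v.split("."))

# --- constructed sample data: not taken from any real image, feed or product ---
SAMPLE_IMAGE = {
    "name": "shop/checkout:1.4.2",
    "layers": {
        "base-os": [Package("libexample", "1.1.1", "Apache-2.0", "base-os"),
                    Package("zcompress", "2.0.5", "MIT", "base-os")],
        "app":     [Package("jsonparse", "3.2.0", "MIT", "app"),
                    Package("reportgen", "0.9.1", "AGPL-3.0", "app")],
    },
}

FEED_V1 = [
    Advisory("ADV-0001", "libexample", "1.1.2", "CRITICAL"),
    Advisory("ADV-0002", "jsonparse", "3.1.0", "HIGH"),    # already fixed in 3.2.0
]
FEED_V2 = FEED_V1 + [
    Advisory("ADV-0003", "zcompress", "2.0.6", "MEDIUM"),  # disclosed after deployment
]

POLICY = {
    "block_severities": {"HIGH", "CRITICAL"},
    "denied_licenses": {"AGPL-3.0"},
}

def inventory(image: dict) -> List[Package]:
    """Step 1: flatten every layer, base OS included, into one package inventory."""
    return [pkg for layer in image["layers"].values() for pkg in layer]

def find_vulnerabilities(packages: List[Package], feed: List[Advisory]) -> List[Finding]:
    """Step 2: a package is affected when its version precedes the fixed version."""
    return [Finding(p, a) for p in packages for a in feed
            if a.package == p.name and parse_version(p.version) < parse_version(a.fixed_in)]

def policy_violations(packages: List[Package], findings: List[Finding], policy: dict) -> List[str]:
    """Step 3: reduce findings and license data to the violations the policy cares about."""
    out = [f"{f.advisory.advisory_id} ({f.advisory.severity}) in "
           f"{f.package.name} {f.package.version} [{f.package.layer}]"
           for f in findings if f.advisory.severity in policy["block_severities"]]
    out += [f"license {p.license} denied for {p.name} [{p.layer}]"
            for p in packages if p.license in policy["denied_licenses"]]
    return out

def admission_decision(image: dict, feed: List[Advisory], policy: dict) -> Tuple[bool, List[str]]:
    """Pre-deployment gate: admit the image only when no policy violation exists."""
    pkgs = inventory(image)
    violations = policy_violations(pkgs, find_vulnerabilities(pkgs, feed), policy)
    return (len(violations) == 0, violations)

def new_alerts(image: dict, old_feed: List[Advisory], new_feed: List[Advisory]) -> List[str]:
    """Step 4: re-match a running image against an updated feed; alert only on new hits."""
    pkgs = inventory(image)
    known = {f.advisory.advisory_id for f in find_vulnerabilities(pkgs, old_feed)}
    return [f"{f.advisory.advisory_id} now affects {f.package.name} {f.package.version} in {image['name']}"
            for f in find_vulnerabilities(pkgs, new_feed)
            if f.advisory.advisory_id not in known]

if __name__ == "__main__":
    allowed, problems = admission_decision(SAMPLE_IMAGE, FEED_V1, POLICY)
    print("admit" if allowed else "block", problems)
    for alert in new_alerts(SAMPLE_IMAGE, FEED_V1, FEED_V2):
        print("ALERT:", alert)
```

Two design points worth noting: the inventory deliberately walks every layer rather than only the application layer, because the base OS layer is where the critical finding in the sample lives, and the re-scan compares against the advisories known at the previous scan so that an operator is paged only for genuinely new disclosures rather than for the whole backlog on every feed update.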
As one American Stevie Awards judge put it, “Open source security vulnerabilities are legendary; Black Duck OpsSight is their adversary.” Another called it a “useful and value-additive product in the world of containers.”
Neal Goldman, senior product management manager at Synopsys, said the award “validates what we’ve been saying about the importance of scanning all container layers for open source vulnerabilities—not just the code that the developers are writing.”
“People also need to scan containers for vulnerabilities that can be found in the operating systems and packages that get added to the container before it gets deployed,” he said.
“Likewise, it’s validating that it’s important to scan all your containers at run time, including those that you pull from other places like Docker Hub, so you capture all the vulnerabilities in your production systems, not just the ones that are coming from containers you created yourself.”
This post was originally published May 10, 2019, and updated Aug. 23, 2019.
This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/stevie-awards-2019-devops-software-development/