Defending against the cyber pandemic demands holistic security and intelligent DevSecOps

Learn how Synopsys AppSec tools and services can help your organization deliver a holistic security approach to address rising cyber threats.

Not only has the number of cyber attacks increased dramatically in 2020, but the ingenuity and scale of the attacks has also jumped way off the charts. The SolarWinds attack was “the largest and most sophisticated attack the world has ever seen” with the number of software engineers working on these attacks estimated to be over 1,000. Taking a holistic systems security approach and applying secure DevSecOps best practices to the entire software development life cycle is now more important than ever before. By leveraging automated intelligent AppSec tools and managed services that can securely accelerate security testing in CI/CD pipelines as well as AppSec correlation tools that pinpoint real critical security vulnerabilities above the noise of false positives, organizations can better defend themselves against cyber attacks. 

A holistic systems security engineering approach

According to Ron Ross, a NIST fellow, adversaries are becoming more clever and stealthy. After breaching an initial perimeter, they will try to establish a presence in a system, steal credentials, escalate privileges, move laterally across the system, and then attack other systems. An example of this is the recent SolarWinds software supply chain attack, in which it is believed that attackers lurked in the company’s Office 365 email system for months before compromising their broader Office 365 environment, and later other systems.

In a video interview, Ross said, “The adversary has the advantage; they live in the cracks. We have an Achilles’ heel that we’re building into these new technologies. And this is why I think working in a DevSecOps approach [is useful]. You’re looking at agile and DevOps-type processes, you’re looking at security across the entire life cycle. And you’re working with software engineers, so they can work out some of those bugs and weaknesses and deficiencies early in the process, so they don’t become vulnerabilities when they get delivered to you. How can we apply those fundamental security design concepts and principles from NIST 800-160 to the DevSecOps process or agile development…to create lean system security engineering?”

These adversaries look at systems differently than organizations that have a single-dimensional strategy of protecting systems (e.g., implement necessary security controls and frameworks, then wait and do scanning, monitoring, and detection—defend at the perimeter). Adversaries look at it as a system of systems ecosystem—interconnected systems that interact with each other within an organization, and that connects with external systems as well. Ross points out that our definition of a system is broadening to include the supply chain. He advocates for our strategy and tactics to become multidimensional and include systems architecture, systems engineering, and security engineering teams working together from the beginning to define and build more secure systems. These teams need to understand the systems components, how they are put together, how much protection each component has, the information flow between components, how the components interact, where the single points of failure are, the interactions with the supply chain, the automatic updates or patches, and what would happen if there was malicious code in those updates.

Synopsys can help organizations better protect their sensitive data

As cyber attacks become more advanced, security tools and services also need to rapidly innovate to keep up. Synopsys Software Integrity Group offers a broad portfolio of software security services and application security tools that help security and development teams identify and remediate security weaknesses and vulnerabilities. Organizations can use Synopsys’ industry-leading application security tools themselves or supplement their security and development resources with Synopsys’ managed services or security program consulting.

Software security services and programs

The Synopsys architecture and design practice helps organizations identify missing or weak security controls, understand secure design best practices, and mitigate security flaws that increase the risk of a breach. Security services include security control design analysis, threat modeling, and architecture risk analysis. In addition, Synopsys also offers a malicious code detection (MCD) service as well as security programs (e.g., Building Security In Maturity Model [BSIMM] and maturity action plan [MAP]) that enable organizations to define, build, and manage their own software security initiatives (SSIs).

Synopsys provides continuous access to security testing experts with the skills, tools, and discipline needed to cost-effectively analyze any application, at any depth, at any time. Managed security testing services consist of penetration testing, dynamic application security testing, static application security testing, mobile application security testing, network penetration testing, red teaming, IoT and embedded software testing, and thick client testing.

Intelligent Orchestration for development at the speed of DevOps

Synopsys’ Intelligent Orchestration solution enables teams to integrate application security analysis into their DevOps pipelines while maintaining development velocity. Intelligent Orchestration supports Synopsys AppSec tools (e.g., Coverity® SAST, Black Duck® SCA, Tinfoil™ DAST, and Seeker® IAST) as well as managed services (e.g., threat modeling, penetration testing) and third-party tools (e.g., AppSec, GRC, and dashboarding systems). It automatically performs the right security tests at the right time based on user-defined policies, risk profiles, and severity/context-specific code changes that are user-defined in advance. Risk-based vulnerability and weakness reporting ensures that developers need only remediate the most important issues they are assigned to address, all within the issue trackers, development tools, and notification channels that they normally use. Reminders to do manual testing such as threat modeling, manual code reviews, or penetration testing can also be automated based on policies. Developers can integrate security analysis and results seamlessly into their existing development tools and platforms. Application security testing (AST) analytics metrics help identify gaps so that heads of development can understand the effectiveness of their AST and DevSecOps implementation.

Code Dx: a continuous single pane of glass view of your most critical security risks

Synopsys’ Code DX application security orchestration and correlation (ASOC) solution automatically aggregates, normalizes, correlates and deduplicates security results from over 85 tools to provide a single, central, and prioritized view of the highest severity security risks that exist across organizations’ software projects. Code Dx can automatically run Synopsys AppSec tools as well as third party tools (SAST, DAST, SCA, IAST, bug bounty, network vulnerability analysis, container security, and manual code review). Results are prioritized based on a set of customizable rules and machine intelligence, filtering out noise and false positives and surfacing the most critical issues that should be fixed first. Tickets are automatically opened in bug trackers such as Jira, and remediation guidance and training are provided to developers. All executed tests, issue remediation and history are tracked in a comprehensive system of record for audit purposes.