If you haven’t been programming since fixing Y2K was the problem of the day, you may not know just how much trouble we’ve been in with supply chain software security holes and attacks. Still not sure what I mean, go read up on the Solarwinds security fiasco. I’ll wait. Get the picture? So when Synopsys announced it released new Rapid Scan capabilities within its Coverity static application security testing (SAST) and Black Duck software composition analysis (SCA) solutions, this is a big deal.
What Rapid Scan brings to your developer desk is faster, lightweight vulnerability detection for both your proprietary and open-source code. In particular, Rapid Scan is optimized for the early stages of development, when it’s still easy to catch bugs before they’ve become embedded in your programs. Synopsys also states that Rapid Scan is particularly good for cloud native applications and infrastructure-as-code (IaC).
Sure, we know that comprehensive, thorough security testing is critical to managing risk in the later stages of the software development lifecycle (SDLC). But, let’s get real. How many of us actually do that as consistently as we should? Better is, as Shuah Khan, Linux Fellow a senior Linux kernel maintainer, observed, “It is easier to detect and fix problems early during the development process.”
That’s where Rapid Scan comes in. It complements conventional application security testing activities by enabling development teams to perform fast SAST and SCA scans at every code check-in or early-stage build without slowing them down. This enables developers to shift left efficiently and prevents security issues from propagating into the later stages of the SDLC. If you want continuous integration/continuous delivery (CI/CD), building testing into the development pipeline early on is a necessity.
As Jason Schmitt, Synopsys Software Integrity Group’s general manager put it, in a press release: “For organizations embracing DevSecOps, application security testing needs to follow suit. With Rapid Scan, Coverity and Black Duck users can run quick preventative scans to detect and eliminate surface-level vulnerabilities as their developers write and commit code, and they can use the same solutions to run deep scans later in the SDLC prior to deploying their applications.”
Sounds great, but what, specifically, are they talking about?
The new capabilities include:
In Coverity Rapid Scan SAST you get speedy security analysis of proprietary code at the developer’s desktop and in continuous integration (CI) pipelines such as GitLab and GitHub Actions. Coverity Rapid Scan is optimized for cloud native applications built on IaC frameworks such as Kubernetes, Terraform, and CloudFormation, and microservices such as GraphQL, Kafka, and Postman. Besides quickly detecting many common security weaknesses, it can also spot misconfiguration flaws and API foul-ups.
In Black Duck Rapid Scan, developers and managers can perform a faster than ever dependency analysis to see if any of their open source components violate your organization’s security and license policies before merging code into release branches. It does so by skipping resource-intensive SCA activities such as multifactor open source detection and generating a complete software bill of materials for later in the SDLC process.
Both the Coverity and Black Duck Rapid Scan capabilities can be used with Synopsys’ Intelligent Orchestration solution to automatically trigger fast SAST and SCA scans based on events in the continuous integration (CI) pipeline. Once more the goal is to do what’s needed at the early stages of development and testing while delaying full Coverity and Black Duck scans at later stages.
In short, the name of the game here is to balance agility and risk management. Sure, if you need to, you can run a full scan. But with Fast Scan, you can do just what you need to do to meet your schedule while protecting your code from security bugs and open source licensing problems. It sounds to me like a worthwhile compromise, and it’s certainly nice to have the option.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Postman.