Putting intelligent orchestration into your DevSecOps

What To Know

  • Intelligent Orchestration, which runs in parallel to build and release pipelines, utilises innovative technology to automatically determine and initiate the most appropriate security tests, including static (SAST), dynamic (DAST), interactive (IAST), and software composition analysis (SCA), based on pre-defined risk policies and changes made to an application.
  • “Testing your business-critical applications for security vulnerabilities is essential, but when it comes to producing actionable results and earning developers’ trust in a DevOps environment, the tests you don’t run can be equally as important as the tests you do run,” said the director of application security for the financial services client.

Editor’s brief: If you work in DevSecOps, you know that you are no longer grappling simply with code, but with a myriad of platforms, languages, devkits, APIs and open source software (OSS), on an ever-evolving “ocean” of needs from your executives and users alike. Although intelligent orchestration as a concept is not new, what if you could combine best-of-class static (SAST), dynamic (DAST), interactive (IAST) and software composition analysis (SCA) into a single solution for your code forensics? Synopsys, the stalwart for software integrity, has announced exactly that. Read more below.

SINGAPORE – Synopsys, Inc. (Nasdaq: SNPS) today announced it will showcase the Software Integrity Group’s new Intelligent Orchestration solution at RSA Conference on May 17th – 20th. Intelligent Orchestration is a dedicated application security automation pipeline, optimised for speed and efficiency, that ensures the right security tests are performed at the right time. Intelligent Orchestration, which runs in parallel to build and release pipelines, utilises innovative technology to automatically determine and initiate the most appropriate security tests, including static (SAST), dynamic (DAST), interactive (IAST), and software composition analysis (SCA), based on pre-defined risk policies and changes made to an application.

Security and development teams across all industries have come to recognise the importance of integrating and automating security testing into their development toolchains and workflows as the pace and complexity of software development increase. In practice, however, they discover that this slows development pipelines and floods development teams with large volumes of testing results, many of which don’t require immediate attention.

The ideas and technology that make up Intelligent Orchestration were developed and refined over years of helping customers with these issues, among them a Fortune 500 financial services company undergoing a significant digital transformation effort:

“Testing your business-critical applications for security vulnerabilities is essential, but when it comes to producing actionable results and earning developers’ trust in a DevOps environment, the tests you don’t run can be equally as important as the tests you do run,” said the director of application security for the financial services client. “Avoiding extraneous testing cycles and prioritising the critical vulnerabilities that present the most risk to your organisation is key to embracing the benefits of DevSecOps. We worked closely with Synopsys as they developed their Intelligent Orchestration solution to address the DevSecOps bottlenecks we were grappling with.”

Intelligent Orchestration provides the following capabilities and benefits:

  • Dedicated “continuous security” pipeline: Intelligent Orchestration is a dedicated continuous integration (CI) pipeline that runs in parallel to build and release pipelines to perform necessary application security tests.
  • Seamless integration with existing pipelines and development toolchains: Intelligent Orchestration does not require build and release pipelines to be reimplemented. Instead, it easily integrates with CI pipelines via simple API calls. In addition, extensible DevOps integrations enable teams to incorporate application security tests performed by Synopsys tools as well as open source and third-party tools, and deliver results via the development, risk management, and issue tracking tools they already use.
  • Ensures the right tests are run at the right time: Teams can define their application security policies as code, specifying rules for security analysis, notification, and remediation. Using innovative technology, Intelligent Orchestration then uses that policy to evaluate code changes and other SDLC events to intelligently trigger the appropriate security tests, maximising velocity by performing only the tests that are needed when they are needed.
  • Delivers the right information to the right teams: Intelligent Orchestration optimises and standardises application security reporting across the gamut of security testing tools. Results are automatically filtered and prioritised based on risk and delivered directly within the development and defect tracking tools development teams already use, preventing “vulnerability overload” and enabling teams to achieve the maximum risk impact at minimum cost.
  • Automates the workflow for manual or out-of-band testing activities: Intelligent Orchestration policies can also trigger manual security activities such as penetration tests, through defect tracking systems and communication channels, enabling security teams to coordinate security compliance with development workflows.
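To make the “policy as code” idea concrete, here is a small added example (not Synopsys code, and not how Intelligent Orchestration is implemented): a toy selector that evaluates a code change against a risk policy and returns the tests it should trigger. The policy schema, the change model, the glob patterns and the scan names are assumptions made for this illustration.

```python
# Added example, not Synopsys code: a toy "policy as code" selector that maps a code
# change to the security tests it should trigger. Schema and scan names are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Change:
    """One SDLC event: touched files, pipeline stage, and the application's risk tier."""
    paths: list
    event: str               # "pull_request" or "release"
    business_critical: bool  # risk tier, e.g. from an application inventory


# Assumed policy schema: scan to run, events that may trigger it, glob patterns over
# changed paths (None = any change), and whether it is reserved for critical apps.
# fnmatch's '*' also matches '/', so "*.py" matches a file at any depth.
POLICY = [
    {"scan": "SCA", "on": ["pull_request", "release"],
     "paths": ["*requirements*.txt", "*package.json", "*pom.xml", "*go.mod"]},
    {"scan": "SAST", "on": ["pull_request", "release"],
     "paths": ["*.py", "*.java", "*.js", "*.go"]},
    {"scan": "DAST", "on": ["release"], "paths": None},
    {"scan": "IAST", "on": ["release"], "paths": None, "critical_only": True},
    {"scan": "manual_pentest", "on": ["release"],
     "paths": ["*/auth/*", "*/payments/*"], "critical_only": True},
]


def select_scans(change: Change, policy=POLICY) -> list:
    """Return the scans the policy triggers for this change, in policy order.

    A rule fires only if the event matches, the risk tier allows it, and some changed
    path matches one of its patterns; a change matching no rule yields [] (the
    "tests you don't run" case).
    """
    selected = []
    for rule in policy:
        if change.event not in rule["on"]:
            continue
        if rule.get("critical_only") and not change.business_critical:
            continue
        patterns = rule["paths"]
        if patterns is None or any(
            fnmatchcase(p, pat) for p in change.paths for pat in patterns
        ):
            selected.append(rule["scan"])
    return selected
```

A documentation-only pull request selects nothing, a dependency bump on a pull request selects SCA and SAST, and a release touching an authentication module of a business-critical application adds DAST, IAST and a manual penetration test ticket.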

“Every organisation embracing DevOps encounters friction when they integrate and automate security testing into their DevOps environments,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “Automating the enforcement of application security policies across your portfolio and managing high volumes of security testing results, while trying to keep pace with the accelerating speed of development, can be a daunting task. These challenges are precisely what Intelligent Orchestration is designed to address. Through policy-driven intelligence, automation, and extensive integrations, Intelligent Orchestration streamlines security testing programs based on risk and continuous iteration.”

###