Let the Polaris platform take your software security to the next level — easier and faster

Taylor Armerding
Published in Nerd For Tech
Apr 10, 2023

The software security industry is, by many measures, “mature.” It’s been around for decades — as long as software itself. There are now well-established methods to find and fix vulnerabilities before a software product hits the market.

All of which is good. But none of which means there is no room for improvement. Indeed, the industry is still evolving. And the Synopsys Software Integrity Group is taking its own step in that evolution with the launch of a major upgrade of the Polaris Software Integrity Platform® in a couple of weeks at the RSA Conference 2023, which runs April 24 to 28 in San Francisco.

The platform is designed to help software developers cope with competing pressures — the need for speed and the need for security. Because the reality remains that if it comes down to one or the other, speed wins. So for years, the exhortation at security conferences has been to “make the secure way the easy way.”

That way you get both, and that’s what Polaris does, with automated software testing tools aimed at securing proprietary, commercial, and open source code. One, called fAST Static, flags defects as code is being written. The second, called fAST SCA (software composition analysis), finds open source components in an application and flags any known vulnerabilities and potential licensing conflicts.

As a company announcement put it, “Polaris makes it easy for developers to onboard and start scanning code in minutes while enabling security teams to track testing activities and manage risk across thousands of applications.”

Disclosure: I write for Synopsys. But I’d write about Polaris anyway, given how critical software security is, not just for the protection of individual privacy and security in the digital devices we all use, but also in the systems that run our critical infrastructure, from the power grid to utilities, finance, healthcare, transportation, and just about everything else.

Not perfect, but much better

The need for better security is obvious. Virtually every attack on critical infrastructure was made possible by vulnerabilities in software. Among the worst were the May 2021 ransomware attacks on Colonial Pipeline, the main fuel supply line to the U.S. East Coast, and JBS Foods, the world’s largest meat supplier. As we all know, without fuel and food, not much else matters.

Software is never perfect — it’s made by imperfect humans. But it could, and should, be better. A Synopsys research team documented just how imperfect, with an analysis of 10 applications that have more than 21.5 million downloads from the Google Play Store. Debrup Ghosh, senior product manager within the Synopsys Software Integrity Group, said the team found an average of 179 vulnerabilities per app.

Not surprisingly, such a feast of vulnerabilities has generated what amounts to a feeding frenzy among criminal hackers. Ghosh said there was a 30% to 40% rise in cyberattacks from 2021 to 2022. “Whether it’s supply chain attacks, software vulnerability exploits, or web application exploits, apps continue to be a Top 3 attack surface for threat actors globally,” he said.

So the primary goal for security teams is to help organizations find and fix vulnerabilities before a software product hits the market. Failing that — if vulnerabilities do end up in software products after they are in use — the goal is to find and fix them before criminals can exploit them. And the stakes are higher than ever. As noted, software security is a matter of much more than privacy, convenience, and money. It can easily become an existential threat to individual and collective safety and survival.

Yet even with the stakes that high, the pressure on developers for speed still trumps everything else, including security. The increase in the pace of development over the past several decades is exponential, comparable to going from horse-and-cart transportation to a jetliner. And anything that gets in the way of that velocity can get cast aside or ignored.

The Building Security In Maturity Model, the subject of an annual report by Synopsys for the past 14 years, has reported that the message from numerous developers is, “We’d love to have security in our value streams if you don’t slow us down.”

Making it easy

Hence the keyword for the latest Polaris platform upgrade: Easy.

Easy is, of course, an elastic term. Software security is complex and difficult — imagine trying to find potentially catastrophic glitches in hundreds or thousands of lines of code. You can’t do it manually. And there is no “Easy button” (hat tip to Staples) that an organization can push to make that risk go away.

But easy compared to trying to manage software risks manually at the scale most businesses operate? Yes, that’s possible, with automated testing tools like fAST Static and fAST SCA that can keep pace with the speed of development. That’s what the Polaris platform offers. It’s easy in three ways:

Easy to deploy: Companies are increasingly moving to cloud solutions, which let them use tools and services as they need them — perhaps a lot today, perhaps less next week — without having to build and maintain infrastructure that will sometimes be more than maxed out while at other times sit idle. That’s what Polaris offers — it requires no installation of software or hardware because it’s maintained by Synopsys. That reduces the burden on a company’s IT staff. It also provides automatic updates, making the latest security testing technologies and features always available.

Easy to scale: As noted, the Polaris platform is there at whatever level is needed, eliminating the headache of overtaxed or underused infrastructure. Given that most companies are developing more apps, cloud solutions make it easy to onboard and scan them. Polaris offers software as a service, which means users can start scanning apps in minutes. And developers, who don’t want to be distracted by trivial or irrelevant notifications, can access triage services to help remove false positives so they get only results that matter. That makes security both easier and faster.

Easy to use: Besides the Synopsys triage services, Polaris users can do their own configuration of controls to hide or highlight defects and assign how they will get fixed. Those customer-defined security policies can be set to trigger alerts or halt builds depending on the severity of vulnerabilities. And reporting and analytics that are built into the platform let development teams know how they’re doing.

Eliminate sprawl

Finally, Polaris offers what an increasing number of organizations are seeking — consolidation of both tools and vendors.

Experts have been warning for years about the risks of “tool sprawl,” where organizations are running 25 to 49 security tools from up to 10 different vendors. Not only is that overkill; instead of improving security, it can undermine it. Development teams can be overwhelmed by security alerts that are so constant, they become background noise and are ignored — the exact opposite of the intent.

The analyst firm Gartner reported in its “Top Trends in Cybersecurity 2022” report that 80% of security and risk management leaders are looking to eliminate vendor sprawl as well, consolidating their security spending with fewer vendors, “driven by the need to reduce complexity, leverage commonalities, reduce administration overhead and provide more effective security.”

A consolidated platform provides a streamlined workflow, allowing security teams to manage and monitor security events either from a single console or a closely integrated solution stack offered by a single vendor.

That makes securing software not just easier but also faster. Which is as close to an Easy button as it gets.

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.