Synopsys SIG - Institutional Presentation

A Synopsys partner in the EDA area for almost a decade, FCBr is also the first VAR (Value Added Reseller) for the SIG (Software Integrity Group) area in Brazil. Synopsys was founded more than thirty years ago and is the leader in EDA (Electronic Design Automation) software. Recently it acquired numerous companies in the AST (Application Security Testing) segment and created a group named the Software Integrity Group (SIG). With its focus on AST, SIG is responsible for tools and services that test and analyze applications, identifying security vulnerabilities and quality problems throughout the software development life cycle (SDLC), before they become real vulnerabilities, reducing costs and maximizing productivity. Since then it has become one of the leaders in this area according to several analyst reports, such as Gartner (Magic Quadrant for Application Security Testing) and Forrester. Learn more at http://www.fcbr.com.br/synopsys
Transcript
  • 1. © 2019 Synopsys, Inc. 2019 Software Integrity Group (SIG)
  • 2. Synopsys: The Industry Leader in Application Security & Quality
  • 3. Security and quality are in our DNA
  • 4. Over 30 years of leadership, growth, and innovation. Employees: ~13,000; engineers: ~6,000; SIG: ~1,500. Engineering culture; global reach; 30 years of innovation; market cap ~$15B; 2018 revenue ~$3.1B; $1.4B+ investment in SIG; consistent growth. Top 20 global software companies: 1. Microsoft 2. Oracle 3. SAP 4. Symantec 5. VMware 6. Salesforce 7. Intuit 8. CA Technologies 9. Adobe 10. Teradata 11. Amdocs 12. Cerner 13. Citrix 14. Autodesk 15. Synopsys 16. Sage Group 17. Akamai Technologies 18. Nuance 19. Open Text 20. F5 Networks (Synopsys: #15).
  • 5. A trusted partner to over 4,000 companies: 16 of top 20 commercial banks; 9 of top 10 ISVs; 7 of top 10 aerospace and defense firms; 8 of top 10 global brands; 6 of top 10 semiconductor companies.
  • 6. Security risk has shifted from the network to the application: 84% of all cyber attacks happen on the application layer. Is your security investment aligned with your risk profile?
  • 7. Application facts: Your application = Proprietary Code + Open Source Components + Application Behavior & Config
  • 8. Different techniques address different risks.
    Static Analysis (best for proprietary code) • Analyzes source code • Finds common security weaknesses: − SQL injection − Cross-site scripting − Buffer overflows, etc.
    Runtime Analysis (best for running apps) • Tests running apps • Finds vulnerable app behavior: − Misconfigurations − Authentication issues − Business logic flaws
    Software Composition Analysis (best for open source) • Scans for open source • Finds open source vulnerabilities: − Detects known vulns − Works through full SDLC − Monitors for new vulns
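As an added illustration of the static-analysis column above (example code written for this page, not Coverity's implementation or any Synopsys code), the toy checker below walks Python source with the standard `ast` module, marks values read from hypothetical request sources (`request.args.get`, `request.args[...]`, `request.form`, `input`) as untrusted, propagates that taint through assignments, string concatenation and f-strings, and reports any `execute(...)`-style call whose statement text is built from untrusted data. The source names, sink names and the constructed sample functions are assumptions made for the demonstration; the parameterised query in the sample is correctly left alone.

```python
import ast
from dataclasses import dataclass

# Hypothetical taint rules for this toy checker (not Coverity's checker set):
# values returned by these calls, or read from these mappings, are untrusted.
TAINT_SOURCE_CALLS = {"request.args.get", "request.form.get", "input"}
TAINT_SOURCE_MAPS = {"request.args", "request.form"}
# Methods treated as SQL sinks when their first argument is untrusted.
SQL_SINKS = {"execute", "executemany", "executescript"}


@dataclass
class Finding:
    function: str
    lineno: int
    message: str


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted_vars):
    """True if the expression reads a taint source or an already-tainted variable.
    Concatenation, f-strings and .format() keep the tainted sub-expression in
    their subtree, so walking the subtree propagates taint through them."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted_vars:
            return True
        if isinstance(sub, ast.Call) and dotted_name(sub.func) in TAINT_SOURCE_CALLS:
            return True
        if isinstance(sub, ast.Subscript) and dotted_name(sub.value) in TAINT_SOURCE_MAPS:
            return True
    return False


def check_function(fn):
    """Per-function taint tracking: visit nodes in source order, grow the tainted
    set on assignment, and report SQL sinks whose statement text is tainted."""
    tainted_vars = set()
    findings = []
    ordered = sorted(ast.walk(fn),
                     key=lambda n: (getattr(n, "lineno", 0), getattr(n, "col_offset", 0)))
    for node in ordered:
        if isinstance(node, ast.Assign) and is_tainted(node.value, tainted_vars):
            tainted_vars.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif (isinstance(node, ast.AugAssign) and isinstance(node.target, ast.Name)
              and is_tainted(node.value, tainted_vars)):
            tainted_vars.add(node.target.id)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr in SQL_SINKS and node.args
              and is_tainted(node.args[0], tainted_vars)):
            findings.append(Finding(fn.name, node.lineno,
                                    "untrusted request data reaches SQL statement text"))
    return findings


def scan_source(source):
    """Scan every top-level function in a source string and return the findings."""
    tree = ast.parse(source)
    findings = []
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            findings.extend(check_function(node))
    return findings


# Constructed sample input: two injectable handlers and one parameterised handler.
SAMPLE_SOURCE = """
from flask import request

def find_user(cursor):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)  # line 7: tainted data reaches the SQL sink

def find_user_fstring(cursor):
    name = request.args["name"]
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")  # line 11

def find_user_safe(cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))  # bound parameter: no finding
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"{finding.function}:{finding.lineno}: {finding.message}")
```

The checker is deliberately narrow: it is per-function, path-insensitive and knows no sanitisers, which is exactly where a commercial SAST engine's interprocedural and path-sensitive analysis earns its keep. Its value here is to show the shape of the problem, that a finding is a source-to-sink data flow rather than a pattern match on a string.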
  • 9. Integrated Tools: solutions that help you build security & quality into your software development environment
  • 10. Static Analysis = Coverity; Software Composition Analysis = Black Duck; Dynamic Analysis = Seeker; Training = eLearning. DevSecOps loop: plan, code, build, test, release, deploy, operate, monitor. “By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.” Source: Gartner, Integrating Security Into the DevSecOps Toolchain, Nov. 16, 2017.
  • 11. Coverity: Static Application Security Testing
  • 12. Coverity – Static Analysis: find critical defects and security weaknesses in code as it’s written. Accurate: patented technology enables deep, full path coverage; includes intraprocedural analysis; very low false-positive rate. Fast: incremental analysis; easily analyzes hundreds of millions of lines of code; supports thousands of developers. Integrated: open platform; easily integrated with IDEs, CI build servers, SCM and issue tracking systems.
  • 13. Coverity – Static Analysis: find critical defects and security weaknesses in code as it’s written. Security, logic and quality: hundreds of checkers for all types of issues, such as: • XSS • Injections • Risky crypto • Forward null • Path manipulation • Logic errors • Copy & paste errors • Missing authorization • Hardcoded credentials. Security vulnerabilities: XSS, injections, CSRF. Defects: memory violations, logic errors. Concurrency errors: race conditions, memory corruption, deadlocks.
  • 14. Coverity – Static Analysis: find critical defects and security weaknesses in code as it’s written. Governance: keep control of what the developers are doing. Dashboards: create customized graphics and generate dashboards to get a visual view of your environment.
  • 16. Coverity – Static Analysis: find critical defects and security weaknesses in code as it’s written. Code Sight IDE plugin: real-time local analysis to find and fix defects before committing the code and waiting for the central build.
  • 17. Analyze: typical Coverity SDLC integration (diagram). 32/64-bit ‘Build’ server(s) run the native build (CI) and the analysis under Jenkins CI (<cov-build… mvn clean install…>, <cov-analyze…>, <cov-commit-defects…>); developer desktops do IDE build & analysis and commit source to SCM; a 64-bit ‘Connect’ server runs Coverity Connect on a Tomcat webserver, receives the committed analysis, commits bug reports to bug tracking and sends alerting via SMTP / Exchange; internet. Synopsys Confidential Information.
  • 18. Coverity – Static Analysis: broad standards compliance and SDLC integrations (security guidelines, standards compliance, language support, SDLC workflow). More details: https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/SAST-Coverity-datasheet.pdf
  • 19. Black Duck: Software Composition Analysis
  • 20. © 2016 Synopsys, Inc. Confidential. Open source code enters your code through many channels (developer downloads, outsourced development, third-party libraries, code reuse, approved components, commercial apps)… …and open source vulnerabilities can come with it.
  • 21. SAST is not enough for open source: automated SAST tools are good at finding vulnerabilities in the code written by your developers, but most open source vulnerabilities are too complex and too deep in the code to be found by automated SAST tools.
  • 22. Black Duck – Software Composition Analysis: find open source security, compliance, and quality risks in development and production. Black Duck KnowledgeBase: enhanced vulnerability data; 17 years of OSS activity; 75-person dedicated KB team; 1+ petabytes; 17,000+ sources; 80+ programming languages.
  • 23. Black Duck – Software Composition Analysis: find open source security, compliance, and quality risks in development and production. Detect: inventory and track all open source components in use. Protect: identify and remediate known open source vulnerabilities and license issues early. Manage: set and enforce open source security and use policies. Monitor: get same-day alerts for new vulnerabilities that impact deployed software.
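The four verbs on the slide (detect, protect, manage, monitor) map onto a small, concrete pipeline. The following is an added example written for this page, not Black Duck code and not KnowledgeBase data: it builds an inventory from a pinned requirements file, matches each component version against an advisory feed's affected ranges, applies a security and license policy, and separates new alerts from ones already reported. Package names, advisory ids, versions, licenses and the policy are all constructed for the example.

```python
# Constructed inputs: a pinned requirements file, an advisory feed and a license
# map. Package names and advisory ids are invented for this example.
REQUIREMENTS = """\
# application dependencies (constructed)
examplelib==1.2.0
yamlparse==5.1
fastcrypto==3.4.8
"""

ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "affected_from": "1.0.0", "fixed_in": "1.2.5", "severity": "HIGH"},
    {"id": "ADV-0002", "package": "yamlparse", "affected_from": "0", "fixed_in": "5.4", "severity": "CRITICAL"},
    {"id": "ADV-0003", "package": "fastcrypto", "affected_from": "3.5", "fixed_in": "3.5.2", "severity": "HIGH"},
]

LICENSES = {"examplelib": "MIT", "yamlparse": "AGPL-3.0", "fastcrypto": "Apache-2.0"}

# Organisation policy (constructed): block critical vulnerabilities and copyleft-only licenses.
POLICY = {"block_severities": {"CRITICAL"}, "denied_licenses": {"AGPL-3.0"}}


def parse_version(text):
    """Dotted numeric versions only; real SCA tools also handle pre-releases and epochs."""
    return tuple(int(part) for part in text.split("."))


def inventory(requirements_text):
    """Detect: build the component inventory from pinned requirements."""
    components = {}
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:
            components[name.lower()] = version
    return components


def find_vulnerabilities(components, advisories):
    """Protect: match each component version against the advisories' affected ranges."""
    hits = []
    for adv in advisories:
        version = components.get(adv["package"])
        if version is None:
            continue
        if parse_version(adv["affected_from"]) <= parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append({**adv, "installed": version})
    return hits


def policy_violations(components, hits, licenses, policy):
    """Manage: apply the organisation's security and license policy to the scan."""
    violations = []
    for hit in hits:
        if hit["severity"] in policy["block_severities"]:
            violations.append((hit["package"], f"{hit['severity']} vulnerability {hit['id']}"))
    for name in components:
        license_id = licenses.get(name, "UNKNOWN")
        if license_id in policy["denied_licenses"] or license_id == "UNKNOWN":
            violations.append((name, f"license {license_id} not permitted"))
    return violations


def new_alerts(hits, already_reported):
    """Monitor: surface only advisories not yet reported for the deployed build."""
    return [hit["id"] for hit in hits if hit["id"] not in already_reported]


def run_scan():
    """Run detect, protect and manage over the constructed inputs."""
    components = inventory(REQUIREMENTS)
    hits = find_vulnerabilities(components, ADVISORIES)
    return {
        "inventory": components,
        "vulnerabilities": hits,
        "policy_violations": policy_violations(components, hits, LICENSES, POLICY),
    }


if __name__ == "__main__":
    scan = run_scan()
    for package, reason in scan["policy_violations"]:
        print(f"BLOCK {package}: {reason}")
    print("new since last report:", new_alerts(scan["vulnerabilities"], {"ADV-0001"}))
```

The monitor step is the one most often missing from home-grown scripts: a build that was clean when it shipped must be re-evaluated every time the advisory feed changes, which is why the scan stores the inventory rather than only the pass/fail result.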
  • 28. Black Duck – Software Composition Analysis: find open source security, compliance, and quality risks in development and production. Integration points across the SDLC: package management, DEV/IDE, SCM, build/CI, QA, orchestration, production, and container/binary repositories. Integrations shown: TFS/VSTS, CodeBuild, Concourse, Team City, Eclipse, Visual Studio, GitHub, ECR, GCR, ACR, Artifactory, Red Hat Container Catalog, Ruby, XRay, OpenShift, Kubernetes, Pivotal Cloud Foundry, Cloud Foundry, EC2, GCP, Azure, Chrome, Travis, GitLab.
  • 29. Seeker: Interactive Application Security Testing
  • 30. © 2018 Synopsys, Inc. Seeker integrates seamlessly into the DevOps toolchain: connect directly to Jira and your CI/CD tools with APIs and integrations. Pipeline stages: code, build, test, deploy, operate. Flow: the developer commits the code → the build is made → the app and Seeker are deployed in the test environment → functional testing is done → vulnerabilities are reported → build pass/fail decision (based on testing status).
  • 31. How Seeker works: your application (with the Seeker Agent) reports to the Seeker Enterprise Server. 1. The application receives an HTTP request. 2. The agent analyzes code and memory, focusing on security-related activities like encryption, SQL, file access, LDAP, XPath, etc. 3. Results are actively verified and reported along with vulnerable lines of code, runtime data, and verification proof.
  • 32. Seeker – Interactive Application Security Testing: accurate, easy-to-use, enterprise-scale IAST that identifies and verifies web application vulnerabilities in real time. Easy deployment and usage; immediate, actionable results. Accurate real-time results: powered by the Active Verification Engine. Comprehensive checkers: Java, Node.js, .NET. Integration with CI/CD tools: DevOps friendly, built-in integration + bug tracking, APIs. Sensitive data tracking: detect and prevent sensitive data leakage. Binary software composition analysis: identify supply chain risks. Real-time results: speed to support large-scale deployments.
  • 33. Active verification ensures accurate results: the patented active verification engine minimizes false positives. • Automatically re-tests detected vulnerabilities to verify that they are real and can be exploited • Quickly processes hundreds of thousands of HTTP(S) requests • Provides a risk-prioritized list of verified vulnerabilities to fix immediately
  • 34. Actionable results for developers • Provides HTTP and source code details to pinpoint the vulnerability: URL and parameters; filename, method and line number • Makes it easier for developers to find and fix vulnerabilities: results can be sent directly to Jira • Helps teams maintain velocity while maximizing security
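Slides 31 and 34 together describe what an in-process agent sees at a sink and what it must capture for a developer to act on the finding. The following is an added example written for this page, not Seeker's agent or any Synopsys code: a hypothetical `RuntimeAgent` is told about the current request, a wrapper around a DB-API cursor routes every `execute()` through it, and when a request parameter's raw value turns up inside the SQL text (instead of being bound as a parameter) the agent records the HTTP details (method, URL, parameter) and the source details (filename, function, line number) of the sink call, using Python's `inspect` module to read the calling frame. The `Request` class, the two handlers and the in-memory SQLite database are constructed for the demonstration; active verification is not modelled.

```python
import inspect
import sqlite3
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (hypothetical)."""
    method: str
    path: str
    args: dict


@dataclass
class Finding:
    rule: str
    url: str          # HTTP details: method and URL
    parameter: str    # the request parameter whose value reached the sink
    filename: str     # source details: file, function and line of the sink call
    function: str
    lineno: int
    statement: str


class RuntimeAgent:
    """Hypothetical in-process agent: tracks the current request and inspects SQL sinks."""

    def __init__(self):
        self.current_request = None
        self.findings = []

    def begin_request(self, request):
        self.current_request = request

    def end_request(self):
        self.current_request = None

    def check_sql(self, statement, params, caller):
        """Report when raw request input is embedded in the SQL text rather than bound.
        Values shorter than four characters are ignored to limit accidental matches;
        a product like Seeker additionally re-tests the finding, which is not modelled."""
        req = self.current_request
        if req is None:
            return
        bound = {str(p) for p in params}
        for name, value in req.args.items():
            if len(value) >= 4 and value in statement and value not in bound:
                self.findings.append(Finding(
                    rule="SQL injection: request parameter embedded in statement text",
                    url=f"{req.method} {req.path}",
                    parameter=name,
                    filename=caller.filename,
                    function=caller.function,
                    lineno=caller.lineno,
                    statement=statement,
                ))


class MonitoredCursor:
    """Wraps a DB-API cursor so every execute() passes through the agent first."""

    def __init__(self, cursor, agent):
        self._cursor = cursor
        self._agent = agent

    def execute(self, statement, params=()):
        # inspect.stack()[1] is the application frame that called execute()
        self._agent.check_sql(statement, params, inspect.stack()[1])
        return self._cursor.execute(statement, params)

    def fetchall(self):
        return self._cursor.fetchall()


def setup_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def vulnerable_handler(cursor, req):
    # Request input is concatenated into the statement: the agent will flag this line.
    name = req.args["name"]
    cursor.execute("SELECT id, name FROM users WHERE name = '" + name + "'")
    return cursor.fetchall()


def safe_handler(cursor, req):
    # Same query with the value bound as a parameter: nothing to report.
    name = req.args["name"]
    cursor.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return cursor.fetchall()


def simulate(agent, handler, req):
    """Drive one request through a handler with the agent attached to the cursor."""
    cursor = MonitoredCursor(setup_db().cursor(), agent)
    agent.begin_request(req)
    try:
        return handler(cursor, req)
    finally:
        agent.end_request()


def run_demo():
    agent = RuntimeAgent()
    req = Request("GET", "/users", {"name": "alice"})
    simulate(agent, vulnerable_handler, req)
    simulate(agent, safe_handler, req)
    return agent.findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.rule}\n  {f.url} parameter={f.parameter}\n  {f.filename}:{f.lineno} in {f.function}()")
```

Because the check runs inside the application while functional tests exercise it, no separate scan is needed and the report already contains the exact line to fix, which is the property the slide sells as "immediate, actionable results".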
  • 35. The most accurate IAST solution available • Delivers fast results with near-zero false positives • Other solutions without active verification report up to ~20% false positives. Seeker helps you scale your most limited resource – your AppSec team. Seeker v2018.03 scores 100% in the OWASP Benchmark.
  • 36. Polaris Software Integrity Platform
  • 37. Polaris: The Polaris Software Integrity Platform (coming soon…). Central server (build & test environment): integrated analysis engines (Coverity SAST, Black Duck SCA, Seeker IAST, managed services); centralized management; consolidated reporting; alerting & workflow; CI/CD & DevOps integration; SaaS/private cloud deployment. Code Sight (developer environment): integrated local + central analysis; IDE plugin for IntelliJ, Eclipse, Visual Studio; context-sensitive eLearning; Coverity SAST, Black Duck SCA, Seeker IAST, managed services.
  • 38. Polaris reporting module (coming soon…)
  • 39. eLearning: security & development online training
  • 40. Synopsys eLearning: easy-to-consume, outcome-driven security training. Synopsys eLearning enables curriculum provisioning by role, team, or project with training tailored to every role in the SDLC: learner-centric, mobile-responsive, role-based, outcome-based, measurement-focused.
  • 41. Build Secure, High-Quality Software Faster
  • 42. Contact: Rua Enxovia, 472 – room 1703, Chácara Santo Antonio | São Paulo – SP, Brazil, ZIP Code 04711-030. facebook.com/fcbrbrazil, twitter.com/FCBrBrazil, linkedin.com/company/fcbrbrazil, fcbr.com.br/synopsys, contato@fcbr.com.br, +55 (11) 9.5117-6020