要約
Synopsys owns a portfolio of several scanning tools, including Coverity (SAST), Black Duck (SCA), Seeker (IAST), Defensics (Fuzzing), and recently acquired Tinfoil (DAST).
-
BlackDuck does Software Composition Analysis (SCA) including dependency scanning, container scanning, and license management.
-
Coverity for SAST includes spell-checker-like capability with an IDE plug-in that alerts the developer to vulnerable phrases as they code. It also has a dashboard that pulls in IAST from Seeker for a unified view. Coverity covers 20 programming languages. Our research indicates that Coverity costs around $12k USD per year for 5 users.
-
Seeker for IAST employs an agent to test the application for vulnerabilities. It is used during functional testing so that security tests are done in the normal course of other testing. Seekers has an API to integrate with Dev IDEs. Seeker works with Java/all JVM languages. Seeker is only available on premise.
Comparison to GitLab
Although Synopsys can integrate with IDE's and DevOps tools via the API, complete testing coverage requires multiple software licenses and a heavy integration and maintenance effort. GitLab Ultimate automatically includes a full suite of broad security scanning with every code commit. GitLab's scan results are provided to the developer inline in their Merge Requests with no integration required.
GitLab security scanning includes not only SAST but also DAST, Container and Dependency scanning, License Compliance scanning, and Secrets detection. All of these are included in GitLab Ultimate and integrated directly into the developer's workflow. Finding vulnerabilities is only the beginning. Delivering those findings to the developer for immediate remediation is key to shifting left to reduce both cost and risk.
