
AST

Tech tales: Achieving PCI compliance with application security testing

In our new tech tales series, we discuss how Synopsys customers use our products and services to uncover security risks in their organization. Synopsys customers span every industry—from small to large enterprises across financial services, automotive, public sector, medical and healthcare, and much more. One thing they all have in common is building trust into their software.

On the Fuzzing Hook - Exploring Deeper Program States

Coverage-guided fuzzers such as Jazzer try to maximize the amount of code executed during a fuzzing run, an approach that has proven to surface interesting findings deep inside a codebase. Checking only the validation rules on the first application layer yields little, whereas exercising the logic of, and interactions between, deeply embedded components does. To extend coverage, the fuzzer mutates its input so that it passes the existing checks and reaches code paths that have not been executed yet.
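To make the mechanism concrete, here is a toy coverage-guided fuzzer written for this page. It is not Jazzer's code (Jazzer instruments JVM bytecode), and the target, seed, edge names and mutation set are all constructed for the illustration: the target is a small packet parser whose simulated overflow sits behind a magic-byte check, a version check and a command dispatch, and it reports coverage edges by hand where a real fuzzer would rely on compiler instrumentation. Only inputs that reach a new edge are kept, so the corpus climbs one layer at a time until the bug is hit.

```javascript
// Constructed target: a mini packet parser with layered checks and a simulated
// overflow bug behind the last one. `hit(edge)` records a coverage edge.
const BUFFER_SIZE = 8;

function parsePacket(input, hit) {
  if (input.length < 1 || input[0] !== 0x46) return "bad-magic";   // 'F'
  hit("magic0");
  if (input.length < 2 || input[1] !== 0x5a) return "bad-magic";   // 'Z'
  hit("magic1");
  if (input.length < 3 || (input[2] !== 1 && input[2] !== 2)) return "bad-version";
  hit("version");
  if (input.length < 4) return "truncated";
  const payload = input.subarray(4);
  if (input[3] === 0x10) { hit("cmd-ping"); return "pong"; }
  if (input[3] === 0x20) {
    hit("cmd-write");
    const buf = new Uint8Array(BUFFER_SIZE);            // fixed-size buffer
    for (let i = 0; i < payload.length; i++) {
      if (i >= buf.length) { hit("overflow"); throw new Error("simulated buffer overflow"); }
      buf[i] = payload[i];
    }
    return "written";
  }
  return "unknown-command";
}

// Deterministic PRNG (mulberry32) so a run can be replayed from its seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// One random mutation: replace a byte, flip a bit, insert a chunk, or delete a byte.
function mutate(input, rnd) {
  const randInt = (n) => Math.floor(rnd() * n);
  const out = Array.from(input);
  switch (randInt(4)) {
    case 0: if (out.length) out[randInt(out.length)] = randInt(256); break;
    case 1: if (out.length) out[randInt(out.length)] ^= 1 << randInt(8); break;
    case 2: {
      const chunk = Array.from({ length: 1 + randInt(16) }, () => randInt(256));
      out.splice(randInt(out.length + 1), 0, ...chunk);
      break;
    }
    case 3: if (out.length > 1) out.splice(randInt(out.length), 1); break;
  }
  return Uint8Array.from(out);
}

// Fuzz loop: run mutants drawn from the corpus, keep the ones that reach a new edge.
function fuzz(target, seed, maxIters = 1000000, rngSeed = 20240101) {
  const rnd = mulberry32(rngSeed);
  const corpus = [seed];
  const covered = new Set();
  const discoveries = [];          // [edge, iteration] in order of first reach
  let crash = null;

  const execute = (input, iter) => {
    let reachedNew = false;
    const hit = (edge) => {
      if (!covered.has(edge)) { covered.add(edge); discoveries.push([edge, iter]); reachedNew = true; }
    };
    try { target(input, hit); }
    catch (err) { crash = { iter, input: Array.from(input), message: err.message }; }
    return reachedNew;
  };

  execute(seed, 0);
  for (let iter = 1; iter <= maxIters && crash === null; iter++) {
    // Scheduling heuristic: half the time extend the newest corpus entry, since it
    // reached the deepest code so far; otherwise pick any entry uniformly.
    const parent = rnd() < 0.5 ? corpus[corpus.length - 1] : corpus[Math.floor(rnd() * corpus.length)];
    const child = mutate(parent, rnd);
    if (execute(child, iter)) corpus.push(child);
  }
  return { crash, discoveries, corpusSize: corpus.length, covered };
}

// Replay a saved crashing input against the target without coverage tracking.
function reproduces(target, bytes) {
  try { target(Uint8Array.from(bytes), () => {}); return false; }
  catch (_) { return true; }
}

// Constructed seed: an arbitrary string that fails the very first check.
const SEED = Uint8Array.from([0x68, 0x65, 0x6c, 0x6c, 0x6f]); // "hello"

const run = fuzz(parsePacket, SEED);
for (const [edge, iter] of run.discoveries) console.log(`iteration ${iter}: reached ${edge}`);
console.log(run.crash ? `crash at iteration ${run.crash.iter}: ${run.crash.message}` : "no crash found");
```

The printed discovery log is the point: each new edge appears only after the fuzzer has produced an input that satisfies every check before it, which is exactly why a crash found this way tends to live in code that hand-written tests of the outer validation layer never touch. Saving the crashing bytes and replaying them with `reproduces` is the same triage step you would take with a real fuzzer's crash artefact.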

Snyk and StackHawk form strategic alliance to equip app teams with modern, developer-first security testing

Application innovation, design, development, quality assurance, and security testing have changed dramatically over the past decade. Engineering teams are leveraging agile development processes, modern cloud platforms, reusable microservices, and extensible APIs, enabling them to shift to more frequent deployments more easily.

Reduce risks of data breaches throughout your development lifecycle with the new Bearer GitHub Action

Bearer is a Static Application Security Testing (SAST) tool that enables security and engineering teams to identify and mitigate data security risks throughout the software development lifecycle. It integrates with Source Code Management (SCM) software (see Git repository integrations for more details) to scan your code repositories, discover and classify data flows, and detect gaps with your data security policy.

Modernizing SAST rules maintenance to catch vulnerabilities faster

Snyk Code separates itself from the majority of static code analysis tools by generating and maintaining rule sets for its users, helping them combat both common and newly discovered threats. A recent Hub article described a JavaScript vulnerability class called prototype pollution, which lets an attacker modify, or "pollute", a JavaScript object prototype (typically Object.prototype) so that every object inheriting from it picks up attacker-controlled properties, enabling a variety of malicious actions such as bypassing authorization checks.
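The sink a SAST rule for prototype pollution looks for is illustrated below with an added example written for this page; it is not Snyk's code or one of its rules. A recursive "deep merge" of untrusted JSON into a settings object is the classic pattern: the vulnerable version walks every key of the input, including `__proto__`, and so writes into Object.prototype, while the hardened version iterates own keys only and refuses the keys that reach the prototype chain. The attacker payload, the settings object and the `isAdmin` check are all constructed for the demonstration.

```javascript
function isPlainObject(v) {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Vulnerable: for...in visits the own "__proto__" key that JSON.parse creates, and
// reading target["__proto__"] yields Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, and the three keys that lead to a prototype are skipped.
// (A legitimate setting literally named "constructor" is dropped as a consequence.)
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. the JSON body of a "save my settings" request.
const ATTACKER_JSON = '{"theme":"dark","ui":{"font":"mono"},"__proto__":{"isAdmin":true}}';

// Merge the payload with the given function and report whether an unrelated object
// now looks like an admin. Object.prototype is cleaned afterwards so the demonstration
// does not leak into the rest of the process.
function simulate(mergeFn) {
  const settings = { theme: "light", pageSize: 20, ui: { font: "sans", size: 12 } };
  const merged = mergeFn(settings, JSON.parse(ATTACKER_JSON));
  const someUser = { name: "guest" };           // created elsewhere, never merged into
  const result = {
    theme: merged.theme,
    ui: merged.ui,
    userIsAdmin: someUser.isAdmin === true,     // the check an authorization layer might make
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log("unsafeMerge:", simulate(unsafeMerge));
console.log("safeMerge:", simulate(safeMerge));
```

Note that the legitimate part of the payload (`theme`, the nested `ui.font`) merges identically in both versions; only the write into the prototype chain differs, which is why this bug survives ordinary functional testing and is a good fit for a maintained static rule rather than a one-off code review.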

How To Set A Benchmark Of False Positives With SAST Tools

Many Static Application Security Testing (SAST) tools struggle with false positives: they report that a vulnerability is present when, in reality, it does not exist. This inaccuracy weighs down the engineering team, which spends productive hours triaging the false alarms. By setting a benchmark for false positives, a limit above which the rate is unacceptable, you establish a point of reference against which to measure the efficacy of your SAST tool.