Learn why Synopsys earned the highest score for the Continuous Testing Use Case in Gartner's latest report.
Gartner recently released its 2022 Critical Capabilities for Application Security Testing (AST) report, and I am delighted to see that Synopsys received the highest score across each of the five Use Cases. Let's look at the Continuous Testing Use Case, dive into how Gartner ranks and rates it, and see why the Synopsys portfolio of offerings is well suited for organizations that are looking to implement continuous testing or are already doing it.
When it comes to the criteria used to rate the top 14 tools' ability to deliver continuous testing, Gartner places slightly more weight on a tool's ability to perform dynamic application security testing (DAST), interactive application security testing (IAST), and API security testing and discovery. It places less or equal weight on a tool's ability to perform static application security testing (SAST) and software composition analysis (SCA). To understand why, let's look at the role continuous testing plays in today's software ecosystem.
First, we need to understand what exactly continuous testing is. As the name implies, continuous testing refers to the execution of automated tests every time code changes are made. These tests are carried out continuously and iteratively across the software development life cycle (SDLC). They are conducted as a part of the software delivery pipeline to drive faster feedback on changes pushed to the code and/or binary repository.
Continuous testing is especially important in an organization's drive toward DevOps continuous integration/continuous delivery (CI/CD). While CI/CD enables product innovation at lightning speed (which is crucial for businesses to stay ahead of the curve), continuous testing helps build trust in quality. Continuous testing provides the much-needed peace of mind that the products perform as expected and are reliable and secure. Continuous testing in a delivery pipeline allows the team to introduce any number of quality gates, anywhere they want, to achieve the degree of quality they need.
Although continuous testing is becoming a standard practice today, embedding another layer of security oversight is something not readily undertaken by most organizations. It is simple to understand why.
Implementing continuous testing is already a massive undertaking without adding another layer of security on top of it. For continuous testing to work, both development and QA test teams need to get together to define the tests early, develop the test-driven or behavior-driven test cases, and ensure good test coverage. To run a successful continuous testing operation, they will also need a complete test environment on demand, with dev-friendly tools (such as code, CI/CD integrations, and supported open source) for the various development and test teams to use. These environments should ideally be ready for the various on-demand needs, from unit tests to integration, functional, regression, and acceptance tests, and be able to provision the right test data so teams can perform comprehensive tests with production-like data. With continuous testing, the various types of tests are executed seamlessly at each stage of the continuous pipeline and in each environment the code is deployed to. Tests are triggered automatically by events such as code check-in or code changes. The aim of continuous testing is to ensure prompt feedback so the team is alerted to problems as quickly as possible.
Continuous testing becomes harder and takes longer as it progresses toward the production environment. The depth of testing also increases as the simulation environment gets closer to production. You need to gradually add more tests, and more complicated tests, as the code matures and environment complexity advances. Chances are the same test cases developed early on would not be run throughout the SDLC. The test cases need to be updated each time significant changes are introduced. The automated scripts will need to be updated at the different phases of testing as the code becomes more mature and progresses to a higher-level environment, where configurations and infrastructure also advance, until it reaches production.
Even the time needed to run the tests increases as testing progresses toward the release point. For example, a unit test might take very little time to run, whereas some integration tests or system/load tests might take hours or days. Given the amount of time and effort required to execute end-to-end continuous testing, it's no wonder that automated security tests lag behind other types of automation efforts (e.g., automating build and release), according to Google's State of DevOps report.
For organizations that have security test practices and tools built into their continuous testing and delivery pipeline, it's common to find SAST and/or SCA tools deployed in their automated pipeline. These tools have their own place in the SDLC, and in fact they are necessary early in the SDLC to help secure proprietary codebases and external dependencies such as open source and third-party code. This may suffice in a controlled environment, with controlled codebases that ensure predictable user experiences.
Unfortunately, the software application development and delivery paradigm has shifted from monolithic to today's highly distributed computing model. There are innumerable software components and event-driven triggers, thanks to technologies such as microservices architecture, the cloud, APIs, and serverless functions in today's modern, composite-based applications. Some critical vulnerabilities and exploits cannot be anticipated or caught in early development phases; they don't get triggered until application runtime tests, when the various components are integrated. The sheer volume of apps that an organization owns and must manage today, from internal proprietary codebases and applications to third-party components and APIs, contributes to the growth of unanticipated attack surfaces.
Therefore, it's more critical than ever to incorporate modern DAST approaches into testing, particularly those that can augment the continuous testing and CI/CD pipeline with the least friction.
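As an added illustration (not Synopsys code or anything from the Gartner report) of the quality gates described above, the following Python models a stage-aware security gate: SAST and SCA run on every commit, DAST joins once the integrated application is deployed to a runtime environment, and the blocking threshold tightens as the build approaches production. The stage names, scanner names, thresholds and sample findings are all constructed for the example.

```python
from dataclasses import dataclass

# Added example, not Synopsys code or material from the Gartner report;
# stages, scanner names, thresholds and findings are all constructed.
# Scanners per stage: SAST/SCA on every commit, DAST only once the
# integrated application is deployed to a runtime environment.
STAGE_SCANNERS = {
    "commit": {"sast", "sca"},
    "staging": {"sast", "sca", "dast"},
    "preprod": {"sast", "sca", "dast"},
}
# Gates tighten toward production: commit blocks only on critical findings,
# preprod blocks on anything medium or worse.
STAGE_THRESHOLD = {"commit": 4, "staging": 3, "preprod": 2}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    scanner: str   # "sast", "sca" or "dast"
    severity: str  # a key of SEVERITY_RANK
    title: str


def evaluate_gate(stage, findings):
    """Return (passed, blocking_findings) for one stage's scanner output.

    Findings from scanners that do not run at this stage are ignored, so a
    DAST result is never charged to the commit gate. An unknown stage, or an
    unknown severity on an in-scope finding, raises instead of silently
    passing (the gate fails closed).
    """
    if stage not in STAGE_SCANNERS:
        raise ValueError(f"unknown pipeline stage: {stage}")
    threshold = STAGE_THRESHOLD[stage]
    blocking = []
    for f in findings:
        if f.scanner not in STAGE_SCANNERS[stage]:
            continue
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity on {f.title!r}: {f.severity}")
        if SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)
    return (not blocking, blocking)


# Constructed sample findings from one build (the CVE id is a placeholder).
SAMPLE = [
    Finding("sca", "high", "component with known CVE (CVE-PLACEHOLDER)"),
    Finding("sast", "low", "unused variable"),
    Finding("dast", "high", "reflected input in runtime response"),
]
```

Run `evaluate_gate(stage, SAMPLE)` for each stage: the commit gate passes (the high SCA finding is below its critical-only threshold and the DAST finding is out of scope), while the staging and preprod gates block on both high findings.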
Synopsys has the broadest and most comprehensive portfolio for your application security needs. Our AST tools provide seamless life cycle integration with end-to-end app security test coverage across the continuous pipeline.
Some key benefits of Synopsys solutions include
Continuous security testing and continuous delivery are processes that can take time to implement successfully. But close collaboration between development, security, and DevOps teams, along with continuous security feedback based on highly accurate data and the right tool set, will help bulletproof your critical applications.
Here is the original post:
Bridging the security gap in continuous testing and the CI/CD pipeline - Security Boulevard