Based in Mountain View, California, Synopsys is a
global company with offerings in the software and semiconductor areas. Synopsys
has been executing a strategy to expand its AST portfolio during the past few
years, adding Cigital (App Sec Services), Quotium’s Seeker IAST, Codenomicon
(SCA), Protecode (SCA), Coverity (SAST) and Black Duck (SCA). This merger and
acquisition (M&A) push has provided it with good coverage of the secure SDLC
market, through products and services that it has been attempting to integrate
into a complete, seamless offering.
During the past 12 months, the vendor
has introduced a new platform, Polaris, which is intended to be the central
management console for all Synopsys AST products. The SAST solution was the
first to be fully integrated into Polaris, and the vendor intends to integrate
the rest of its AST products throughout 2019. The vendor also introduced a new
lightweight IDE plug-in (initially for the IntelliJ IDE with support for
Eclipse and Visual Studio IDEs introduced in February 2019), Code Sight,
meant to run full SAST analysis by continuously scanning in the background
while a developer is coding. Synopsys should be considered by organizations
looking for a complete AST offering that want variety in AST technologies,
assessment depth, deployment options and licensing.
- Synopsys Polaris Software Integrity Platform is a new offering that provides tracking of vulnerabilities and metrics across SDLC phases. It interfaces with all Synopsys tools, as well as the build system.
- Seeker continues to be one of the most broadly adopted IAST solutions, with good SDLC integration. Synopsys has an agent-only IAST for Seeker that does not require an inducer. This supports the passive testing model offered by some IAST competitors.
- The Code Sight plug-in is a good fit for DevOps shops, because it provides strong integration with IDEs to provide a SAST spell-checker early in the development phase. The Code Sight plug-in leverages the same analysis engine as Coverity.
- Synopsys offers a comprehensive set of AST offerings suitable for a range of use cases and differentiates by providing a variety of fuzzing capabilities (input fuzzing, protocol fuzzing, etc.) delivered via Defensics, an unusual and often overlooked functionality that can complement AST initiatives.
- Synopsys is well-positioned in the Internet of Things (IoT) AST space, where it supports a broad range of protocols, such as XMPP, MQTT, CoAP and AMQP (via Defensics).
- Synopsys Coverity supports fewer languages than major SAST competitors, lacking, for example, Go and Kotlin (although there are plans to add these). Gartner client feedback indicates that the vulnerability explanations and fix recommendations are limited compared with those of some competitors.
- Synopsys continues to work on better integration and consolidation to offer a unified platform desired by customers. Although there has been a lot of progress, work remains in this area — for example, adding Seeker and Black Duck to the Polaris Platform.
- Gartner clients from SMBs have expressed that, despite interest in the vendor’s solutions, the price is often outside their budgets, especially for nascent programs, leading them to seek less-costly alternatives.
- Synopsys does not offer a DAST on-premises product or an automated DAST offering, only DAST as a managed service. The vendor’s DAST services have not been as competitive or widely adopted as those offered by many of its competitors.