img

Synopsys


  Based in Mountain View, California, Synopsys is a global company with offerings in the software and semiconductor areas. Synopsys has been executing a strategy to expand its AST portfolio during the past few years, adding Cigital (App Sec Services), Quotium’s Seeker IAST, Codenomicon (SCA), Protecode (SCA), Coverity (SAST) and Black Duck (SCA). This merger and acquisition (M&A) push has provided it with good coverage of the secure SDLC market, through products and services that it has been attempting to integrate into a complete, seamless offering.

  During the past 12 months, the vendor has introduced a new platform, Polaris, which is intended to be the central management console for all Synopsys AST products. The SAST solution was the first to be fully integrated into Polaris, and the vendor intends to integrate the rest of the platform throughout 2019. The vendor also introduced a new lightweight IDE plug-in (initially for the IntelliJ IDE with support for Eclipse and Visual Studio IDEs introduced in February 2019), Code Sight, meant to run full SAST analysis by continuously scanning in the background while a developer is coding. Synopsys should be considered by organizations looking for a complete AST offering that want variety in AST technologies, assessment depth, deployment options and licensing.

#1 in Silicon Design & Verification

The world’s #1 electronic design automation tools and services

Broadest Portfolio of Silicon IP

#1 in interface, analog, embedded memory, and physical IP

Leader in Software Security & Quality

Leader in Gartner Magic Quadrant for appsec testing and in Forrester Wave for software composition analysis

Strengths

  • Synopsys Polaris Software Integrity Platform is a new offering that provides tracking of vulnerabilities and metrics across SDLC phases. It interfaces with all Synopsys tools, as well as the build system.
  • Seeker continues to be one of the most broadly adopted IAST solutions, with good SDLC integration. Synopsys has an agent-only IAST for Seeker that does not require an inducer. This supports the passive testing model offered by some IAST competitors.
  • The Code Sight plug-in is a good fit for DevOps shops, because it provides strong integration with IDEs to provide a SAST spell-checker early in the development phase. The Code Sight plug-in leverages the same analysis engine as Coverity.
  • Synopsys offers a comprehensive set of AST offerings suitable for a range of use cases and differentiates by providing a variety of fuzzing capabilities (input fuzzing, protocol, etc.) delivered via Defensics, which is an unusual and often overlooked functionality that can complement AST initiatives.
  • Synopsys is well-positioned in the Internet of Things (IoT) AST space, where it supports a broad range of protocols, such as XMPP, MQTT, CoAP and AMQP (via Defensics).

Cautions

  • Synopsys Coverity supports fewer languages than major SAST competitors, lacking, for example, Go and Kotlin (although there are plans to add these). Gartner client feedback indicates that the vulnerability clarification and fix recommendation is limited, compared with some of the competitors.
  • Synopsys continues to work on better integration and consolidation to offer a unified platform desired by customers. Although there has been a lot of progress, work remains in this area — for example, adding Seeker and Black Duck to the Polaris Platform.
  • Gartner clients from SMBs have expressed that, despite interest in the vendor’s solutions, the price is often outside their budgets, especially for nascent programs, leading them to seek less-costly alternatives.
  • Synopsys does not offer a DAST on-premises product or an automated DAST offering, only DAST as a managed service. The vendor’s DAST services have not been as competitive or widely adopted as those offered by many of its competitors.


line