Synopsys is bringing together its software integrity assets in a new offering aimed at helping organizations improve code quality, security and assurance.
The Polaris Software Integrity Platform is being formally announced by Synopsys on Feb. 25, with the company planning on showcasing the new technology at the RSA Conference in San Francisco, which runs from March 4-8. With Polaris, Synopsys is bringing together multiple technologies and product lines it already has into an integrated offering to help organizations with the entire developer and operations workflow, identifying code defects and security issues as well as providing risk reporting capabilities.
“Polaris is really more than the sum of its parts, though under the hood it has the Coverity, Black Duck and Seeker engines,” Andreas Kuehlmann, general manager of the Synopsys Software Integrity Group, told eWEEK. “What we are working on now is synergy between the different technologies.”
Synopsys has been growing its Software Integrity Group portfolio over the last five years with multiple acquisitions. Back in March 2014, Synopsys acquired static code analysis vendor Coverity and has steadily improved the technology in the years since then. In May 2015, Synopsys acquired the Seeker interactive application security testing (IAST) technology from Quotium. In November 2016, Synopsys acquired privately held security companies Cigital and Codiscope. In November 2017, Synopsys acquired Black Duck Software for $565 million, providing software composition analysis capabilities that are used to help organizations understand and secure applications.
Kuehlmann said that in Polaris the different software integrity technologies are brought together with a uniform reporting and user experience. He explained that the integration will, for example, enable Coverity static analysis technology to inform the Black Duck engine if there is a vulnerability in a piece of code and if that vulnerability can be exploited.
“Part of the strategy is really that the different technologies help each other,” Kuehlmann said.
Overall, Kuehlmann said Polaris is all about helping organizations improve the entire software development lifecycle. That begins at the IDE (Integrated Development Environment) level where developers are coding, and includes the CI/CD (continuous integration/continuous deployment) DevOps workflow as well as staging and production environments.
How Polaris Works
Polaris consists of several components, with a central server at the core. Kuehlmann explained that the Polaris central server plugs into a CI/CD workflow such that it is an integrated part of the process every time a developer triggers a build or pushes something from a staging environment into production.
Another core element of Polaris is the Code Sight IDE plugin that integrates with a developer’s coding workflow in an interactive and integrated approach.
“The moment you save the file in the IDE, Coverity kicks off in the background and populates your screen with anything it finds,” he said. “The outcome is that a developer can actually fix the majority of the defects earlier in the process when they are coding.”
Consolidated Risk Reporting
With the integrated backend technologies for different types of software analysis, Polaris also enables consolidated risk reporting.
“What a risk-based approach really means is you need to find a way to holistically look at your application portfolio and be able to prioritize the different findings and among the different applications,” Kuehlmann said.
Kuehlmann explained that Polaris provides an integrated view of risk from its own technologies, and is also set to be open to other integrations to provide a broader viewpoint. He said that the plan is to make Polaris an open platform that will be able to integrate with multiple components.
“We see Polaris as an open platform that not only uses our technology and can integrate with other technologies, but also as a platform where we look at security as well as quality, service and compliance,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.