Today, Synopsys closed the acquisition of WhiteHat Security, an application security pioneer and market-segment leading provider of dynamic application security testing (DAST) solutions. Jason Schmitt, general manager of the Synopsys Software Integrity Group, provided some insights into how WhiteHat™ Dynamic will fit into the Synopsys portfolio in an earlier blog post. Today I would like to concentrate on what it means to our customers.
According to the Forrester report “The State of Application Security, 2022,” applications are the most common attack vector, with “web application exploits” the third-most-common attack. Accordingly, it is imperative that organizations test their running web applications in the same way that attackers probe them, to identify and eliminate vulnerabilities before they are discovered and exploited by outside agents.
DAST is certainly not a new technology, and Synopsys already offers DAST testing to our customers. But WhiteHat brings an entirely new dimension to our DAST capabilities. Specifically, it brings the ability to safely scan production applications without the need for a separate test environment. This ensures that what is exposed to hackers has been tested as deployed.
This is a critical capability, as the primary objective of DAST is to test running web applications for vulnerabilities such as SQL injection and cross-site scripting. These common vulnerabilities that are exploited in production applications do not exist in source code; they arise only after the application is deployed into production. This makes DAST an essential component of any application security testing program.
There is often confusion regarding the use of static application security testing (SAST) and software composition analysis (SCA) and the need for DAST. SAST and SCA test the application code and therefore discover a different set of vulnerabilities than DAST due to the fundamental differences in their approach. As such, most organizations utilize all three techniques at various points in the development process.
Historically, organizations have been reluctant to run DAST tests against production applications due to fears of data corruption from the DAST testing processes or impact to application performance. Instead, organizations often test the application in a production-like environment. But this opens the door for discrepancies between the testing environment and the production environment, which creates the potential for vulnerabilities to go undetected. The production testing capabilities of WhiteHat effectively eliminate this issue, empowering organizations to test their production systems.
WhiteHat Dynamic delivers the essential elements that make DAST testing an effective component of any testing regime.
Ten years ago SAST and DAST were the primary testing methods. They were the non-negotiables that every organization used to test their software. The rapid growth of open source quickly elevated SCA into the conversation, and now SAST, DAST, and SCA make up the “big three.”
With the acquisition of WhiteHat, Synopsys now offers SAST, DAST, and SCA solutions that are considered market leaders in their respective categories. There are other vendors that offer this, but often they concentrate on only one of the big three, and offer the other two as a side dish. I would submit that Synopsys now offers SAST, DAST, and SCA as three main courses.
You can see why we at Synopsys are so excited to add WhiteHat Dynamic to our portfolio. WhiteHat Dynamic enables you to test applications at DevOps speed and enterprise scale, building trust into your entire software portfolio. WhiteHat Dynamic is production safe, so applications are tested in the same form that hackers approach them. The SaaS delivery and headless operation of WhiteHat Dynamic enable organizations to readily integrate DAST into their DevOps and application security testing processes. Remediation guidance ensures that prioritized findings can be addressed at the speed that business dictates.