{"id":36562,"date":"2022-06-07T04:53:00","date_gmt":"2022-06-07T04:53:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36562"},"modified":"2022-06-07T04:53:00","modified_gmt":"2022-06-07T04:53:00","slug":"software-house-mega-achieves-holistic-saas-security-with-synopsys","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36562","title":{"rendered":"Software house Mega achieves holistic SaaS security with Synopsys"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2022\/06\/software-house-mega-achieves-holistic-saas-security-with-synopsys.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>With over five million lines of code and 2,000 open source libraries underpinning its flagship Hopex <a href=\"https:\/\/www.techtarget.com\/searchcloudcomputing\/definition\/Software-as-a-Service\">software-as-a-service<\/a> (SaaS) platform, French software house <a href=\"https:\/\/www.mega.com\/en\">Mega International<\/a> has been working with security supplier Synopsys to reassure its developers and customers that its product\u2019s code is free from <a href=\"https:\/\/www.computerweekly.com\/news\/252516523\/Attackers-enlist-cloud-providers-in-large-HTTPS-DDoS-hit\">dangerous cyber security vulnerabilities<\/a>.<\/p>\n<p>Mega specialises in helping organisations plan and build on their work around IT inventory, technical obsolescence and IT strategy, in order to manage governance, risk and compliance, along with business processes and data governance.<\/p>\n<p>Because many of Mega\u2019s customers work in heavily regulated industries such as financial services, ensuring the security of the code contained within the <a href=\"https:\/\/www.computerweekly.com\/feature\/Disaster-recovery-is-an-essential-service-for-EDF-with-Phenix-IT\">Hopex platform<\/a> is of critical importance, and many years of enhancements and refactoring meant this assurance was becoming harder and harder 
to guarantee.<\/p>\n<p>A few years ago, says Philippe Bobo, head of research and development at Mega, the launch of the firm\u2019s SaaS activities marked an inflection point.<\/p>\n<p>\u201cWe hadn\u2019t had big security problems so far, but there was definitely something which was pushing that,\u201d he tells Computer Weekly. \u201cWhen we launched our SaaS activity, we needed to be very clear and very convincing to our customers to show that their data in our datacentres was safe and secure, more than ever.\u201d<\/p>\n<p>This led Mega to Synopsys\u2019s <a href=\"https:\/\/www.synopsys.com\/software-integrity\/security-testing\/static-analysis-sast.html\">Coverity<\/a> <a href=\"https:\/\/www.techtarget.com\/searchsoftwarequality\/definition\/static-application-security-testing-SAST\">static application security testing<\/a> (SAST) and <a href=\"https:\/\/www.blackducksoftware.com\/\">Black Duck<\/a> <a href=\"https:\/\/www.techtarget.com\/whatis\/definition\/static-analysis-static-code-analysis\">software composition analysis<\/a> (SCA) products.<\/p>\n<p>\u201cWe thought we were good, but we had no way to quantify that,\u201d says Bobo. \u201cAt that time, we decided to acquire Coverity, in order to measure ourselves \u2013 to reassure ourselves, and also to be able to provide quantified proof to people who wanted to buy our services and be sure their data is safe.\u201d<\/p>\n<p>A further priority was to assure secure management of the growing number of external libraries incorporated within Hopex\u2019s code \u2013 not only those that Hopex itself calls on, but libraries that those libraries may in turn call. 
\u201cThe dynamic hierarchy of dependencies can quickly become untraceable without a comprehensive and continually updated <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/post\/The-benefits-and-challenges-of-SBOMs\">software bill of materials<\/a> (SBOM),\u201d says Bobo.<\/p>\n<p>Finally, Mega also needed to be able to demonstrate to its <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/Soc-2-Service-Organization-Control-2\">SOC 2 auditors<\/a> that Hopex was securely managing data to protect the interests and privacy of its clients.<\/p>\n<p>\u201cSynopsys demonstrated a thorough understanding of our business, and particularly of the challenges [and] the large number of software assets, legacy code and compatibility issues that a long-time quadrant leader like Mega has to deal with,\u201d says Bobo. \u201cThis understanding made the implementation very straightforward.\u201d<\/p>\n<p>Bobo continues: \u201cCoverity had the widest coverage in terms of coding languages, as well as a sharp approach to C\/C++, with a highly satisfactory exception mechanism that would let us build a progressive picture of our code right from scratch, without being snowed under with a ton of alerts. This proved a key factor, as reliability was our main goal here.<\/p>\n<p>\u201cBlack Duck is the spearhead of our SBOM initiative. Black Duck allowed us to quickly launch the exploration process and help us set alert priorities for a codebase that was becoming more and more complex. Time-to-value and completeness were our main goals here. 
Synopsys provided a very efficient and reactive consultant to help get us launched and to answer questions, and we became autonomous very quickly.\u201d<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"40,000 bugs\">\n<h3 class=\"section-title\">40,000 bugs<\/h3>\n<p>As anticipated, when Coverity and Black Duck were put to work in Hopex, between them they caught myriad forgotten or overlooked weaknesses \u2013 in many cases, weaknesses that had, unbeknownst to anybody, been affecting the software\u2019s stability and even causing outages.<\/p>\n<p>According to Bobo, Coverity has detected almost 40,000 defect instances in the past five years, while Black Duck has uncovered more than 1,700 issues in external open source components and 70 different licensing issues.<\/p>\n<p>Fortunately, very few of these problems turned out to be an imminent threat to either Mega\u2019s security or that of its customers, says Bobo.<\/p>\n<p>In the intervening period since Mega first engaged Synopsys, it is no surprise to learn that the rate of discovery has slowed markedly as issues in Hopex\u2019s code have mostly been weeded out. As a result, the pace of the project has slowed, and the focus has shifted from remediation to what one might term continuous improvement \u2013 as the platform develops further, its developers can have confidence that the code they write is secure.<\/p>\n<p>\u201cIt\u2019s a real comfort for the developers, and to our customers, to be able to say bugs are detected the day they are created, and fixed the next day,\u201d says Bobo. 
\u201cWhen we release any kind of release of our software, should it be a big version, a smaller update, a hotfix or whatever, everything is scanned and guaranteed with zero defects from a best practice point of view.\u201d<\/p>\n<p>Mega has realised additional benefits in terms of how its developers go about code \u201chousekeeping\u201d in general. Rather than fixing defects in legacy code that is no longer being used, they now take the opportunity to pare down the code, and rather than including new open source components that need legal approval for a new licensing agreement, they try to make more efficient use of existing dependencies in third-party components, Bobo explains.<\/p>\n<p>\u201cWe would recommend Synopsys as a provider of a comprehensive set of holistic, complementary application security solutions, backed by a pool of sharp consultants who understand globally the industries they work with, as well as an organisation\u2019s unique processes. For a B2B global organisation like Mega, it\u2019s a must,\u201d he concludes.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>With over five million lines of code and 2,000 open source libraries underpinning its flagship Hopex software-as-a-service (SaaS) platform, French software house Mega International has been working with security supplier Synopsys to reassure its developers and customers that its product\u2019s code is free from dangerous cyber security vulnerabilities. 
Mega is a specialist in helping organisations [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":36563,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36562","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36562","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36562"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36562\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36563"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}