Scott K. Johnson, Synopsys: “cybersecurity is still about people – we are all human, and humans make mistakes”

Although the COVID-19 pandemic is old news, threat actors are still exploiting new vulnerabilities that emerged with the hybrid work environment.

Remote work meant people using their insecure personal devices and networks to do their job. Fraud, ransomware, identity theft – companies are still fighting many of such threats to this day.

But traditional security measures that regular users often rely on aren’t the optimal choice for enterprises. Businesses are in need of more advanced and complex security measures for the whole infrastructure, including for AppSec (application security).

For this reason, we invited Scott K. Johnson, the Senior Director of Product Management at the Synopsys Software Integrity Group – a company that specializes in innovative technologies and application security solutions. Johnson shared his views on cybersecurity and threat prevention methods, and shed light on AppSec.

What has your journey been like? How did the idea of Synopsys come about?

I started working in the cybersecurity industry in 2002 at a company called Internet Security Systems. We were one of the initial intrusion prevention systems (IPS) and network scanning solutions providers. From Bagle Worm to Nimda, there was never any rest when it came to zero days and cyber threats.

I decided early on that cybersecurity was the place for me. The risks and threats have only become more critical to manage since then. Whether network, data, or applications, the risks are all intertwined today where lateral movement makes it critical to quickly identify and remediate issues. That has kept my interest in application security for almost a decade now.

From my role as general manager at Micro Focus Fortify to leading the Synopsys Software Integrity Group’s product management team (my current role), it has truly been a profound journey helping create solutions from SaaS to on-premises solutions that make a tangible difference with some of the world’s leading enterprises. And the journey seems to begin anew every couple of years with new variants and threats to manage (as we’ve recently seen with the emergence of the Log4Shell vulnerability).

Regarding Synopsys, the credit belongs to Chi-Foon Chan, the Synopsys co-CEO who had the foresight (back before Coverity was even in the market) to understand how silicon and software were one. He started it all with his vision to help secure the code that is powered by the chips. Now here we are with an incredible portfolio that leads the market in helping companies address their AppSec needs.

Can you introduce us to what you do? What are the main challenges you help navigate?

In my role within the Synopsys Software Integrity Group, I lead product management for our AppSec portfolio covering static application security testing (SAST), software composition analysis (SCA), interactive application security testing (IAST), and a number of other AppSec sub-sets. This is to help ensure we are creating industry-leading solutions that work to resolve a variety of AppSec problems while also meeting and exceeding the needs of our customers.

A key part of my role is to help orchestrate how we bring our capabilities together to provide holistic AppSec strategies with the speed and scale required to meet today’s modern application development needs. While that means keeping up with the latest languages and frameworks, it also means ensuring innovation around actionability, integration, and the evolving supply chain security needs of the future. This also includes a major focus on SaaS for our solutions to incorporate value-added security testing services which complement our product offerings with consulting and managed services expertise.

The main challenge is the pace of change with the explosion of applications being developed and the speed at which they are being released into production. The challenge thus becomes navigating where we double down on our solutions’ research and development efforts to provide the most value to customers as quickly as possible. Oftentimes, that means applying an incremental and agile approach requiring the right level of planning and customer engagement. It is that engagement that really makes the difference.

What are the most common vulnerabilities nowadays that if overlooked, can lead to serious problems for a business?

What is common is that vulnerabilities, in general, are now common! Most recently, with the Solarwinds and Colonial Pipeline breaches, the impact was both local and global in nature. Taking the Colonial Pipeline scenario as an example, my daughter was driving back to college after a break spent at home. The lines at the gas stations along the way extended out into the street. You know cybersecurity vulnerabilities are hitting home when your daughter is having a hard time getting gas due to the impact.

We continue to see new variations of cross-site scripting (XSS) and SQL injection but with more precision. By precision, I mean that these vulnerabilities – in addition to simply carrying out denial-of-service (DoS) attacks and holding victims for ransom (via ransomware) – are focusing on laterally moving and then lying in wait to be executed.

We must also consider a number of zero-day exploits with Trojan Source, Log4Shell, and Spring4Shell. Trojan Source was particularly wicked because it literally made the code during a code review appear valid. Once the code was compiled, it enabled a hacker to leverage different logic for malicious activity.

Do you think the recent global events altered the way people approach cybersecurity?

I would say that recent global events have raised the level of fear and awareness to a degree in which the people I know at my coffee shop are asking me about it. I would also tell you that I find that to be a good thing. COVID-19 brought increased cyber-focused needs with more remote work and thus a shift in the hackers’ attack vector to include tools like Zoom as well as an increased need for VPN security.

In your opinion, what are some of the worst cybersecurity habits that can lead to not only the company’s but also their customer data being compromised?

Cybersecurity is still about people. We are all human, and humans make mistakes. We, as humans, often develop poor habits when it comes to security and AppSec hygiene. Not updating our passwords, not updating our software, clicking on a link that is suspicious, etc.

Continuing to build security into the processes within our organizations isn’t only a nice-to-have, it’s a hard requirement. You simply have to scan your code early and often. You have to assess your open-source components and update them without compromise. Train your people. Make cybersecurity a team sport, meaning everyone within the organization plays a role – from the CEO down. It has to become part of every company’s culture, whether you are in the business of selling coffee or online services.

Why do you think certain companies are unaware of the risks their software is exposed to?

If they are unaware of at least general cyber and AppSec risks that threaten them, then they probably shouldn’t be in business today. It is inexcusable in today’s global environment to be unaware of security risks in the software that businesses either build or rely on to power their operations. That said, no one is going to know the full extent of their exposure. The way to overcome this is to staff and train your team and take an offensive security stance as an organization. You simply must invest in security and make it part of your business – no matter the size or industry within which you operate. Larger organizations can and should also leverage professional services to obtain a third-party view of your exposure potential and to augment any gaps with internal skill sets. And of course, leverage the tools and capabilities that are available.

What are some of the best practices organizations should follow when developing software or an application?

When it comes to AppSec, it’s all about the three Ps:

  1. Process
  2. People
  3. Products (i.e., tools)

Create security champions within the teams. Train them. Ensure that security is part of their MBOs. And then scan early and scan often.

Additionally, the term ‘shift left’ is overused, in my opinion. Rather, think in terms of best practices that enable developers, AppSec managers, DevOps managers, and executives to be part of the process. From integrated developer environments (IDEs) and repo integration to automated scanning at build, infuse the tools into the process as seamlessly as possible.

Talking about individual users, what security tools do you think should be a part of everyone’s daily lives?

Today’s threats in AppSec really drive a need for tools at each stage of the software development life cycle (SDLC). Using IDEs with fast, actionable insight – from basic quality checks to lightweight SCA and SAST – is a great way to reduce issues at the earliest stage.

SAST remains a stalwart method when it comes to source code vulnerabilities and leveraging data flow to find critical issues. Lots of companies are doing things faster, and so is Synopsys. But you simply cannot find meaningful results without data flow as part of your SAST scanning repertoire.

And with all the open-source vulnerabilities emerging in the headlines these days, SCA is a must for users to determine component risks, license policy violations, and operational exposure.

IAST fits some key use cases in areas where DAST and SAST have coverage gaps, plus there is value in being instrumented into the runtime environment that you just don’t get with any other tool. Of course, DAST does remain a key tool for web applications and for APIs, in particular.

I would add that depending on your industry, such as telecom and automotive, black box fuzz testing is a must. While more targeted, finding protocol-related issues for wireless and autonomous driving systems is rapidly becoming a critical need.

What does the future hold for Synopsys?

Synopsys is well-positioned for the road ahead with the depth and breadth of our portfolio that we will only continue to invest in and make stronger. The evolution of Polaris, our holistic SaaS offering, is something we are enthusiastic and passionate about. The ability to look at the application from each engine’s perspective, from SAST to IAST, plus value-added testing services on-demand, fills an important need in the market. Plus, we just announced that WhiteHat Security is going to become part of Synopsys. This brings one of the DAST pioneers into our family and provides a leading SaaS and services suite of offerings that we know will provide immediate value in the market.

The critically important topic of software supply chain security and how we leverage current and future innovations is also key. Much like DevSecOps became the path for modern development, software supply chain security is going to be a transformational evolution. Our view is that we maintain a focus on securing that evolution from Software Bills of Materials (SBOMs) to component intelligence as well as looking beyond open source.

Fundamentally, we are continuing to accelerate language and framework coverage with speed and depth of results that few can match. There is a lot to look forward to over the next 18 months that will help take organizations of all shapes to the next level of quality, compliance, and security with the deployability and flexibility options enterprises require as they grow, acquire, and expand their organizations.