Synopsys - Coverity
Coverity is a Static Application Security Testing (SAST) service that finds Security vulnerabilities in a wide range of languages and Infrastructure as Code (IaC) technologies
Features
- Test without disrupting development
- Arm developers with remediation guidance
- Gain breadth, depth, speed, and scale
- Customize analysis for corporate requirements and industry standards
- Implement a solution customized to your organization
Benefits
- Better manage security risks with open source within your code
- Understand what open source is in your code
- Better manage operational risks with open source within your code
- Better manage licensing risks with open source within your code
- Understand where Open Source code is located
- Understand what open source security/operational and licensing risks are present
Pricing
£1,846.56 a user a year
- Free trial available
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at psitq@softcat.com.
Tell them what format you need. It will help if you say what assistive technology you use.
Framework
G-Cloud 13
Service ID
2 6 2 1 6 8 6 6 5 6 7 8 0 7 3
Contact
Softcat Limited
Charles Harrison
Telephone: 01628 403403
Email: psitq@softcat.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
-
- Public cloud
- Private cloud
- Hybrid cloud
- Service constraints
- No
- System requirements
- Please contact
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Synopsys has a set menu of response times for the support of it's products. https://www.synopsys.com/company/legal/software-integrity/product-license-v2016-2.html
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- All support levels are documented here: https://www.synopsys.com/software-integrity/support/sca-support-plans.html
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
- Synopsys will help new customers with an implementation plan that includes Onsite (if needed), on phone/web and also full self paced web training.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- User would generate reports of the data to extract data at the end of the contract.
- End-of-contract process
- At the end of the contract the software will remain running and installed but will not be able to be accessed as the registration key will be inactive.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Application to install
- Yes
- Compatible operating systems
-
- Linux or Unix
- MacOS
- Windows
- Other
- Designed for use on mobile devices
- No
- Service interface
- No
- User support accessibility
- None or don’t know
- API
- Yes
- What users can and can't do using the API
-
All administration operations available through the gui are can be accessed via a REST API.
Information on vulnerabilities can also be extracted via a REST API to support integration with external tools - API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- ODF
- API sandbox or test environment
- No
- Customisation available
- Yes
- Description of customisation
-
Customisation of generated reports can be done (i.e. customer logs).
Coverity provides many options to tune performance with configuration
Scaling
- Independence of resources
-
When the service is containerised and therefore has scalability to support many different users at the same time.
If it is not container based the service is size according to the number of user and size of base code that will be scanned.
Analytics
- Service usage metrics
- No
Resellers
- Supplier type
- Reseller providing extra support
- Organisation whose services are being resold
- Synopsys
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- European Economic Area (EEA)
- Other locations
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Encryption of all physical media
- Other
- Other data at rest protection approach
- Data at rest for SaaS offering is encrypted using full storage encryption on Google Cloud Platform. For Private Cloud or Air Gapped solutions, encryption at rest is at the customers discretion
- Data sanitisation process
- No
- Equipment disposal approach
- In-house destruction process
Data importing and exporting
- Data export approach
- Scan results can be exported via the gui or API.
- Data export formats
-
- CSV
- Other
- Other data export formats
-
- PDF or through the reporting database.
- JSON
- Data import formats
- Other
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- There are different SLA's for different parts fo the product, we would be happy to supply them as needed.
- Approach to resilience
- The data centre is hosted by a 3rd party and is certified. There is are physical and technology restrictions on it to prevent access to the servers. These include badging, firewalls and many other methods. More details are available upon request.
- Outage reporting
- Outages are reporting in email and on the public customer forum
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- Public key authentication (including by TLS client certificate)
- Other
- Other user authentication
- Managed by customer for example their own SSO/MFA/LDAP
- Access restrictions in management interfaces and support channels
- All management dashbaords and interfaces are controlled by role based access which is either manually assigned or is associetd with LDAP groups.
- Access restriction testing frequency
- At least once a year
- Management access authentication
- 2-factor authentication
Audit information for users
- Access to user activity audit information
- No audit information available
- Access to supplier activity audit information
- No audit information available
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
-
- ISO/IEC 27001
- Other
- Other security governance standards
-
SOC 2 Type II
Please see our security commitments: https://www.synopsys.com/company/legal/software-integrity/security-commitments.html - Information security policies and processes
-
In the Synopsys SIG Product Security Program, we’re obsessed with asking the question “What if?” We
strive to understand exactly what risks we’re exposed to. Because our approach considers every phase
in the life cycle of our products, we can address security from every angle. Every person in SIG feels
connected to this mission, and that gets baked into everything we do.
Our innovative tools offer advanced protection against vulnerabilities. And we’re uniquely positioned
to provide these products built with security in mind from the start because we use the entire suite of
Synopsys security tools and services. In fact, Synopsys was positioned as having the strongest offering
in the 2017 Forrester Wave for Static Application Security Testing, and in 2018 we were a Gartner Magic
Quadrant leader in application security testing. https://tinyurl.com/SIG-product-security
In addition to our security commitments above, please see our Data Privacy and Protection Statement: https://www.synopsys.com/content/dam/synopsys/company/about/legal/synopsys-data-privacy-protection-statement-17dec2021.pdf
Please also see our Security Requirements for Vendors: https://www.synopsys.com/company/legal/info-security.html
and our Code of Ethics: https://www.synopsys.com/content/dam/synopsys/company/corporate-governance/code-of-ethics-final-04082021.pdf
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- All changes are requested and logged in JIRA & other bug tracking systems and approved by management before any change can be made.Part of the approval process is approval by a securoty architect.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- Vulnerabilties are discovered using a number of 3rd party software packages, both commercail and Open Source. The vulnerabilities are then ranked and based on the level of risk and how critical they are, they are remediated within a specified time period. For example, zero day vulns are fixed same day.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- Synopsys, uses NextGen Firewall by Palo Alto Netwrorks with IDS/IPS to identify potentail compromises and respond based upon how critcal the threat is.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- All incidents are managed through JIRA ticketign system to guive a full audit history for each incident.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Fighting climate change
-
Fighting climate change
https://www.synopsys.com/company/corporate-social-responsibility/environment.html - Equal opportunity
-
Equal opportunity
https://www.synopsys.com/careers/inclusion-diversity.html#present
Pricing
- Price
- £1,846.56 a user a year
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- There is a fully functional limited time offer available when engaged with Black Duck by Synopsys
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at psitq@softcat.com.
Tell them what format you need. It will help if you say what assistive technology you use.