Africa Studio - stock.adobe.com
With over five million lines of code and 2,000 open source libraries underpinning its flagship Hopex software-as-a-service (SaaS) platform, French software house Mega International has been working with security supplier Synopsys to reassure its developers and customers that its product’s code is free from dangerous cyber security vulnerabilities.
Mega is a specialist in helping organisations manage their plan and build upon their efforts around IT inventory, technical obsolescence and IT strategy to manage governance, risk and compliance, along with business processes and data governance.
Because many of Mega’s customers work in heavily regulated industries such as financial services, ensuring the security of the code contained within the Hopex platform is of critical importance, and many years of enhancements and refactoring meant this assurance was becoming harder and harder to guarantee.
A few years ago, says Philippe Bobo, head of research and development at Mega, the launch of the firm’s SaaS activities caused an inflection point for the firm.
“We hadn’t had big security problems so far, but there was definitely something which was pushing that,” he tells Computer Weekly. “When we launched our SaaS activity, we needed to be very clear and very convincing to our customers to show that their data in our datacentres was safe and secure, more than ever.”
“We thought we were good, but we had no way to quantify that,” says Bobo. “At that time, we decided to acquire Coverity, in order to measure ourselves – to reassure ourselves, and also to be able to provide quantified proof to people who wanted to buy our services and be sure their data is safe.”
A further priority was to assure secure management of the growing number of external libraries incorporated within Hopex’s code – not only those that Hopex itself calls on, but libraries that those libraries may in turn call. “The dynamic hierarchy of dependencies can quickly become untraceable without a comprehensive and continually updated software bill of materials (SBOM),” says Bobo.
Philippe Bobo, Mega
Finally, Mega also needed to be able to demonstrate to its SOC 2 auditors that Hopex was securely managing data to protect the interests and privacy of its clients.
“Synopsys demonstrated a thorough understanding of our business, and particularly of the challenges [and] the large number of software assets, legacy code and compatibility issues that a long-time quadrant leader like Mega has to deal with,” says Bobo. “This understanding made the implementation very straightforward.”
Bobo continues: “Coverity had the widest coverage in terms of coding languages, as well as a sharp approach to C/C++, with a highly satisfactory exception mechanism that would let us build a progressive picture of our code right from scratch, without being snowed under with a ton of alerts. This proved a key factor, as reliability was our main goal here.
“Black Duck is the spearhead of our SBOM initiative. Black Duck allowed us to quickly launch the exploration process and help us set alert priorities for a codebase that was becoming more and more complex. Time-to-value and completeness were our main goals here. Synopsys provided a very efficient and reactive consultant to help get us launched and to answer questions, and we became autonomous very quickly.”
As anticipated, when Coverity and Black Duck were put to work in Hopex, between them they caught myriad forgotten or overlooked weaknesses – in many cases, weaknesses that had, unbeknownst to anybody, been affecting the software’s stability and even causing outages.
According to Bobo, Coverity has detected almost 40,000 defect instances in the past five years, while Black Duck has uncovered more than 1,700 external open source components issues and 70 different licensing issues.
Fortunately, very few of these problems turned out to be an imminent threat to either Mega’s security, or that of its customers, says Bobo.
Philippe Bobo, Mega
In the intervening period since Mega first engaged Synopsys, it is no surprise to learn that the rate of discovery has slowed markedly as issues in Hopex’s code have mostly been weeded out. As a result, the pace of the project has slowed, and the focus has shifted from remediation to what one might term continuous improvement – as the platform develops further, its developers can have confidence that the code they write is secure.
“It’s a real comfort for the developers, and to our customers, to be able to say bugs are detected the day they are created, and fixed the next day,” says Bobo. “When we release any kind of release of our software, should it be a big version, a smaller update, a hotfix or whatever, everything is scanned and guaranteed with zero defects from a best practice point of view.”
Mega has realised additional benefits in terms of how its developers go about code “housekeeping” in general. Rather than fixing defects in legacy code that is no longer being used, they now take the opportunity to pare down the code, and rather than including new open source components that need legal approval for a new licensing agreement, they try to make more efficient use of existing dependencies in third-party components, Bobo explains.
“We would recommend Synopsys as a provider of a comprehensive set of holistic, complementary application security solutions, backed by a pool of sharp consultants who understand globally the industries they work with, as well as an organisation’s unique processes. For a B2B global organisation like Mega, it’s a must,” he concludes.