Last month Sonatype announced the acquisition of MuseDev, an innovative code analysis platform that does three things remarkably well:
- automatically examines code associated with a developer’s pull request
- provides accurate feedback pertaining to code quality and simple security mistakes
- makes it super easy for developers to find and fix critical bugs during code review.
Since the news was announced, we’ve been busy responding to interest from customers, partners, and analysts -- all of them excited to see how software developers and engineering teams can now gain better control of the entire software supply chain; from first-party source code, to third-party open source code, to infrastructure as code, and containerized code.
Further, in light of our partnership with MicroFocus Fortify, we’ve also fielded a few questions about the relationship of MuseDev to enterprise SAST tools. This post provides guidance to easily answer that question.
According to Gartner, Static Application Security Testing (SAST) is a set of technologies designed to analyze application source code, byte code, and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the “inside out” in a non-running state. SAST tools are commonly purchased by application security professionals and typically deployed as part of the security and risk management portion of the software development lifecycle.
Muse on the other hand, is an innovative code analysis program for developers that identifies a broad range of performance, reliability, style, and simple security issues. Muse automatically analyzes each pull request, focusing just on issues related to the changed code. Muse then provides super helpful feedback to developers as comments in code review. The result is that Muse helps developers fix more bugs “upstream” so they become better partners to security professionals conducting “downstream” SAST testing.
To achieve coverage across the full spectrum of code issues, Muse integrates its 24 pre-configured code analyzers into GitHub, GitLab, and Bitbucket. Muse analyzers go beyond traditional linting to perform deep code analysis, to surface performance and reliability issues like data races and thread safety violations. Because Muse feedback is delivered during the peer code review portion of the workflow, it’s easy and natural for developers to fix bugs without slowing release velocity. This makes Muse highly complementary to enterprise SAST tools like Fortify that surface a wide breadth of deep security issues that Muse doesn’t provide.
Muse compliments enterprise SAST by:
- Catching Code Quality Issues Outside the Scope of SAST: Muse catches non-security issues, like performance, reliability, and coding style/standards bugs.
- Fixing the Simple Stuff Early, So Teams Can Focus on Complex Issues Later - Muse is used by developers to identify simple security findings prior to sophisticated security static analysis performed by security teams. This helps free up security teams to focus their SAST tools on more complex issues.
- Delivering Results into Security Dashboards With the Muse API, third-party enterprise SAST tools can ingest Muse findings into their platforms to help create a complete picture of what’s happening with a company’s source code at every stage of the development life cycle.
Sonatype’s combination with MuseDev is about one thing: helping developers find and fix a wide variety of bugs with the least amount of effort. When software developers are equipped with the right feedback (code quality and lightweight security issues), delivered in the right place (the native pull request workflow), delivered at the right time (during code review) -- they will fix more bugs “upstream” and deliver higher quality software “downstream” which is a complementary to security teams conducting SAST testing.