The software development life cycle (SDLC) is becoming faster and more automated. Traditional Application Security is slow and is being left out of the modern SDLC. ShiftLeft Inspect is a static source code analysis tool (SAST) that is fast and comprehensive. It integrates directly into DevOps pipelines via pull request, commit (Git, BitBucket, etc.), or build process (Jenkins, TravisCI, etc.), and it can analyze up to 500,000 lines of code in under 10 minutes.
The speed of analysis means developers can insert security into fast and modern SDLCs without slowing themselves down. Furthermore, rapid security feedback enables developers to fix vulnerabilities faster, because they don’t have to switch context and circle back to code written hours or days ago.
ShiftLeft Inspect analyzes your entire application, including custom code, open source libraries, and commercial SDKs. ShiftLeft can identify tricky contextual vulnerabilities, such as multi-stage deserialization vulnerabilities, which depend on how software components interact with each other. Inspect identifies vulnerabilities in open source libraries just as easily as in custom code. Inspect also understands the context of the application, which enables it to go the extra step of confirming whether your application actually uses the vulnerable open source library in an unsafe manner.
ShiftLeft automatically identifies sensitive variables in source code using industry-specific natural language processing (NLP) and machine learning. This enables ShiftLeft’s code property graph (CPG) to map definitively the exact flow of critical variables across sources, transforms, and sinks. Organizations using non-standard variable naming conventions can simply edit the critical data dictionary to customize it to their environment.
Managing the compliance requirements of PCI-DSS, GLBA, HIPAA, FISMA, etc. in fast-paced CI/CD environments is challenging. New privacy regulations, such as GDPR and the upcoming California Consumer Privacy Act of 2018 (AB 375), have significantly expanded the definition of which types of data must be protected. Combined with the increasing complexity of how applications are built (microservices, open source, SDKs, and APIs), keeping your deployment and your infrastructure compliant is becoming more and more difficult.
ShiftLeft automatically identifies critical data and maps its flows (sources, transforms, and sinks) in development and production. Data compliance violations are easily discovered during development and can be fixed before they result in heavy fines.
ShiftLeft integrates with all the tools you need to streamline application security, whether they’re a part of the SDLC or protecting the application in runtime. Specifically, ShiftLeft integrates with bug-tracking tools, CI and CD tools, code repositories, and SIEMs.
The key complaints from developers about Application Security are:
ShiftLeft enables Application Security and Software Development Teams to establish meaningful mutual SLAs that align with each team’s goals and incentives. By definitively confirming vulnerabilities, Application Security Teams never have to ask Development Teams to waste time on false positives. ShiftLeft also automatically protects the application in production from any vulnerabilities discovered in development, making Application Security more efficient and freeing developers to focus on releasing functionality that wins customers.
Both Application Security and Development can work collaboratively to enhance the security position of the organization, one application at a time. Nobody is forced to choose between releasing fast and security—everyone can have both!