The software development life cycle (SDLC) is becoming faster and more automated. Application security teams must keep up or risk being left behind. ShiftLeft Inspect is the fastest and most comprehensive static application security testing (SAST) product in the industry. It integrates directly into DevOps pipelines via pull request, commit, or build, and it can analyze 500,000 lines of code in under 10 minutes. This enables AppSec teams to insert security into fast and modern SDLCs without slowing down innovation.
ShiftLeft’s Code Property Graph (CPG) is a fundamentally new and more effective way to analyze source code. The CPG leverages semantic graphing to create a single multi-layered graph that summarizes code on various levels of abstraction, including abstract syntax trees, control flow graphs, call graphs, program dependency graphs, and directory structures, to name a few. Rules to identify vulnerabilities—akin to firewall rules—are then used to traverse the graph to identify vulnerabilities accurately.
ShiftLeft analyzes your entire application, regardless of whether it is custom code, open source libraries, or commercial SDKs. ShiftLeft can identify vulnerabilities in open source libraries just as easily as within custom code. ShiftLeft’s CPG understands the context of the application, which enables the CPG to go the extra step of confirming whether the application is leveraging the vulnerable open source library in an exploitable manner.
By combining ShiftLeft’s application microagent with code analysis, analytics from test or production environments can be used to prioritize vulnerabilities further. A static analysis of an application cannot answer whether a vulnerability is in a code path that becomes exercised in production or determine which of the two vulnerable code paths sees more traffic.
Combining ShiftLeft Protect addresses these shortcomings by combining code analysis with runtime protection.
The adoption of microservices, open source libraries, commercial SDKs, and external APIs has dramatically increased the complexity of how data flows into, across, and out of modern applications. The results are regular headlines of major organizations accidentally leaking unencrypted critical data through external APIs, logging services, and/or cloud infrastructure.
ShiftLeft automatically identifies critical variables in source code using industry-specific natural language processing (NLP). This enables the CPG to map definitively the exact flow of critical variables across sources, transforms, and sinks. Thus, critical data violations are easily identified in development, before being pushed to production. Organizations using non-standard variable naming conventions can edit the critical data dictionary to customize it to their environments.
The ShiftLeft solution is designed to protect applications automatically at the speed of DevOps. During the development process, ShiftLeft identifies vulnerabilities and potential data leakage scenarios. These are presented to developers to fix, who will typically focus on a subset of the issues identified, depending on the organization’s priorities. The ShiftLeft solution then creates a policy for the ShiftLeft application microagent to protect the residual issues in production.
The process from analyzing the new build to enforcing a new policy in production is fully automated, and it takes just minutes.
Application security has traditionally been manual, time-intensive, and computationally expensive. In development, false positives from code analysis, writing QA tests, and patching require many hours from specialized talent. In production, false positives waste time and/or block legitimate traffic. Inline decryption/re-encryption required to inspect encrypted traffic is computationally expensive and adds to the overall complexity.
ShiftLeft significantly reduces these operational inefficiencies by eliminating false positives and automatically creating security profiles that protect the application in runtime. Vulnerabilities are confirmed via test or production traffic, so developers do not waste time fixing false positives. Confirmed vulnerabilities are always delivered to developers with their exact line(s) of code, which further decreases the mean time to repair (MTTR).
Lastly, the computational resources required in production are minimal because of the accuracy of the ShiftLeft solution. ShiftLeft’s application microagent is informed by the security policy exactly how and where the application is vulnerable, so it is extremely precise in how it protects the application. There is no need to decrypt and re-encrypt production traffic because the ShiftLeft microagent sees what the application sees.
Managing the compliance requirements of PCI-DSS, GLBA, HIPAA, FISMA, etc. in fast-paced CI/CD environments is challenging. New privacy regulations, such as GDPR and the upcoming California Consumer Privacy Protection act of 2018 (AB 375), have significantly expanded the definition of which types of data must be protected. Combined with the increasing complexity of how applications are built (microservices, open source, SDKs, and APIs), deployed compliance is becoming more and more difficult.
ShiftLeft automatically identifies critical data and maps their flows (sources, transforms, and sinks) in development and production. Data compliance violations are discovered easily during development and can be fixed before they result in heavy fines.
Security is everyone’s responsibility, but sometimes this means nobody takes ownership. ShiftLeft enables Application Security and Software Development Teams to establish meaningful mutual SLAs that align with each team’s goals and incentives. By definitively confirming vulnerabilities, Application Security Teams never have to ask Development Teams to waste time on false positives. ShiftLeft also automatically protects the application in production from any vulnerabilities discovered in development, enabling Application Security to be more efficient.
Both Application Security and Development can work collaboratively to enhance the security position of the organization, one application at a time.