ShiftLeft Launches Static Source Code Analysis Product to Enable Development Teams to Identify Vulnerabilities at the Speed of DevOps
ShiftLeft™ Inc., an innovator in application security, today announced the release of its stand-alone source code analysis product. The ShiftLeft Static Application Security Testing (SAST) product achieved a 75% score on the Open Web Application Security Project (OWASP) Benchmark for Security Automation, Version 1.2. Not only is it the highest SAST score ever recorded, but it is also nearly three times the commercial average score of 26% [https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html].
"Security has always been paramount, but traditional code analysis tools didn’t integrate into our CI/CD pipeline, created too many false positives and were just too slow,” said Harjot Gill, General Manager of Nutanix Epoch. “The accuracy and speed of ShiftLeft’s SAST enables Nutanix Epoch to automatically secure every release without slowing down new feature development.”
The software development life cycle (SDLC) has undergone dramatic changes that application security hasn’t kept up with. “ShiftLeft’s unique approach to analyzing source code allows us to understand software deeply, positioning us as a leader in application security focused on protecting the very source of software-driven innovation: applications. While the SDLC has achieved massive efficiencies from DevOps, cloud adoption, microservices architectures, containerization, etc., application security has been largely stagnant,” said Manish Gupta, ShiftLeft’s CEO and co-founder. “The legacy application security tools force customers to choose between innovation and security. Innovation is prioritized over security, and the resultant insecurity is clear via the constant data breach headlines.”
ShiftLeft’s SAST technology is fundamentally different. “Our approach is based on semantic graphing,” said Dr. Fabian Yamaguchi, ShiftLeft’s Chief Scientist. “We create one multi-layered graph that summarizes code on various levels of abstraction. This enables ShiftLeft to understand the context of what the application fundamentally is and is not supposed to do. From this basis, it becomes much easier to identify deviations as violations or vulnerabilities. In particular, this is critical for identifying complex vulnerabilities that are dependent on a series of conditions across various components that make up the application—for example, a third party SDK that is vulnerable to a deserialization attack when used in conjunction with a certain version of a library that can be found in either programming language or framework. Only by understanding how the components interact with each other can these sophisticated vulnerabilities be easily identified.”
“Furthermore, we’re able to understand abstract information layers instead of merely low-level data flows. So for example, instead of just knowing that code prints data, we also know sources, transforms, sinks, and protocols. Hence, identifying a database sending unfiltered data to http becomes much easier to flag as a reflected cross-site scripting vulnerability.”
ShiftLeft™ Inc., is an innovator in application-specific cloud security, delivering the industry’s first fully automated Security-as-a-Service (SECaaS) solution that understands the unique security needs of each version of each application and creates custom security and threat detection for it. With ShiftLeft, DevOps can make threat detection part of their CI/CD process. ShiftLeft’s approach allows teams to both protect their applications immediately and enhance the security posture of their code. The company was founded by a team with extensive backgrounds in security and cloud infrastructure who were early innovators of technologies such as sandbox, Next Generation Firewall, Next generation Electronic Payment network and Fraud Modeling, and several open source initiatives. Headquartered in Santa Clara, Calif., ShiftLeft is backed by Bain Capital Ventures and Mayfield. For more information, see https://www.shiftleft.io/.