ShiftLeft recently launched its Security-as-a-Service solution. Can you provide us a brief overview of the key capabilities of the ShiftLeft service for cloud environments?
MG: ShiftLeft’s mission is to integrate security and compliance into the Continuous Integration/Continuous Deployment (CI/CD) pipeline, thereby bringing the same agility to security that DevOps brought to infrastructure. ShiftLeft protects the software (applications, microservices, workloads) that is resident in the cloud and changing at an unprecedented pace. For every version of every application we extract its Security DNA (all security-relevant elements in the source code) and, informed by that Security DNA, create a custom security agent to protect that specific version of the application.
ShiftLeft continuously monitors an application’s runtime environment to verify that its runtime behavior adheres to what the code was written to do. For example, if an application suddenly opens a connection to the internet and there is no reference to such behavior in the application code, that could be the result of a remote code execution attack, and customers are alerted to take action. ShiftLeft detects all vulnerabilities in code (these could include known vulnerabilities that are part of the CVE database or unknown vulnerabilities that have not yet been identified). An application-specific policy is created with the knowledge of these vulnerabilities, and it informs the Microagent to protect the application at runtime against its specific attack surface. The resulting Microagent is not only accurate and high-performance but also identifies the line of code causing an issue at runtime. This significantly reduces the time it takes a developer to fix the issue and helps collaboration between developers, DevOps, and security teams. Developers are also given information on the identified vulnerabilities so that they can prioritize and fix them. The benefit of this approach is a virtuous continuous-improvement cycle: every time a new release is created, vulnerabilities are identified, developers are informed so they can create fixes, and a Microagent protects the application armed with the knowledge of the application’s specific attack surface.
How does ShiftLeft protect data in the cloud apps?
MG: With ShiftLeft, customers can visualize the different types of sensitive data (PII, payment data, user secrets, passwords, infrastructure keys, etc.) propagating through their applications. They are alerted if sensitive data is accidentally leaked or if it is stored incorrectly (e.g., unencrypted). For example, say a developer prints certain credentials in an application for debugging purposes, and the application is logging to a third-party logging service such as Splunk, SumoLogic, etc. The developer accidentally deploys the application to production without removing the credentials. ShiftLeft can detect when that happens and block the leaking of credentials to the logging service. Customers can also tweak the policy to customize which data elements should be treated as sensitive (specific to their application and business requirements).
ShiftLeft also provides DevOps and security teams with real-time visibility into the inputs and outputs of the application – this includes inbound and outbound network interaction, database I/O, file I/O and others. On every new deployment, ShiftLeft detects any inputs and outputs that have been added and displays them in the ShiftLeft dashboard, so DevOps and security teams can easily identify the untrusted inputs and outputs used by the application without having to understand the source code.
I read on your website about embracing change. Can you describe why this is more relevant and important in a cloud environment?
MG: The challenges today in making applications secure in a cloud environment are two-fold.
Most traditional security products (firewalls, intrusion detection, anti-virus, web application firewalls, etc.) were developed for a time when enterprise software was shrink-wrapped and deployed in the data center. The prevailing best practice for such an environment was to deploy multiple layers of security in front of the data center – all of which focus on threats. This approach is ill-suited to cloud-based software, where a company has access neither to the operating system nor to the network of the infrastructure. The only thing that a customer has access to and owns is the application itself. An organization deploying software into the cloud needs to focus on the application, not the operating system and not the network. What is needed is a security solution that evolves with the application to be protected.
As the pace of software development increases and the use of open source software (OSS) and third-party libraries becomes more prevalent, more applications are being assembled as opposed to being developed from scratch. Traditional security solutions are ill-suited to such a rapid pace of change, as they either require humans to write rules or require lengthy periods of time to be tuned to the underlying application. Increased use of OSS and the rapid pace of change do not give developers enough time to either read through the documentation or review the code of the OSS libraries they use. This results in contextual vulnerabilities, which arise when the application does not adhere to the assumptions of an OSS library and can be identified only by analyzing the entire source code of the application (custom source code plus all the OSS libraries being used).
Securing applications has to match the pace of change of cloud-based software and the level of automation that CI/CD has brought to the software development lifecycle. At ShiftLeft, this is the problem we are solving.
Aren’t there current solutions addressing these issues? What is different about your solution?
MG: The current solutions that focus on protecting applications are either focused on analyzing code using older code-analysis techniques that take hours (if not days), or on providing protection from threats during production. This approach of running code analysis and runtime protection as two separate, disconnected parts of the security stack was built for shrink-wrapped software, where the companies developing the software were different from the companies hosting it in production.
ShiftLeft analyzes source code using a next-generation code analysis technique that is fast (on the order of seconds), identifies issues with the code, issues that arise from using OSS or third-party libraries incorrectly (such as the application not validating an input that a library expected to be validated), and issues with the flow and treatment of sensitive data throughout the application. With this deterministic information gathered from code analysis, ShiftLeft creates a policy for the ShiftLeft Microagent to protect the application at runtime against its specific attack surface. This correlation between code analysis and runtime protection is automated, with no human overhead required. This approach ensures a precise, high-performance security solution for protecting the application in production against its specific attack surface, as opposed to constantly reacting to threats.
Can you elaborate on the use cases in the DevOps segment? How do you envision traditional enterprises using your technologies for their cloud applications?
MG: These are some of the key use cases that DevOps teams are looking to solve from a security perspective:
- Accurate, high-performance runtime security that does not slow down CI/CD: ShiftLeft provides a solution that extracts the security-relevant aspects from an application or microservice every time it changes and uses that to inform runtime protection (in production), resulting in an accurate, high-performance security solution. ShiftLeft’s unique ability to create a policy in minutes every time the software changes ensures that ShiftLeft never impacts the pace of CI/CD.
- Sensitive data flow visibility: DevOps is also increasingly being asked to comply with regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI-DSS). ShiftLeft addresses this by identifying the flow of sensitive data throughout the infrastructure, informed by source code and runtime behavior, as opposed to pattern matching, which causes a large number of false positives.
- Automated security analysis at the speed of DevOps: DevOps is geared for speed and is responsible for the code in production. The challenge for widespread adoption of security in the DevOps workflow is to come up with tools and processes that do not create drag on release and deployment cycles. These include adding automated security analysis within continuous integration platforms to limit the introduction of vulnerable code earlier in the software development life cycle. This, coupled with lightweight runtime-embedded agents that can provide correlated runtime analysis of the issues detected by the automated security analysis, makes it easier for DevOps to work with developers in prioritizing which code problems they need to fix.
- Detection of risks in OSS usage: With the increased adoption of OSS in modern development, understanding its usage is a key requirement. ShiftLeft identifies if OSS usage is causing contextual vulnerabilities. For example, it helps you identify if the application is serializing data when the OSS library is expecting it not to.
At ShiftLeft, we are working with several traditional enterprises in banking and healthcare that are increasingly moving more applications to the cloud and releasing software frequently.
What can we expect to see from ShiftLeft in the future?
MG: As a startup, our key focus will be on our go-to-market strategy and customers. We have been fortunate to have a Customer Advisory Board from the inception of the company that helped validate our assumptions, prioritize the pain points we should focus on initially, and inform our go-to-market strategy. We will be accelerating our inbound marketing efforts over the next several months, in addition to rounding out the product to support more languages.
It’s been great chatting with you. Is there anything else you’d like to share about security in general or ShiftLeft?
MG: Cloud has fueled innovation in unprecedented ways, enabling companies to meet customer requirements faster. But change disrupts security, making it easier for attackers to exploit. The biggest security problem of the next decade is figuring out how to protect cloud software without slowing innovation. At ShiftLeft, our mission is to be the enabler of security for cloud software.