ShiftLeft™ Inc., an innovator in application security, today announced the general availability of its security-as-a-service platform for Microsoft’s .Net Framework (.Net). .Net developers can now leverage the commercial source code analysis solution with a highest-ever OWASP Benchmark Score of 75 percent [ https://www.shiftleft.io/press-releases/shiftleft-achieves-highest-ever-sast-score-on-owasp-benchmark/ ] to automatically create custom security profiles that protect their applications in runtime.
As enterprises modernize their software development practices (such as agile methods, cloud infrastructure, open source libraries, DevOps automation and microservice architectures), their efficiency gains in feature release velocity strain traditional security practices, which have remained largely manual. “.Net Core’s cutting edge developer toolset has attracted development teams that want the latest and greatest,” said Gabe Monroy, Lead Program Manager for Cloud Native Compute at Microsoft Azure. “ShiftLeft’s ability to remove manual security bottlenecks by fully automating continuous application security across development and production gives .Net developers another leg up on the competition.”
The most prevalent vulnerability for .Net applications is information leakage, such as inadvertently pushing critical data to external logs, code repositories or databases [ https://www.veracode.com/sites/default/files/Resources/Reports/state-of-software-security-focus-on-application-development.pdf ]. Unlike traditional approaches to identifying data leakage, which rely on highly inaccurate pattern-matching, ShiftLeft plots data flows from inside the application. ShiftLeft identifies which objects and variables are critical and plots their path across sources, transforms and sinks whether they be microservices, open source libraries, commercial SDKs or third-party APIs.
“With Europe’s GDPR, and states like California adopting similar privacy laws, data protection is no longer just finance and healthcare’s problem. The types and volume of data that must be treated as critical is skyrocketing for all industries,” said Chetan Conikee, ShiftLeft CTO and Co-Founder. “ShiftLeft now enables .Net developers to automatically determine whether or not the new release is inadvertently leaking data, such as logging device tokens in Splunk or unencrypted credit card numbers in S3.”
As .Net Core and Azure have embraced open source, the adoption of open source libraries in .Net applications is growing rapidly. Based on recent statistics from NuGet (package manager for .Net), there exist 127,558 unique packages at a peak of 11 billion downloads to date initiated by application developers/vendors.
Vulnerabilities discovered in open source packages may affect the applications that include them. Upon the disclosure of every new vulnerability, the application developer has to assess whether such a vulnerability is exploitable in the particular usage context of their applications—a task that is manual and can take several hours per vulnerability.
ShiftLeft’s information flow tracker is designed to analyze both the source code of the application and its libraries as a single unit in order to determine if an untrusted/tainted input can (or cannot) trigger a specific vulnerability. This is accomplished within minutes of ShiftLeft analyzing a new release.
“Until now, .Net security teams have been faced with a terrible choice: slow down innovation or release insecure code,” said Manish Gupta, ShiftLeft CEO and Co-Founder. “In less than 10 minutes, the Code Property Graph can identify why and where an application is vulnerable during the build process and block exploit attempts in production, if a vulnerability is not fixed. This means that even the most advanced CI/CD environments can now release as fast as they want to without ever worrying about security slowing them down.”
ShiftLeft™ Inc. is an innovator in application-specific cloud security, delivering the industry’s first fully automated Security-as-a-Service (SECaaS) solution that understands the unique security needs of each version of each application and creates custom security and threat detection for it. With ShiftLeft, DevOps can make threat detection part of their CI/CD process. ShiftLeft’s approach allows teams to both protect their applications immediately and enhance the security posture of their code. The company was founded by a team with extensive backgrounds in security and cloud infrastructure who were early innovators of technologies such as sandbox, nextgen Firewall, nextgen Electronic Payment Network and Fraud Modeling, and several open source initiatives. Headquartered in Santa Clara, California, ShiftLeft is backed by Bain Capital Ventures and Mayfield. For more information, see https://www.shiftleft.io/.