ShiftLeft™ Inc., an innovator in application-specific cloud security, today introduced the industry’s first fully automated Security-as-a-Service (SECaaS) for cloud software that understands the security needs of each version of each application, and creates custom security and threat detection for it. With ShiftLeft, organizations can now secure their cloud applications as part of their continuous integration pipeline, rather than merely reacting to threats discovered in production. ShiftLeft also identifies vulnerabilities, including contextual vulnerabilities with usage of Open Source Software (OSS), and data leakage risks, allowing organizations to either fix them or protect against them in production using ShiftLeft’s Microagent.
The move to cloud-native applications is forcing organizations to re-architect how they approach security. The critical problem over the next decade is how to protect cloud apps and microservices (collectively called cloud-based workloads) without slowing innovation. With each software build, ShiftLeft extracts all security-relevant aspects from the codebase, called Security DNA, and uses it to create a custom Microagent to provide runtime protection. ShiftLeft’s new SECaaS solution is precise and provides accurate alerts to organizations, without false positives. Organizations now have one solution to protect their workloads from known vulnerabilities, unknown vulnerabilities, and data leakage.
“ShiftLeft’s technology analyzes code at both build-time and runtime, providing deep insight into the behavior of applications,” said Gabe Monroy, lead program manager, Containers, at Microsoft Azure. “This unique approach promises an effective runtime security solution for cloud applications. When security problems arise, ShiftLeft gives developers precise feedback that enhances security throughout the software development lifecycle.”
ShiftLeft also today announced its formal company launch from stealth mode and latest round of funding led by Bain Capital Ventures and Mayfield.
“Micro-services are great for high velocity software development, however, they introduce massive challenges for end-to-end security and monitoring,” said Puneet Chawla, Co-Founder and CTO of Workspot. “Edge-based security is not sufficient for micro-services based cloud apps. ShiftLeft provides us the right vantage point to evaluate the security risks at different stages of our engineering lifecycle. Runtime protection for cloud apps is becoming a common practice and we are very excited to be an early adopter of ShiftLeft’s innovative solution.”
This launch marks the first time in the industry when customers can conduct code analysis to find bugs and provide runtime protection for bugs not yet fixed or not even identified yet, without compromising the pace of innovation. Hence the name ShiftLeft, as our mission is to shift security concerns to the left in the CI/CD lifecycle and help improve the security posture of the code. ShiftLeft is the first solution that combines code intelligence from build-time and runtime. Understanding of code at runtime allows ShiftLeft to not only identify an attack but also point to the specific line of code that caused the issue, significantly shortening mean-time-to-repair (MTTR).
According to Gartner, “Trends such as continuous integration (CI), continuous delivery (CD) and DevOps increase demand for better integration and automation of application security within the development pipeline.” (Note 1)
With ShiftLeft, DevOps teams can track compliance requirements for regulations such as PCI-DSS, HIPAA, and the General Data Protection Regulation (GDPR) for every release; for example, identifying if the card verification code is stored after authorization. Teams can leverage ShiftLeft’s pre-defined policies, or define custom dictionaries that suit their business requirements and development practices, to track the flow of sensitive data throughout their infrastructure.
“Existing off-the-shelf security solutions are not suitable for cloud workloads without customization for your application,” said Tobias Knaup, CTO and Co-founder of Mesosphere. “I am excited to see ShiftLeft tackling this problem head-on with its application-specific security.”
The Security DNA of an application is the sum of everything in a codebase that impacts its security, including the execution space of code (what it does and does not do), the flow and treatment of data, the way the application communicates with the outside world, dependencies used, and vulnerabilities. For the first time, developers, DevOps and Security teams can collaborate and leverage the Security DNA to enhance the security of their applications. Developers can prioritize fixes for vulnerabilities that are being exploited in runtime. DevOps can get deep visibility into all the important data flows. And Security teams can protect the applications from attacks without impacting the pace of CI/CD.
“The adoption of Cloud increases the pace of innovation by allowing us to deliver features even faster,” said Chetan Conikee, ShiftLeft CTO and co-founder. “But this pace of change defeats traditional security. ShiftLeft embraces this change to enhance security for cloud-native applications by creating a custom Microagent for each version of each application. This application-specific security is both automated and accurate. We no longer have to buy off-the-shelf security products, write policies, and tune them manually as we sift through hundreds of false positives.”
Availability and Pricing
Following the typical buying behavior of the DevOps and the DevSecOps persona, ShiftLeft offers a try-and-buy of its SECaaS solution from its website at https://shiftleft.io/landing for customers to evaluate the solution as a free trial before upgrading to the paid service. DevOps and the DevSecOps teams can try the product first-hand and discover how seamlessly it works in their pipeline while minimizing deployment complexity and performance overhead. The paid service is priced based on the memory consumption and usage of the workload.
Note 1 – Gartner, Inc., “Hype Cycle for Application Security, 2017,” Ayal Tirosh, July 28, 2017.
ShiftLeft™ Inc. is an innovator in application-specific cloud security, delivering the industry’s first fully automated Security-as-a-Service (SECaaS) solution that understands the unique security needs of each version of each application and creates custom security and threat detection for it. With ShiftLeft, DevOps can make threat detection part of their continuous integration/continuous deployment (CI/CD) process. ShiftLeft’s approach allows teams to both protect their applications immediately and enhance the security posture of their code. The company was founded by a team with extensive backgrounds in security and cloud infrastructure who were early innovators of technologies such as sandbox, nextgen Firewall, nextgen Electronic Payment Network and Fraud Modeling, and several open source initiatives. Headquartered in Santa Clara, Calif., ShiftLeft is backed by Bain Capital Ventures and Mayfield. For more information, see https://www.shiftleft.io/.