When I got the call to consider picking up the golden baton at the next-gen application security company (ShiftLeft) the thought hadn’t even crossed my mind. After all, I had committed to building another company (NumberOne AI), one that would build multiple companies and all of them on the foundations of predictive AI/ML to solve big problems in big markets (not necessarily cybersecurity).
But after digging into ShiftLeft, its customers, people and technology, I saw something truly unique and powerful that the world could not be deprived of: predictive code science.
After sitting on the sidelines for over three years, I walked into that first all-hands call in August of 2022 with tremendous excitement and nervous energy.
Among the countless questions asked of me were two that stood out:
- Why ShiftLeft?
- Where do you want to take this company?
In anticipation of these questions and others, I had carefully considered the risk of taking on the role and getting back into cybersecurity at all, especially given NumberOne AI. After all, last I left the industry, I had largely considered the problem of cybersecurity (especially prevention of execution based attacks) solved, at least on the endpoint. In a nutshell, I had everything to lose and very little to gain.
Of course, who doesn’t love a good underdog story?
But for those who know me, mission isn’t everything, it’s the only thing.
What really attracted me to ShiftLeft and the whole DevSecOps/AppSec space was the position it sat in the computing lifecycle: at the very beginning. This nutrient-dense world of code security offered the real potential of starting at the beginning with cybersecurity and solving it once and for all, forever. Sounds crazy for sure but big problems are like my catnip.
I know I will get endless flack for this next one. We in the industry constantly complain that all threats start with code, but very few of us jump into the hole-ridden dingy and try to paddle. Why? Because it is hard. Really hard. How many languages are there? How many frameworks, IDEs, Continuous Integration pipelines, infrastructures, etc? How many layers of developers, engineers and coders exist in a typical organization? The challenge seems beyond daunting. But with ShiftLeft’s truly unique approach of code property graphs (CPGs), we may have for the very first time in the history of cybersecurity, the tools to rid the world of all cybersecurity threats. Yes, 100% of them. Not 99 or 99.999% but 100%.
“100% is impossible” most hardened security veterans would say. And they may be correct, at least practically. But theoretically, if we can identify all known and unknown vulnerabilities in code (and of course, that is a big “if”) and we can help introduce security features and functionality into all elements of coding applications, couldn’t we (at least in theory) prevent 100% of cyber attacks? This is what I saw as possible when considering the ShiftLeft opportunity. Combine this theoretically potential truism with ShiftLeft’s CPG approach and it opened up potentially unlimited possibilities.
Code security lives in the legacy cybersecurity world of “signature-based.”. To identify a security flaw in code, one needs to take a known security flaw and try to find the same thing in a series of functions or methods in code.
But what about the unknown flaws, the ones that have yet to be discovered and not a part of the OWASP Top 10 or CWE 25, etc.? The CPG provides the potential to discover the unknown-unknown vulnerabilities at machine speeds rather than human. And promises equal to or better accuracy than humans, maybe even the possibility of vulnerable code prevention
Changes are afoot my friends, and I know just the team to lead it.