And here’s one from the “you can never use too many buzzwords” school of thought. ShiftLeft is launching today, and in its briefing materials it breathlessly announced the fact by saying:

ShiftLeft Introduces Industry’s First Application-Specific Security-as-a-Service to Protect Cloud Applications and Microservices at the Speed of DevOps

I was going to go into a rant about PR and marketing folks getting ahead of themselves, but instead I’ll overlook the phraseology and take a look at what ShiftLeft is actually doing. It’s a hard job, picking apart briefing materials full of marketing-speak. But that’s what I do for you, my dear readers…

ShiftLeft is an innovator in application-specific cloud security, delivering the industry’s first fully automated Security-as-a-Service (SECaaS) solution that understands the unique security needs of each version of each application and creates custom security and threat detection for it. With ShiftLeft, DevOps can make threat detection part of their continuous integration/continuous deployment (CI/CD) process. ShiftLeft’s approach allows teams to both protect their applications immediately and enhance the security posture of their code.

OK, so ShiftLeft is a cloud-based security platform that, rather than simply offering a vanilla, one-size-fits-all methodology around protection, interrogates each individual application and creates customized security settings for it. So far, so good.

With ShiftLeft, organizations can now secure their cloud applications as part of their continuous integration pipeline, rather than merely reacting to threats discovered in production. ShiftLeft also identifies vulnerabilities, including contextual vulnerabilities with usage of Open Source Software (OSS), and data leakage risks, allowing organizations to either fix them or protect against them in production using ShiftLeft’s Microagent.

So this is interesting. Traditionally, security and application development/deployment have been discrete tasks; indeed, there has been a tendency to see the relationship between the two groups of practitioners as somewhat adversarial. ShiftLeft changes this paradigm and makes security a component part of application development and deployment. It does so by leveraging the current trend towards continuous integration and continuous deployment (CI/CD), a notion that describes a culture of constant feedback and improvement, as opposed to the previous paradigm of big releases made on an infrequent basis. CI/CD sets the scene for many deployments per day and a corresponding increase in organizational agility.

The move to Cloud native applications is forcing organizations to re-architect how they approach security. The critical problem over the next decade is how to protect cloud apps and microservices (collectively called cloud-based workloads) without slowing innovation. With each software build, ShiftLeft extracts all security-relevant aspects from the codebase, called Security DNA, and uses it to create a custom Microagent to provide runtime protection.

To my point. While I’m not a big fan of the SECaaS acronym, ShiftLeft raises a good point about the challenges for security practitioners given modern approaches to application development. This notion of Security DNA, re-extracted on every build, is essentially a security-centric analog of the CI/CD process itself and would seem to align well with the way modern organizations work.

This launch marks the first time in the industry that customers can conduct code analysis to find bugs and provide runtime protection for bugs not yet fixed or not even identified yet, without compromising the pace of innovation. Hence the name ShiftLeft, as our mission is to shift security concerns to the left in the CI/CD lifecycle and help improve the security posture of the code. ShiftLeft is the first solution that combines code intelligence from build-time and runtime. Understanding of code at runtime allows ShiftLeft to not only identify an attack but also point to the specific line of code that caused the issue, significantly shortening mean-time-to-repair (MTTR).

Without delving into the “we were first” claims, ShiftLeft raises some very valid points, and the origin of its name goes a long way to explaining what its true value proposition is. Traditionally, agile development has been counter to the usual norms of security teams, resulting either in poor security or in security slowing down development agility. The ShiftLeft approach should resolve many of those issues.

What is this Security DNA thing?

The Security DNA of an application is the sum of everything in a codebase that impacts its security, including the execution space of the code (what it does and does not do), the flow and treatment of data, the way the application communicates with the outside world, the dependencies used, and known vulnerabilities. What ShiftLeft promises to deliver is a new paradigm, one in which developers, DevOps and Security teams can collaborate and leverage the Security DNA to enhance the security of their applications. The idea is that developers can prioritize fixes for vulnerabilities that are being exploited at runtime, DevOps can get deep visibility into all the important data flows, and Security teams can protect the applications from attacks without impacting the pace of CI/CD.

MyPOV

From a product and technology perspective, ShiftLeft makes absolute sense. But agile development practices are as much (perhaps more) about culture as they are about technology, and this is the nut that ShiftLeft needs to crack. I’ve seen enough security practitioners pour cold water on agile development teams’ suggestions to know that there will be many people doubting the ShiftLeft approach, and remaining skeptical that security should move any faster than it currently does.

ShiftLeft is certainly onto something here – the question for me is whether the people who most need it will realize.

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.
