Announcing ShiftLeft CORE — A Code Security Platform
We are excited to announce the launch of our new platform — ShiftLeft CORE! The word platform is often overused and misused. Many companies rename their existing products and acquisitions, rearrange their web pages, and call themselves a platform provider. The products often don’t work together. They might even require separate setup and onboarding, and in most cases, they are just fundamentally different products with some duct tape around them!
When we were working on our new offerings and thinking about how to position them, we thought long and hard about whether we are truly a platform or just playing with words to make our product line look “mature”. Our team felt that to call ourselves a platform, we needed to meet certain criteria:
- The components of the platform should all work off the same underlying technology
- Customers shouldn’t have to do anything extra in order to use the different components in the platform
- Customers should be able to use all the components in a similar workflow
We believe that, in CORE, we do all these and more. Let’s see how.
Our underlying technology
All of our platform components are built on top of our core technology — the code property graph. What this enables our customers to do is unique — with a single insertion, ShiftLeft CORE conducts multiple analyses on the same application code versus running multiple analyses using multiple products. This includes OWASP Top 10 vulnerabilities in custom code, secrets detection, security insights, and a brand new capability — prioritized SCA.
ShiftLeft CORE is also designed to fit seamlessly into the developer’s pull request-based workflow, which decreases MTTR (mean time to repair). This has enabled ShiftLeft customers to go from analyzing once every few months to analyzing multiple times per week.
Let’s take a look at the various modules in the platform.
Static Code Analysis
Prioritized Software Composition Analysis
ShiftLeft Prioritized SCA uses the concept of “Attacker Reachability” to prioritize only a subset of OSS vulnerabilities for mitigation. It can trace code paths that can potentially lead attackers from insecure inputs directly to open source vulnerabilities, using the power of Code Property Graph. Based on a ShiftLeft study, customers were able to reduce the number of open-source vulnerability tickets by more than 93%.
Secrets Detection
ShiftLeft also detects secrets, i.e., hard-coded values (e.g., client secrets, username/password combinations), and sensitive information (e.g., phone numbers and addresses). Unlike “grepping” for these patterns, which produces false positives, the Code Property Graph identifies when a secret is actually being leaked without proper transformation or obfuscation.
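To make the two ideas above concrete, here is a small added illustration of what “attacker reachability” and graph-based (rather than grep-based) secrets detection look like over a data-flow graph. This is example code written for this page, not ShiftLeft’s CPG implementation; the graph, the function names, the list of “vulnerable OSS calls” and the secret literal are all constructed for the demonstration. It shows one vulnerable library call reachable from an HTTP parameter (prioritized), one reachable only from a cron job and one declared but never called (deprioritized), and a hard-coded key that is flagged only on the path where it reaches a log unhashed.

```python
"""Toy reachability and secret-leak checks over a constructed call/data-flow graph.

Added illustration for this page; not ShiftLeft's code. Every node name below is
invented, and the 'vulnerable' library calls are assumptions for the example.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Constructed toy graph: an edge A -> B means a value produced at A flows into B
# (call argument, return value or field write), as a CPG data-flow edge would.
FLOWS: Dict[str, List[str]] = {
    "http.param('id')": ["OrderController.lookup"],
    "OrderController.lookup": ["yaml.load"],          # OSS API with a known CVE (assumed)
    "cron.tick": ["ReportJob.run"],
    "ReportJob.run": ["xml.parseDocument"],           # OSS API with a known CVE (assumed)
    "literal('sk_live_EXAMPLE')": ["PaymentClient.auth", "log.info"],
    "PaymentClient.auth": ["sha256", "https.post"],
    "sha256": ["audit.write"],
}

ATTACKER_CONTROLLED: Set[str] = {"http.param('id')"}  # inputs an external caller sets
# SCA findings for the dependency manifest. image.resize is declared but never
# called anywhere, so it has no node in the graph at all.
VULNERABLE_OSS_CALLS: Set[str] = {"yaml.load", "xml.parseDocument", "image.resize"}

SECRET_LITERALS: Set[str] = {"literal('sk_live_EXAMPLE')"}
LEAK_SINKS: Set[str] = {"log.info", "audit.write"}    # places a secret must not reach raw
SANITIZERS: FrozenSet[str] = frozenset({"sha256"})    # hashing/encryption breaks the flow


def find_path(graph: Dict[str, List[str]], start: str, target: str,
              blocked: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Breadth-first search for a flow path start -> ... -> target.

    Nodes in `blocked` are never traversed, which is how sanitizers cut a
    secret's flow. Returns the shortest path or None if target is unreachable.
    """
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            return path
        for nxt in graph.get(node, ()):
            if nxt in seen or nxt in blocked:
                continue
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def prioritize_oss_vulns(graph: Dict[str, List[str]], entry_points: Iterable[str],
                         vulnerable_calls: Iterable[str]
                         ) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Split SCA findings into those reachable from attacker input (fix first) and the rest."""
    reachable: Dict[str, List[str]] = {}
    unreachable: Set[str] = set()
    for call in sorted(vulnerable_calls):
        for entry in sorted(entry_points):
            path = find_path(graph, entry, call)
            if path:
                reachable[call] = path
                break
        else:
            unreachable.add(call)
    return reachable, unreachable


def leaked_secrets(graph: Dict[str, List[str]], secrets: Iterable[str],
                   sinks: Iterable[str], sanitizers: FrozenSet[str]
                   ) -> Dict[str, List[List[str]]]:
    """Report each secret that reaches a leak sink on a path with no sanitizer on it.

    A grep-style check would flag the literal once regardless of where it goes;
    here only the unsanitized flow is reported.
    """
    leaks: Dict[str, List[List[str]]] = {}
    for secret in sorted(secrets):
        for sink in sorted(sinks):
            path = find_path(graph, secret, sink, blocked=sanitizers)
            if path:
                leaks.setdefault(secret, []).append(path)
    return leaks


if __name__ == "__main__":
    fix_first, later = prioritize_oss_vulns(FLOWS, ATTACKER_CONTROLLED, VULNERABLE_OSS_CALLS)
    for call, path in fix_first.items():
        print("PRIORITIZE", call, "via", " -> ".join(path))
    for call in sorted(later):
        print("DEPRIORITIZE", call, "(no path from attacker-controlled input)")
    for secret, paths in leaked_secrets(FLOWS, SECRET_LITERALS, LEAK_SINKS, SANITIZERS).items():
        for path in paths:
            print("SECRET LEAK", " -> ".join(path))
```

Running it prioritizes only `yaml.load` (reached from `http.param('id')`), leaves `xml.parseDocument` and `image.resize` for later, and reports the key only on the `literal -> log.info` path, not on the hashed path into `audit.write`. A real CPG also models sanitizers, control flow and inter-procedural returns far more precisely than this toy graph; the point is that a finding is ranked by whether attacker-controlled data can actually reach it.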
Security Insights
Security Insights are potential security issues in the code that are not vulnerabilities today but deviate from industry best practice. For example, using libraries or methods that are known to pose a security risk unless used correctly.
ShiftLeft Educate
Another new offering, ShiftLeft Educate, provides developers with in-context education to help them mitigate security vulnerabilities. For example, for an XSS vulnerability reported in a Java application, targeted training is provided on how to fix XSS vulnerabilities in Java. What’s more, the developer can learn, fix the vulnerability, analyze the code again, and get immediate feedback on whether the fix worked!
All these components work together and seamlessly — both from a workflow perspective and from a user experience perspective.
Announcing ShiftLeft CORE — A Code Security Platform was originally published in ShiftLeft Blog on Medium.
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium authored by Arun Balakrishnan. Read the original post at: https://blog.shiftleft.io/announcing-shiftleft-core-a-code-security-platform-402e3aa957db?source=rss----86a4f941c7da---4