Shiftleft — Notes on a journey

Do you remember what life was like before Google Maps?

Often you had to plan your trip using printed maps, marking destinations and points of interest using a pen. Then inevitably, all your effort was for naught when you hit peak traffic or major construction and have no idea to work around it.
Those were the dark days indeed. Enter Google and Apple Maps, in the palm of your hand, under your complete control.
If the idea of using a physical map today seems a bit too much work, blame it on your electronic navigation system. About 4 out of 5 drivers confess to the inability to navigate without electronic guidance systems.
As a consequence of technology, printed-map reading today, is an acquired skill.

With the advent of Waze, we have real time crowdsourced traffic powered by a community of users. Waze tells you when you should leave, while taking into consideration things like expected traffic conditions, alternate route suggestions, aggregated traffic history and more.
Soon, level 3-5 autonomous vehicles can switch routes using Waze’s decisioning algorithm in order to avoid traffic congestion and commutes can become increasingly automated.

Switching gears, the entire infrastructure powering intelligent map applications, mentioned above are coded in a specific programming language, compiled down to an executable or service(s) and deployed in a data-center or public cloud. Such codebases can be relatively complex, as they have evolved over time and have been exponentially optimized to support such real time use cases in order to effectively serve us consumers in real time.

Engineers and authors of such complex code-bases are like transportation planners. Akin to transportation planning, which involves meticulous design of street, highways and public transport lines, engineers have to think of business domain rules, functional flows, inputs, outputs, supporting data and open source utility-libraries encompassed into the application design in order to serve a business purpose.

Over time, a mature code-base begins to look like a transit map. Akin to transit planning, rarely do we tear down existing roads to build new ones. New lanes are added to existing infrastructure in response to congestion and other critical needs. Likewise, we add new functionality to the core foundation of our codebases to serve additional business needs.

When code we build is deployed, as an executable in the public-cloud or data-center, inevitably it experiences performance bottlenecks, due to resource constraints, design flaws and most significantly, breaches due to vulnerabilities or mistakes in implementation.

The customer/consumer of the deployed application is like a commuter in transit. They are the ones who suffer direct impact, as a consequence of a pre-existing vulnerability or exploit in the executable, when is taken advantage of by bad actors. The large-scale breaches we have seen over the past several years (Equifax, Yahoo, Target, to name but a few) are ready reminders of the serious consequences of such a scenario.

We at ShiftLeft, admire and are inspired by the craft of transportation design and navigation systems. Given that we are a semblance of infrastructure engineers, devops and security practitioners, we would like to bring this experience to understand the application surface and thereafter surgically protect it in real-time.

This quote by Saul Klien, founder of Kano Computing, directly reflects our principle. “The perfect start-up has all three founders. Someone who understands how to build technologies and systems to solve problems . Someone who understands the human factors behind those problems, why they exist, what it takes to fix them and how to shape the experience .Someone who understands how to reach, talk to and sell to the people whose problems are being solved — 
and keep finding more of them. An ideal start-up has two of the three founders, but all three skills are present between them.”

Manish , Vlad and I have humble beginnings. We have been immersed in diverse areas of technology and share a sustained growth mindset. We have learned from our past successes and reflect regularly on, rather than ruminate over, our failures. My decision to build ShiftLeft with Manish and Vlad is because of our diversity in areas of expertise (Security, Data Science, DevOps and Infrastructure) , our mutual respect and friendship with one another.

This quote from Elon Musk was etched in our collective mindset prior to founding ShiftLeft — “it is important to view knowledge as sort of a semantic tree — make sure you understand the fundamental principles, i.e. the trunk and big branches, before you get into the leaves/details or there is nothing for them to hang on to

We, as a team are building an application called ShiftLeft, reflecting our collective first principles thinking.

Our dashboard maps your application’s flow map within a lens of security. On the map, context is provided for various connected flows in your application. We then apply policy based logic upon the flow to describe

  • all inputs and outputs the flow connects with
  • input validation at root of flow
  • track new flows added as application evolves
  • output encoding at edges of flow
  • cryptographic practices in application
  • classification of sensitive data in application
  • treatment of sensitive data in transit of a flow
  • .. and more

Note that these qualities change as your code evolves over time. We instantly compute and capture this change, identify potential 0-day and known exploits, sensitive data leaks in your application and alert on negative drift.

Akin to a transit itinerary, we create a Security DNA that represents the security posture of your application and we update your application’s DNA on every revision.
Stealing a page or two from Waze’s real-time alerting system and Tesla’s semi autonomous lane assist feature, we provide a DNA-bootstrapped micro-agent that detects and protects your application at runtime against bad actors.

A journey of thousand miles begins with a single step. This is our first step. We have many more miles to cover and at every milestone, we need to serve our customers well.

Last but not least, behind a compelling product is a compelling team. Manish, Vlad and I are fortunate to be working with a world class team. This quote from Einstein summarizes our sentiment — “A day without learning is a day wasted. There is so much to learn and so little time to learn it.


Shiftleft — Notes on a journey was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Chetan Conikee. Read the original post at: https://blog.shiftleft.io/shiftleft-notes-on-a-journey-b0de00aea408?source=rss----86a4f941c7da---4