Over the years, I have witnessed the issues that customers face when attempting to secure their systems. Most of them struggle because there are simply too many threats (viruses, worms, and other malware) to defend against, and the number of threats keeps growing at a rapid rate. Taking a threat-centric, reactive approach to cybersecurity, rather than being proactive about defense, is no longer a viable strategy.
At the same time, software is eating the world! Self-driving cars, Software-as-a-Service solutions such as salesforce.com, consumer applications such as Uber, and IoT devices such as the Nest thermostat have become an integral part of life, and they are all powered by software connected to cloud and edge services. Increasingly, this software is cloud resident, which allows companies to deliver new functionality at an unprecedented pace. Amazon, for example, has reported deploying new software into production on average every 11.6 seconds. "How are we going to protect all this software when it is changing multiple times a day?" has become the existential security question of our age.
I became convinced that there had to be a better way to stop attackers from exploiting software. I worked on the problem with friends from the security industry for six months. We knew that an effective solution would need to provide both agility and accuracy, and that it could not be attack-based (signature-driven), because that is inherently reactive. We failed to come up with a good solution.
The ShiftLeft Belief
That’s when I met my co-founders Chetan and Vlad, neither of whom comes from a cybersecurity background. We were (and still are) big fans of Elon Musk’s First Principles Thinking, and that is what enabled us to come up with the idea behind ShiftLeft. Let me elaborate.
Historically, companies such as Microsoft and Oracle developed enterprise software, and shipped it (shrink-wrapped) to customers for on-premises deployment. The onus of protecting the ‘shrink-wrapped’ application was on the customers buying and deploying the software in their data centers. Without access to the source code of the application, the customers had no choice but to treat the software as a black box and protect it from the one thing that they could understand: threats. And that’s how the security industry has developed: AV to detect viruses, IDS/IPS to detect intrusions, WAF to detect application attacks, sandboxes to detect malware, etc.
Today, there is a fundamental shift in the way software is deployed and consumed. With software moving to the cloud (SaaS), the disconnect between where the software is developed and where it runs has effectively been eliminated. This has presented us with an opportunity to rethink how software should be protected in the age of the cloud.
First Principles Thinking dictates that we should protect software by understanding the security needs of that software. That’s what we do at ShiftLeft: for every version of every application we extract its Security DNA (all security-relevant elements in the source code, such as where untrusted input enters and where sensitive operations are performed) and create a custom security agent that protects that specific version of the application.
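To make the idea concrete, here is an added toy example (not ShiftLeft’s implementation, and not code from the original post) of what deriving a version-specific protection profile from source could look like. It uses Python’s `ast` module to record where a constructed sample application calls security-relevant sinks, whether each call is reachable from an untrusted source (a crude, flow-insensitive taint check), and fingerprints the exact source version. A runtime check then answers, for a given sink invocation, whether this version’s profile expected it. The `SINKS` and `SOURCES` lists, the `SAMPLE_APP` text and the verdict names are all assumptions made for the illustration.

```python
"""Toy per-version 'security profile' extraction (illustration only).

Not ShiftLeft's product code. Sink/source lists and the sample app are
constructed for this example.
"""
import ast
import hashlib
from dataclasses import dataclass, field

# Hypothetical sinks: calls whose arguments are security-relevant.
SINKS = {"subprocess.call", "subprocess.run", "os.system",
         "cursor.execute", "eval", "exec", "open"}
# Hypothetical sources: calls that return attacker-controlled data.
SOURCES = {"input", "request.args.get", "request.form.get"}


@dataclass
class SinkCall:
    name: str
    line: int
    tainted: bool  # an argument (transitively) comes from a SOURCES call


@dataclass
class SecurityProfile:
    version: str                 # fingerprint of the exact source analysed
    sinks: list = field(default_factory=list)


def _dotted(node):
    """Render a call target such as `subprocess.call` as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class _Extractor(ast.NodeVisitor):
    """Collects sink calls and a flow-insensitive set of tainted names."""

    def __init__(self):
        self.tainted = set()
        self.sinks = []

    def _is_tainted(self, expr):
        for n in ast.walk(expr):
            if isinstance(n, ast.Name) and n.id in self.tainted:
                return True
            if isinstance(n, ast.Call) and _dotted(n.func) in SOURCES:
                return True
        return False

    def visit_Assign(self, node):
        # Simplification: a name assigned from tainted data stays tainted.
        if self._is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in SINKS:
            tainted = any(self._is_tainted(a) for a in node.args)
            self.sinks.append(SinkCall(name, node.lineno, tainted))
        self.generic_visit(node)


def extract_profile(source: str) -> SecurityProfile:
    """Build the profile for one exact version of the source text."""
    extractor = _Extractor()
    extractor.visit(ast.parse(source))
    version = hashlib.sha256(source.encode()).hexdigest()[:16]
    return SecurityProfile(version, extractor.sinks)


def verdict(profile: SecurityProfile, name: str, line: int) -> str:
    """What a version-specific agent decides when sink `name` fires at `line`.

    'allow'    - sink known to this version and fed only by trusted data
    'validate' - sink known, but reachable from untrusted input: check args
    'deny'     - sink/location absent from this version's profile
    """
    for s in profile.sinks:
        if s.name == name and s.line == line:
            return "validate" if s.tainted else "allow"
    return "deny"


# Constructed sample application (a Flask-style handler plus a safe helper).
SAMPLE_APP = '''
import subprocess
from flask import request

def ping(request):
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    subprocess.call(cmd, shell=True)

def status():
    subprocess.call(["uptime"])
'''

if __name__ == "__main__":
    profile = extract_profile(SAMPLE_APP)
    print("version", profile.version)
    for s in profile.sinks:
        print(s.name, "line", s.line, "tainted" if s.tainted else "clean")
```

Running it on `SAMPLE_APP` yields two `subprocess.call` entries: the one in `ping` (line 8 of the sample) is flagged as tainted because `cmd` is built from `request.args.get`, while the one in `status` (line 11) is clean. A sink firing at any other location gets `deny`, and any change to the source changes `version`, so the profile is tied to one build rather than to a catalogue of known attacks.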
Our approach is analogous to precision medicine (PM), a medical approach that proposes the customization of healthcare, with medical decisions, practices, or products being tailored to the individual patient.
I cannot end this discussion without touching on our company philosophy and culture. From the very beginning, we have focused on hiring the smartest, most talented people. If I am the inspiration for ShiftLeft, Chetan and Vlad are the heart and the brain respectively. I personally believe that life is too short to work with obnoxious, egotistical jerks. Chetan and Vlad are both super-smart, but they are also humble. Humility and accountability are very much ingrained in our company culture. It makes work much more pleasant. More importantly, people who believe that they are the center of the universe are not the type of people we want to inflict upon our customers. Our promise: the needs of our customers are our top priority; we drop everything when a customer calls. We have built a great team, which, in its own way, is a great validation of what we are building.
This is a Security Bloggers Network syndicated blog post. Read the original at: ShiftLeft Blog - Medium 2017-10-11.