DevOps Chat: Shifting DevSec Left with ShiftLeft – RSAC Edition

In this DevOps Chat we speak with Manish Gupta, CEO and co-founder of ShiftLeft. ShiftLeft is one of the up-and-coming DevSecOps companies. As evidence of such, it was recently chosen as one of the 10 finalists for this year’s #RSAC Innovation Sandbox award.

I have known Manish for many years in the security industry and it does not surprise me that he is once again at the top of a company that is setting the mark in the industry.

As DevSecOps continues to mature, we are seeing solutions that help at different points of the software pipeline. Some solutions are shifting far left and helping developers at the point of development and committing code. Other solutions are squarely aimed at the old Ops team. Almost a DevSec and a SecOps bifurcation.

I am not sure this is a great thing. I would like to see a more holistic solution, but I do believe the market will correct this.

ShiftLeft could be one of those companies that is on top at the end of the day.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation. Enjoy!

Transcript

Alan Shimel: Hey, everyone. It’s Alan Shimel, DevOps.com, Security Boulevard, and you’re listening to a DevOps Chat. Today’s chat is gonna be another DevSecOps event, and I’m really happy to be joined by someone whom I have known in the security industry for years already, Manish Gupta, CEO of ShiftLeft. Manish, welcome.

Manish Gupta: Thank you, Alan. Great to be here.

Shimel: Great to have you here, Manish, and as I mentioned, you and I go back, you know, probably way before your ShiftLeft days, obviously, but let’s start with ShiftLeft. Maybe some of the folks listening, both from our security audience as well as the DevOps audience, are not yet familiar with ShiftLeft. So why don’t we give them a quick background?

Gupta: Of course. So, you know, ShiftLeft is trying to solve a fundamental problem in the world of cybersecurity. Now it’s like in today’s day and age every company is being disrupted or innovating through software, right? And all cybersecurity issues are caused because of defects in software, yet, you know, we are using 20-year-old technologies like SAST, DAST, IAST, and then we protect these applications that we happen to deploy with vulnerabilities using tools like web application firewalls, and so that’s why – that’s the big problem we saw and we are addressing that. For the first time in the last 20 years we have invented a new way to analyze code. It’s very quick; we can analyze 500,000 lines of code in under 10 minutes.

It is very accurate, it is the most accurate solution in the market, you know, three times better than our competitors. So we will find vulnerabilities much more accurately and much more quickly. But here’s the other kicker, right? Is if we find vulnerabilities that you’re not able to fix for whatever reason – time to market pressures, et cetera – we then protect your application against the specific vulnerability that you weren’t able to fix, right? And as a result, focusing on protecting the application’s vulnerabilities as opposed to constantly reacting to threats provides you a solution that is very high performing, very accurate, with no false positives.

Shimel: You know what? It sounds almost too good to be true, huh?

Gupta: It is, actually. Funny that you say that. Last night I was at a dinner with about 20 CISOs and I was talking to them about ShiftLeft and that’s exactly what one of the CISOs said to me. She said, “Manish, this sounds too good to be true,” and, look, I think the way I like to answer that question is you’ve gotta solve hard problems in order for cybersecurity to get better.

Shimel: Absolutely.

Gupta: We all agree, right, that it is the software issues that cause all cybersecurity, but still we buy all of these other solutions that are constantly reacting to threats, constantly coming up with new signatures for threats. I mean I’ve done this for 15 years, Alan, as you know well, through FireEye, Cisco, McAfee. Look, man, if there’s one thing I’ve learned you cannot get better at security if you continue to react to threats, because with – by reacting to threats you’re letting the bad guy shoot first, and then you go in and say, “Okay, well what do I do now?” So we gotta go to the source of the problem and get better at delivering software that is – has far fewer defects.

Shimel: Absolutely.

Gupta: And when it does have those defects, because that’ll always be the case, we get protection that is much more precise.

Shimel: So Manish, to me though, this really represents the true value prop of DevOps and, you know, we call it DevSecOps, we stick that Sec in the middle of the Dev and the Ops, but really when I’m talking about DevOps it includes security, right? So when I mean DevOps I mean this whole new way of this software pipeline, the modern software factory. You can have it all. You can – you know, they used to say – the song says two out of three ain’t bad, but you can have three out of three.

You can have faster, better, more secure software if you follow some of these basic principles, use some of these more modern tools that are made for this type of scale and speed and velocity, environment, automation, continuous security; all buzzwords that we hear, but beyond the buzz there’s real stuff going on underneath, and that is –

Gupta: Indeed. I totally believe – I totally agree with you that it is DevOps. You know, the faster we release the more chances that we get at fixing our software, right? In other words, let’s go back to the Waterfall days. Let’s say there was a company that did one software release in six months. Well, that means you only had one opportunity in six months to fix the defects for your customers. Now fast forward to today; DevOps and modern SDLC practices are allowing our customers to release perhaps once a day.

So now you don’t have to wait for six months. The issues that you found yesterday you can go ahead and fix them today, and if you are not able to fix them today, well guess what? There will be another opportunity tomorrow, right? So I’m a true believer in inserting security into DevOps, but it can’t be done with legacy tools, right? I mean we gotta use tools that increase the efficiency of developers as opposed to decrease their efficiency.

Shimel: Agreed. So, Manish, I don’t want to embarrass you, but you mentioned a few of the companies you’ve been involved with and, you know, I’ve heard this from people who listen to our podcast or who I meet at conferences. They say, “What does it take to be a founder? How does someone get to be a CEO? Do you – is it –” you know, I did an interview a couple weeks ago with a new company starting up in cloud and this woman had been in four or five successful startups that had successful exits but never part of the founding team; now she’s CEO of this new company she’s starting. Just real briefly, I don’t – and again, I don’t want to embarrass you, but give people a little bit of your background, ’cause you have an amazing track record and resumé. If you don’t mind.

Gupta: Of course. Thank you, Alan. Thank you for that praise. Yeah, look, I’ve been very fortunate to have been in security for almost 16 years now, most recently at FireEye, right, and before – you know, at FireEye we had a lot of fun. We were trying to solve a very difficult problem, which is how to detect these nation-state attackers. You know, prior to that Cisco, which was sort of a big company, and prior to that sort of McAfee, again, solving some of the harder network security problems through tools like intrusion detection.

So I think it was that 14, 15-year career that gave me a better appreciation for what our customers’ issues are because, you know, it was in 2015/2016 that customers started telling me, “Look, enough. I mean what all do you want me to do? You ask me to buy a firewall, then I bought intrusion protection, now I’m buying FireEye on the network, now you want me to buy AV on the endpoint and perhaps host IPS on the endpoint, perhaps, you know, whitelisting, and this is just getting unwieldy.”

And at the same time, right, I was starting to see that back then there were more than 100,000 pieces of new malware we were seeing, and so that is why I started ShiftLeft, and I think what it takes to start a company – look, you gotta be passionate and you gotta listen to your customers, and I think you gotta be humble. You gotta be really humble. It’s one job which is very lonely. You don’t have a whole lot of people you can talk to [laughs], except your customers, because your employees are looking to you for direction. So it’s a fun job but it’s a demanding job.

Shimel: Absolutely. Manish, I want to – you know, it’s security season, right? RSA is coming to San Francisco, they’re expecting more than 50,000 people this year and, you know, I don’t know about the rest of the world but my inbox is flooded with pictures around security and cyber and DevSecOps and so forth, and obviously ShiftLeft will be at RSA, and you guys recently were awarded some honors. I’ll let you tell the audience about them.

Gupta: Yeah. No, thank you. Super excited. We’ve been selected as one of the finalists for the RSA Innovation Sandbox. That event takes place on Monday, so I encourage your audience to come and attend. It’ll be fun; it’ll be three-minute presentations from each one of us, [laughs] and towards the end they pick a winner. Yeah, so really looking forward to it and I think it is a testament, right, to you look for recognitions like these at events like RSA, which attract the best of the best, and I’m super thankful to my team.

You know, we’re solving a very hard problem. Like I said, you know, there’s been really no invention in _____ analysis in the last 20 years and we can only do this because we’ve got, like, seven PhDs in a team of 40, right? That’s what it takes. So, hats off to my team, just amazing team. Very humbled to work with this team every day.

Shimel: Absolutely. And, you know, I should mention we did – we actually did a podcast with the RSA team around just this very – you know, the whole Sandbox and Innovation Sandbox, and they actually have a new program out this week – this year, called RSAC Launchpad for sort of pre startups, if you will. I don’t know if it’s pre revenue or what have you but, you know, it’s become – this Sandbox, Innovation Sandbox has really become a fantastic showcase for what – who the new up-and-comers are in security, and what’s really exciting is if you look at the winners over – think how many years it’s been now, maybe 10 years, maybe more – if you look at the winners over the last 10, 12 years, whatever it’s been, you know, they’ve done an amazing job of zeroing in on companies that really are shaping the industry up.

So, kudos to you and the team for, you know, making it to the finals, ’cause I think of how many companies were evaluated to come to the finals, but generally speaking it’s a mark of distinction, right, and as you say, congratulations to your team but congratulations to you. But, you know, I remember the first time, Manish, I was briefed on ShiftLeft, and I’m gonna say it’s gotta be – is it about a year ago, year and a half ago now?

Gupta: Yeah, it’s probably about a year and a half ago.

Shimel: Yep, and I remember thinking then, wow, this is something that could shake things up, right? This is exactly what we were talking about with DevSecOps and it would be interesting to see, and now, you know, we’re seeing it catch its stride, so congratulations to you. Beyond Innovation Sandbox though, what else exciting is happening over at ShiftLeft?

Gupta: Yeah. I think, you know, the key thing is really just working with customers. You know, we – this is – sorry to be repetitive, but this is hard tech, right? It took us time to build this, and now in the last year we are starting to deploy this in customers’ environments, and look, at the end of the day that is what is the most exciting endorsement. Yes, RSA Innovation Sandbox is important, but just customers telling you that what you’re doing is helpful, is meaningful, is the best endorsement of what we’re doing. So as an example, one of those fin-tech companies, you know, about last month told us that they found five critical unknown vulnerabilities in one of the open-source libraries that they’ve been using forever in under three days using our product, right?

Shimel: Wow.

Gupta: And so when I asked them – yeah, exactly, right? – so when I asked them, “So, tell me without ShiftLeft, how long was it taking you?” And they said for the previous six months with one person fully working on this problem they found three, right? So just doing the math it’s like 15 to 20X improvement, and at the same time yesterday I was talking to a CISO at the dinner that I was telling you about. He’s the CISO of a publicly-traded security company, so they clearly take security seriously, and he said – and that is music to my ears. He said, “Manish, you – it’s – I –” what were his words? – “I commend you for trying to solve this hard problem, and you have a great solution and thanks for building it.” Yeah, I get goosebumps every time I think about that.

Shimel: You know what? So, look, I’ve been in your _____, I’ve been a founder, and that’s music – it’s music to your ears but it’s also – honestly, it uplifts your soul, it makes your soul sing, you know what I mean?

Gupta: Yeah, yeah.

Shimel: Because sometimes we work really hard, Manish, right? It is – security especially. Security’s hard and a lot of times it’s – you know, it’s very easy to point the finger when there’s a breach, but when there’s not a breach, right, no one says anything. No one ever comes up and says, “Hey, I’m glad we haven’t had an incident in 300 days or 200 days.”

Gupta: Right. That’s right.

Shimel: You know what I mean? No one tells you you’re doing a good job. They only tell you when you’re doing a bad job in security.

Gupta: Yeah.

Shimel: It’s the nature of it. So, you know, when you could get that kind of feedback from CISOs at large companies like this, it does – it kind of almost makes it worthwhile, all the hard work, the late nights, the traveling on the road, time away from family and everything else, right? It’s – it makes it worthwhile. Anyway…where do you see – so it seems DevSecOps has really hit its stride, right? It went – I mean we see it – you know, as we were talking off mic, we do our DevSecOps days at RSA every year and, you know, this year we have unprecedented – in order to go you have to register at RSA, obviously, right?

You gotta have an RSA badge. Any badge will get you in, but you have to indicate a preference that you’d like to attend our event on Monday and, you know, we could tell from the pre reg, if you want to call it that, an amazing year – you know, a lot of demand out there, a lot of interest in this. What do you see – what’s next? How do you keep the momentum going here?

Gupta: Yeah. No, you’re absolutely right, but at the same time, right, like at DevSecOps days – and I love that day because it’s, you know, just the lineup of speakers that you have so huge kudos for you to have put this together. I mean the speakers – and what I really like about that DevSecOps day, it’s very operationally focused.

Shimel: Yeah.

Gupta: There’s not a lot of fluff, right, not a lot of marketing; it’s people who practice this every day telling the audience how to do it, so it’s a great day. So I encourage your audience to absolutely go there if this is a topic of interest. But where do we go from here? I think we are only scratching the surface, Alan. You know, it’s hard for me to put an accurate percentage, but I would say it’s less than 1 percent of the industry today that is still thinking about DevSecOps.

Shimel: You think so?

Gupta: And – sorry?

Shimel: I don’t doubt it. I mean I’m not gonna dispute it. You know, it’s…but isn’t that the way it always is? I just – I often feel that we live in this bubble where we think everyone is enlightened.

Gupta: Right. [Laughs]

Shimel: It happens with my politics here. Everyone’s enlightened and, you know, why wouldn’t you do this and of course this is what you should be doing, and then sometimes you forget that not everyone feels that way.

Gupta: Yeah. And so we live in very exciting times. We are seeing one of the biggest disruptions ever in the IT industry, right? I mean at least in my 25-year career I haven’t seen a bigger disruption with –

Shimel: No.

Gupta: – you know, how we develop applications, how we deploy them, where we deploy them, and the compute, how elastic it is and the applications going into the cloud, and all of this software-driven innovation allowing us to do all kinds of cool things like IoTs and self-driving cars. I mean everything is being software-driven, right? So – and the exciting part for people like you and I and perhaps some of the audience who are interested in security is for all of the software, security needs to be rethought. We can’t continue to put firewalls and antivirus on this software or application. It’s not gonna work. I mean try thinking about putting an AV agent in your self-driving car. Yeah, that’s gonna happen, right?

Shimel: [Laughs]

Gupta: And so this is a huge opportunity for the young folks in our audience to make a mark in helping industry figure out as to what this next generation security architecture is going to look like, and for oldies like you and me to sort of perhaps try and forget what we’ve done in the past and rethink, right, which is always a challenge.

Shimel: Exactly. It really is. Anyway, Manish, we’re about out of time here. I apologize. I look at the clock and I’m like, you know – and you and I were probably on the phone a half hour before we started, so…

Gupta: [Laughs] That’s right. When you’re having fun –

Shimel: Just talking. But listen, congratulations on the RSA Innovation Sandbox finalist. Hope to see you – I definitely will see you out in San Francisco for RSA – but continued success at ShiftLeft, man. Keep doing what you’re doing. You’re doing it well. I think people are obviously taking notice, and congratulations.

Gupta: Thank you very much, Alan, and thanks for all your support and thanks to your listeners for taking the time.

Shimel: That’s a good way to end this. Manish Gupta, CEO/founder of ShiftLeft. This is Alan Shimel at DevOps.com, Security Boulevard. You’ve just listened to another DevOps Chat. Have a great day, everyone.


Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
