Welcome to the future of application security

by Manish Gupta on September 19, 2019

Yesterday’s announcement of the acquisition of Semmle by GitHub (Microsoft) is a ringing endorsement of the need to move security to the left— “shift left”. It is a validation of the growing influence of software developers in the world, the importance of code analysis for securing software in modern DevOps pipelines, and the importance of assisting developers to fix vulnerabilities before they become critical production issues.

A commonplace for developers to collaborate

GitHub and for that matter, GitLab, BitBucket, and other source repositories have become important epicenters for developers. These repos are home to numerous open-source projects and have a thriving community built around it. Yet security was still left behind and breaches are exponentially increasing due to developer oversight and mistakes. Integrating security in these repos is a logical evolution of these epicenters.

Sponsorships Available

A wake-up call for legacy code analysis solutions

Legacy code analysis solutions, although initially designed to be used by developers, are largely used by application security teams who then collaborate with developers to get the vulnerabilities fixed. There are reasons developers do not always use these tools:

They are painfully slow and often take hours or even days to complete analysis. This greatly affects developer productivity and doesn’t fit into a modern CI/CD pipeline
Users do not trust the results due to, say, false positives
The reported bug is theoretically possible, but the problem does not actually manifest in practice
Cannot analyze large codebases
Does not comprehensively analyze open-source consumption in the context of its utility within the application (Equifax breach, SF Muni attack, etc.)
With a focus only on technical vulnerabilities, they don’t identify business logic flaws — a category that is increasingly becoming important if recent data breaches are an indication (e.g., First American Financial, Signet — Jared/Kay jewelers, Molina Health, etc.)

At ShiftLeft, we address these fundamental challenges with our Code Property Graph technology.

The future of application security is to shift left

We are excited about the future of application security (code security). We are true believers in the need to shift security left as that is the most efficient way to find and fix vulnerabilities and to prevent breaches. Our customers validate the need for application security to be fast (an analysis that takes minutes, not hours), accurate (minimize false positives), does not differentiate between custom code analysis and analysis of 3rd party code, and helps identify hard-to-find business logic flaws.

Acquisition of Semmle is a good first step in the industry’s acknowledgment of the importance of application security and of the need for developers to play an active role in application security. We are excited about what the future holds!

To try out Shiftleft’s offerings and to see the power of modern code analysis please visit ShiftLeft Ocular and ShiftLeft Inspect.

Welcome to the future of application security was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.