Yesterday’s announcement of the acquisition of Semmle by GitHub (Microsoft) is a ringing endorsement of the need to move security to the left, that is, to “shift left”. It is a validation of the growing influence of software developers in the world, of the importance of code analysis for securing software in modern DevOps pipelines, and of the importance of helping developers fix vulnerabilities before they become critical production issues.
A common place for developers to collaborate
GitHub, and for that matter GitLab, Bitbucket, and other source repositories, have become important epicenters for developers. These repositories are home to numerous open-source projects and have thriving communities built around them. Yet security has been left behind, and breaches continue to increase sharply because of developer oversight and mistakes. Integrating security into these repositories is a logical evolution of these epicenters.
A wake-up call for legacy code analysis solutions
Legacy code analysis solutions, although initially designed to be used by developers, are largely used by application security teams, who then collaborate with developers to get the vulnerabilities fixed. There are reasons developers do not always use these tools:
- They are painfully slow, often taking hours or even days to complete an analysis. This greatly affects developer productivity and does not fit into a modern CI/CD pipeline.
- Users do not trust the results, for example because of false positives.
- A reported bug may be theoretically possible while the problem never actually manifests in practice.
- They cannot analyze large codebases.
- They do not comprehensively analyze open-source consumption in the context of how a component is actually used within the application (Equifax breach, SF Muni attack, etc.).
- With a focus only on technical vulnerabilities, they do not identify business logic flaws — a category that is becoming increasingly important if recent data breaches are any indication (e.g., First American Financial, Signet — Jared/Kay jewelers, Molina Health, etc.).
At ShiftLeft, we address these fundamental challenges with our Code Property Graph technology.
The future of application security is to shift left
We are excited about the future of application security (code security). We are true believers in the need to shift security left, as that is the most efficient way to find and fix vulnerabilities and to prevent breaches. Our customers validate the need for application security to be fast (an analysis that takes minutes, not hours), accurate (minimizing false positives), uniform across custom code and third-party code, and able to identify hard-to-find business logic flaws.
The acquisition of Semmle is a good first step in the industry’s acknowledgment of the importance of application security and of the need for developers to play an active role in it. We are excited about what the future holds!
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Manish Gupta. Read the original post at: https://blog.shiftleft.io/welcome-to-the-future-of-application-security-7d64afe9fd1d?source=rss----86a4f941c7da---4