What AppSec Can Learn From Developers’ Feature Bug Workflows

In order to scale application security (AppSec) to meet the pace of software feature development, AppSec must engage developers with new workflows that balance security and productivity. To meet this challenge, today we are announcing new purpose-built security workflows, from which our customers are achieving a 5X ...

ShiftLeft Ocular Identifies Business Logic Flaws 10x Faster than Manual Code Reviews

Today we’re announcing enhancements to Ocular that empower organizations to discover business logic flaws during application development 10 times faster than manual code reviews. Updates to Ocular include support for four new programming languages, C#, C, C++ and Scala, which improve development efforts with coverage for the top cloud, Internet of ...

ShiftLeft Raises $20 Million in Series B Funding

Today we are thrilled to announce a new $20M round of Series B funding. Thomvest Ventures led the round and was joined by new investor SineWave Ventures. Our existing investors, Bain Capital Ventures and Mayfield Ventures, also participated in the Series B. This funding is about expansion. Having found initial product-market ...

ShiftLeft for .Net

Today we’re announcing the general availability of our continuous application security service for the .Net Framework (.Net). .Net developers can now leverage the highest ever benchmarked source code analysis [1] to automatically create custom security profiles that protect their applications in runtime. As enterprises modernize their software development practices (agile methods, ...

The Need for Real-World Runtime Protection Benchmarking

First-principles thinking is one of the best ways to reverse-engineer complicated problems and unleash creative possibility. Sometimes called “reasoning from first principles,” the idea is to break down complicated problems into basic elements and then reassemble them from the ground up. It’s one of the best ways to unlock creative ...

Deserialization Vulnerability Confirmed in Nexmo 3.4.0 SDK

Nexmo has confirmed that their 3.4.0 SDK contained the Jackson-databind vulnerability that we announced earlier this week as widespread amongst SaaS SDKs. The deserialization vulnerability can be escalated into remote code execution (RCE) by triggering a gadget chain in certain versions of either Java or Spring. This makes the vulnerability particularly ...

ShiftLeft Wins 2018 Gartner Cool Vendor for DevOps

Gartner recently recognized ShiftLeft as a 2018 Cool Vendor in DevOps for our continuous application security service. The Cool Vendor designation is awarded to new companies that are “innovative, impactful and intriguing.” We’re hosting a webinar tomorrow to introduce ShiftLeft and explain why we are cool: https://go.shiftleft.io/gartner-cool-vendors-for-devops While DevOps has led to incredible ...

OffensiveCon 2018: Building a Zero-Day Machine

Fabian Yamaguchi, Niko Schmidt & Marco Bartoli of ShiftLeft recently presented on our efforts to build a zero-day vulnerability machine at OffensiveCon. You can watch their presentation below. FIELD REPORT ON A ZERO-DAY MACHINE: Make no mistake, security is about finding and exploiting vulnerabilities, not the ones everyone already knows about. The ...

Your App is Leaking Data, It’s Just a Question of How Badly

If data leakage isn’t the fastest growing problem in AppSec, I don’t know what is. In our experience, 100% of customer environments are leaking data. The adoption of microservices, combined with increasingly shorter development cycles, means that understanding how critical data flows into, within, and out of an application is ...

7 Questions to Ask About Your DevSecOps Program

If you’ve implemented, or are implementing, a DevSecOps program, we’ve come up with several questions to consider below. By posing these questions, we hope to help spur new ideas and help identify areas for improvement. We’re also hosting a webinar on implementing DevSecOps next Wednesday (3/21/18). Is My Application (or Microservice) ...