The Case of Disappearing Vulnerabilities

This blog is inspired by a recent customer conversation that went like this:

Customer: We are moving our software to AWS Lambda.
ShiftLeft: How are you thinking about security?
Customer: We have been using a WAF for our on-prem installation. We use a vulnerability scanner like Nessus and its findings to inform the WAF of the vulnerabilities to make detection more accurate. We plan to continue doing the same.

This should not come as a surprise: identifying vulnerabilities with scanners, enabling the corresponding signatures in next-generation firewalls (NGFW) and intrusion detection and prevention systems (IDS/IPS), and correlating them with Web Application Firewall (WAF) alerts is common sense and established best practice.

But does this approach make sense for software that is deployed in the cloud? The short answer is no, it does not!

Sampling of Vulnerabilities by Vendor

Here is some data from CVEDetails.com, a resource for searching vulnerabilities across independent software vendors (ISVs) and their products:

(embedded chart: https://medium.com/media/9f3744fc52248ee5b2206dd3fcd8c321/href)

Have cloud software vendors figured out how to write software without vulnerabilities? Let's look at the results of another search:

(embedded chart: https://medium.com/media/0bfc88e8b24a67d87814a661d13eb349/href)

What stands out is that it's not the vendor but the cloud-hosted software that makes the difference. And, given that it's the same vendor and engineering teams, one has to conclude that the cloud-hosted software has vulnerabilities...

Building Something Great

When we started ShiftLeft, naturally we were focused on building a great product. But it wasn't just about the technology: we also wanted to build a great company that would do good things, employ great people, and be around for a long time. We had a vision for our platform and for something bigger, a company built on a shared vision of the future of software security.

A key ally in achieving a startup's dreams is its investors, and we are lucky to have two of the best in the industry: Enrique Salem and Ursheet Parikh.

Enrique Salem of Bain Capital, a board member at ShiftLeft and former CEO of Symantec, is one of our earliest backers. We'd like to share a blog Enrique has written that elegantly describes the ShiftLeft platform and what it can do, as well as the company we are building. We can think of no better way to introduce you to ShiftLeft than through Enrique himself.

Baking Security in From the Start: Why I Invested in ShiftLeft

Building Something Great was originally published in ShiftLeft Blog on Medium.

The Story behind ShiftLeft

Over the years, I have witnessed the issues that customers face when attempting to secure their systems. Most of them encounter challenges because there are just too many threats (viruses, worms, malware, etc.) to protect themselves against, and these threats are growing at a rapid rate. Taking a threat-centric, reactive approach to cybersecurity rather than being proactive about defense is just not a viable solution anymore.

At the same time, software is eating the world! Self-driving cars, Software-as-a-Service solutions such as salesforce.com, consumer applications such as Uber, and IoT devices such as the Nest thermostat have become an integral part of life, and they are all powered by software connected to edge services. Increasingly, this software is cloud resident, which allows companies to deliver new functionality at an unprecedented pace. The fact of the matter is, Amazon deploys new software into production every 11.6 seconds. "How are we going to protect all this software when it is changing multiple times a day?" This has become an existential question of our age.

I became convinced that there had to be a better way to stop the bad guys from exploiting software. I worked on the problem with...