Why Data Loss Prevention (DLP) Must Evolve for Modern Applications

The Economist effectively argues that “Data is the new Oil”. Most companies collect data that is important to their very survival and key to their competitive advantage. Losing this data has wide-ranging implications, ranging from losing trust with customers, financial impact to the company, and severe penalties from regulatory bodies, to losing competitive edge. Yet the technology solutions available are reactive and built for the pre-cloud era.

Figure 1: A Modern Enterprise

The above diagram illustrates the problem. A typical cloud application attracts thousands (maybe millions) of users, or connects to thousands (maybe millions) of IoT devices. Such an application may collect many different types of sensitive data, such as credit card numbers, social security numbers, blood pressure stats, heart rates, email addresses, passwords, account numbers, and more. The application likely has many outputs — other microservices, databases, logs, third party APIs, etc. Any number of individuals may have access to this data, including employees, contractors, and users — often because they need access to do their job or interact with the service, but sometimes because the organization doesn’t know that the data these individuals are given access to is sensitive or private.

Traditional “Solutions” Are Not the Answer

Traditional technologies for protecting sensitive data — namely Data Loss...

The ShiftLeft Vision

Software Evolution

Software is the engine of innovation across several industries, including many that have until recently remained untouched by software. The ability to rapidly develop software and host it in elastic and easy-to-provision public cloud instances without significant capital outlay allows us to write ever more software. And very much like storage, where once stored we rarely go back to delete items we don’t need, in software rarely do organizations revisit old code to delete or re-factor it. And so we will have more and more software, much of it deployed in cloud — public or private.

The cloud providers are motivated to make it ever easier for us to write software so that they can host more of it, generating more revenue. The software developers love it because they can deliver features ever faster to their customers — sometimes within the same hour.

And so the packaged software delivery model has evolved to software delivered as a service (SaaS), which doesn’t specify whether the software is hosted in a public or private cloud. With the emergence of Infrastructure-as-a-Service (IaaS) and more recently Platform-as-a-Service (PaaS), more and more SaaS is delivered on top of IaaS and PaaS. The new kid on the block is serverless which further...

ShiftLeft in 2017 and Beyond

We have made amazing progress at ShiftLeft this year, and we’re poised for even more success in 2018.

When we launched ShiftLeft, we wanted to build and deliver a great security product. We had a vision of the future of security, and we couldn’t wait to share it with the world.

Of course, we couldn’t achieve that vision without financing. We were lucky to partner with two industry-leading investors: Enrique Salem, managing director of Bain Capital, FireEye board member, and former Symantec CEO; and Ursheet Parikh, Mayfield partner and StorSimple founder and former CEO. We chose these investors for their expertise and guidance, and they’ve exceeded our expectations.

We emerged from stealth mode in October of this year with $9.3 million in funding thanks to Enrique and Ursheet, who joined our board of directors.

Commenting on why he decided to invest in ShiftLeft, Enrique wrote that ShiftLeft has “baked security into the software development process in a low friction way, delivering security inside the app. I see that as a modern approach to delivering security in the application development process.”

When we exited stealth mode, we also announced the general availability of the industry’s only fully automated security-as-a-service that understands the security needs of...

The Case of Disappearing Vulnerabilities

This blog is inspired by a recent customer conversation that went like this:

Customer: We are moving our software to AWS Lambda.

ShiftLeft: How are you thinking about security?

Customer: We have been using a WAF for our on-prem installation. We use a vulnerability scanner like Nessus and its findings to inform the WAF of the vulnerabilities to make detection more accurate. We plan to continue doing the same.

This should not come as a surprise, because identifying vulnerabilities using scanners, enabling signatures in next generation firewalls (NGFW) and Intrusion Detection and Prevention Systems (IDS/IPS), and correlating with Web Application Firewall (WAF) alerts is common sense and best practice.

But does this approach make sense for software that is deployed in the cloud? The short answer is no, it does not!

Sampling of Vulnerabilities by Vendor

Here is some data from CVEDetails.com, a resource for searching vulnerabilities across independent software vendors (ISVs) and their products:

Have cloud software vendors figured out how to write software without vulnerabilities?

Let’s look at the results of another search:

What stands out is that it’s not the vendor but the cloud-hosted software that makes the difference. And, given that it’s the same vendor and engineering teams, one has to conclude that the cloud-hosted software has vulnerabilities...

Building Something Great

When we started ShiftLeft, naturally we were focused on building a great product. But it wasn’t about just the technology — we also wanted to build a great company that would do good things, employ great people, and be around for a long time. We had a vision for our platform and for something bigger, a company built on a shared vision of the future of software security.

A key ally in achieving a startup’s dreams is its investor. And we are lucky to have two of the best in the industry: Enrique Salem and Ursheet Parikh.

Enrique Salem from Bain Capital, board member at ShiftLeft and former CEO of Symantec, is one of our earliest backers. We’d like to share with you a blog Enrique has written that elegantly describes the ShiftLeft platform and what it can do, as well as the company we are building. We can think of no better way to introduce you to ShiftLeft than by Enrique himself.

Baking Security in From the Start: Why I Invested in ShiftLeft

Building Something Great was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

The Story behind ShiftLeft

Over the years, I have witnessed the issues that customers face when attempting to secure their systems. Most of them encounter challenges because there are just too many threats (viruses, worms, malware, etc.) to protect themselves against, and these threats are growing at a rapid rate. Taking a threat-centric, reactive approach to cybersecurity rather than being proactive about defense is just not a viable solution anymore.

At the same time, software is eating the world! Self-driving cars, Software-as-a-Service solutions such as salesforce.com, consumer applications such as Uber, and IoT devices such as the Nest thermostat have become an integral part of life — and they are all powered by software connected to edge services. Increasingly, this software is cloud resident, which is allowing companies to deliver new functionality at an unprecedented pace. The fact of the matter is, Amazon deploys new software into production every 11.6 seconds. “How are we going to protect all this software when it is changing multiple times a day?” — this has become an existential question of our age.

I became convinced that there had to be a better way to stop the bad guys from exploiting software. I worked on the problem with...