Gracefully Protecting Rapid Software Deployments — Part I

Prologue

Software has changed. What used to be monolithic services on the backend are now massive deployments of microservices that are constantly spun up and torn down as workloads shift. They no longer run in controlled environments you provision yourself, but on rented VMs and containers. Every piece of sensitive information a user enters on a web form travels and is transformed through layers of computing designed for ease of deployment and simplicity. But with all that elegance comes the burden of security. In this series of posts we will dive deep into how modern software development and deployment pushes the security burden further out, and into the shortcomings of traditional security in catering to this model. We will break apart an application, see how it sees the light of day in the modern world, and look at the pain points everyone in the development and deployment chain feels.

The Software of Today

Of course, I could discuss the great virtues of modern software straight out of a textbook, someone's presentation or a research paper, but what fun is a blog if it doesn't have a memorable story? Just because I love pizzas 🍕, we will create a PizzaCoin Bank in...

Dynamic Analysis of Modern Systems — Strategies and Pitfalls

Our Chief Scientist at ShiftLeft, Fabian Yamaguchi, previously discussed language-neutral analysis using Code Property Graphs (CPGs) and how this innovative technology is leveraged in the ShiftLeft platform. At ShiftLeft, the science of static code analysis is transformed into the art of understanding your code's behavior and generating a Security Profile — a means of describing the Security DNA of an application.

In this post I want to explore dynamic analysis of programs. Analyzing programs at runtime from a security perspective is a non-trivial task. The fact that security and reliability of code in production are of paramount importance puts constraints on what can be done as the code executes. The bedrock of any kind of dynamic analysis — whether it is for security or performance analysis — is the concept of code instrumentation.

What better way is there to learn about an application's health and understand its behavior than to have the application tell you itself?

The concept of probes in an application has been employed in multiple sub-domains of computing, given fancy names, packaged, repackaged and resold. One such instrumentation technique on which many tools have been built is software tracing. Tracing lets us build tools that provide metrics such as program flows, data flows and...