Review: How ShiftLeft catches vulnerabilities during code development

This combined traffic analysis and dynamic application security testing tool works with nearly any language and CI system, is very easy to use, and integrates directly into the development process.


When cybersecurity experts talk about shifting the fixing of problems to the left, they mean moving that process closer to the birth of the code, which is always at the extreme left side of an application-making flowchart. Errors that are discovered on the right side of that chart, or once an application is already deployed, are costly and could contribute to a data breach. Ideally, code is fixed farther to the left, when it’s still being actively developed.

It’s probably no surprise then that the ShiftLeft platform got its name because it was specifically designed as a tool for developers. It operates most like a combination traffic analysis and static application security testing (SAST) tool, identifying any vulnerabilities in the code or areas that could cause problems once deployed.

Although there is a complex backend regarding how the platform operates, it has an almost nonexistent footprint within an organization. It can integrate with almost any continuous integration (CI) system with the addition of just one or two lines of code. This includes Jira, Bamboo, Jenkins, Docker, TeamCity, Travis, GoCD, CircleCI or even internal or proprietary systems. The code simply links the development process with ShiftLeft so that developers can continue to work within whatever platform they are familiar with using. As such, it only takes a few minutes to deploy.


The ShiftLeft platform can be integrated into any continuous integration system like Jira, Docker, CircleCI, Jenkins, Bamboo and others. Most of the time, it only requires a single line of code.

Pricing for ShiftLeft is based on one of two factors: either how many developers are using the platform, like a seat license, or how many lines of code are being protected. There is also a free version that lets users see all of the features and use ShiftLeft to protect up to 200,000 lines of code.

How ShiftLeft works

ShiftLeft creates a graph mapping how a program or application operates. For example, there might be an access portal sitting over an authentication layer that eventually ends at a database server. The graph includes things like open source libraries, application programming interfaces (APIs) and microservices. The platform uses this graph to plot how a user or service would interact with and within the app, and uses that to help discover vulnerabilities, policy violations and cybersecurity risks. This enables ShiftLeft to perform its analysis very quickly and to consider the application as a whole entity instead of a set of individual data points.

Developers don’t actually see the graphs since they're not necessary to help fix code, so this impressive feature of the engine is largely hidden. Whenever a change to an app is requested, the platform will create a graph and then send it to the ShiftLeft cloud for analysis. All of the heavy lifting is done within the cloud, which is another reason why the analysis is so speedy. In our testing, an app with over 500,000 lines of code was fully analyzed in just one minute.
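To make the graph idea concrete, here is an added example that is not ShiftLeft's engine or code from the article: a toy data-flow graph over a handful of program elements, with a search for any path from attacker-controlled input to a dangerous operation that never passes through a sanitizer. The node names, edge list and the choice of what counts as a sanitizer are all constructed for illustration.

```python
"""Toy graph-based taint analysis, constructed to illustrate why analysing an
application as one graph finds flows that isolated checks miss.
Added example only: not ShiftLeft's engine or API. Node names, edge labels
and the sanitizer set are assumptions made for this illustration."""
from collections import deque

# Constructed mini "code property graph": each node is a program element,
# each edge is a data-flow step (the value at `src` reaches `dst`).
NODES = {
    "http.param(user)": {"kind": "source"},     # attacker-controlled input
    "http.param(page)": {"kind": "source"},
    "escape_sql()":     {"kind": "sanitizer"},  # neutralises the taint
    "int()":            {"kind": "sanitizer"},  # a cast also neutralises it
    "build_query()":    {"kind": "op"},
    "paginate()":       {"kind": "op"},
    "db.execute()":     {"kind": "sink"},       # dangerous if reached tainted
}
EDGES = [
    ("http.param(user)", "build_query()"),   # user flows straight into the query
    ("build_query()", "db.execute()"),
    ("http.param(page)", "int()"),           # page is cast before it is used
    ("int()", "paginate()"),
    ("paginate()", "db.execute()"),
]


def adjacency(edges):
    """Build a successor map from the edge list."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    return adj


def tainted_paths(nodes, edges):
    """Return every source->sink path that does not pass through a sanitizer.

    Breadth-first search over the data-flow graph; each queue item carries the
    full path so the finding can be reported as a readable chain.
    """
    adj = adjacency(edges)
    findings = []
    for src, meta in nodes.items():
        if meta["kind"] != "source":
            continue
        queue = deque([[src]])
        while queue:
            path = queue.popleft()
            for nxt in adj.get(path[-1], []):
                kind = nodes[nxt]["kind"]
                if kind == "sanitizer":
                    continue          # taint stops at a sanitizer
                if nxt in path:
                    continue          # ignore cycles
                new_path = path + [nxt]
                if kind == "sink":
                    findings.append(new_path)
                else:
                    queue.append(new_path)
    return findings


def report(findings):
    """Render findings as one line per unsanitized flow."""
    return ["UNSANITIZED FLOW: " + " -> ".join(p) for p in findings]


if __name__ == "__main__":
    for line in report(tainted_paths(NODES, EDGES)):
        print(line)
```

Run as-is, the search reports the `user` parameter reaching `db.execute()` unsanitized, while the `page` parameter is cleared because it passes through `int()`. Rerouting the `user` edge through `escape_sql()` makes the finding disappear, which is the kind of whole-application reasoning a per-line pattern match cannot do.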

