Review: How ShiftLeft catches vulnerabilities during code development

This combination traffic analysis tool and dynamic application security testing tool works with nearly any language and CI system, is very easy to use, and integrates directly into the development process.


When cybersecurity experts talk about shifting the fixing of problems to the left, they mean moving that process closer to the birth of the code, which is always at the extreme left side of an application-making flowchart. Errors that are discovered on the right side of that chart, or once an application is already deployed, are costly and could contribute to a data breach. Ideally, code is fixed farther to the left, when it’s still being actively developed.

It’s probably no surprise then that the ShiftLeft platform got its name because it was specifically designed as a tool for developers. It operates most like a combination traffic analysis and static application security testing (SAST) tool, identifying any vulnerabilities in the code or areas that could cause problems once deployed.

Although there is a complex backend regarding how the platform operates, it has an almost nonexistent footprint within an organization. It can integrate with almost any continuous integration (CI) system with the addition of just one or two lines of code. This includes Jira, Bamboo, Jenkins, Docker, TeamCity, Travis, GoCD, CircleCI or even internal or proprietary systems. The code simply links the development process with ShiftLeft so that developers can continue to work within whatever platform they are already familiar with. As such, it only takes a few minutes to deploy.


The ShiftLeft platform can be integrated into any continuous integration system like Jira, Docker, CircleCI, Jenkins, Bamboo and others. Most of the time, it only requires a single line of code.

Pricing for ShiftLeft is based on one of two factors: either how many developers are using the platform, like a seat license, or how many lines of code are being protected. There is also a free version that lets users see all of the features and use ShiftLeft to protect up to 200,000 lines of code.

How ShiftLeft works

ShiftLeft creates a graph mapping how a program or application operates. For example, there might be an access portal sitting over an authentication layer that eventually ends at a database server. The graph includes things like open source libraries, application programming interfaces (APIs) and microservices. The platform uses this graph to plot how a user or service would interact with and within the app and uses that to help discover vulnerabilities, policy violations and cybersecurity risks. This enables ShiftLeft to perform its analysis very quickly and consider the application as a whole entity instead of a set of individual datapoints.

Developers don’t actually see the graphs since they're not necessary to help fix code, so this impressive feature of the engine is largely hidden. Whenever a change to an app is requested, the platform will create a graph and then send it to the ShiftLeft cloud for analysis. All of the heavy lifting is done within the cloud, which is another reason why the analysis is so speedy. In our testing, an app with over 500,000 lines of code was fully analyzed in just one minute.

No actual application code ever leaves the organization, just the graph data. And that data is heavily encrypted. That should satisfy most organizations, but for those that are especially wary or under strict regulations that don’t allow any data to leave their networks, ShiftLeft analysis can be done on premises. Running on premises might increase scan times and would also eliminate the use of the cloud-based ShiftLeft control panel and user interface, but it works if it has to be done that way. Data generated by the platform can also be sent via API to a security information and event management (SIEM) tool.

Most developers will instead get a report about any vulnerabilities that ShiftLeft has discovered and be provided a link to read a more detailed description. The link will take them to their ShiftLeft login screen where they enter their credentials, or will drop them right into the interface if they are already logged in on the machine where they are working.


In addition to just flagging problems, the ShiftLeft platform gives a detailed description about the vulnerabilities it discovers. This includes links to sources of information about relevant topics. Administrators can add specific links to these descriptions, such as pages of information from internal company sources.

Testing ShiftLeft

The main dashboard for ShiftLeft is highly graphical and sorts vulnerabilities using the traditional severity designations, with each problem marked critical, moderate or informational (low priority). Everything is clickable and drilling down into a problem or potential problem is easy.


The dashboard is accessible through a cloud portal and shows in great detail any code that fails to comply with policy or which has cybersecurity vulnerabilities.

ShiftLeft is extremely detailed when describing a discovered problem or vulnerability. It shows the specific problem discovered, the severity of the issue, and the lines of code involved. It also separates pre-existing problems from newly discovered ones, such as those that were created due to recent changes in the application’s code.

The platform does a good job of explaining why a vulnerability is dangerous and how to generally go about fixing the problem. This explanation section includes links to helpful sources like the Open Web Application Security Project (OWASP) that offer more detail about the specific issue discovered. And if a company has a preferred source of information, like an internal cybersecurity database, administrators can add their own links.

One of the more impressive features of the ShiftLeft platform is its ability to discover not only actual cybersecurity problems, but also potential trouble spots hidden within the code. To test this, we loaded up an application that was designed to help sort medical records at a hospital or clinic. We added what should have been a simple command line, asking the application to create a log file of its activities. ShiftLeft identified this as a dangerous potential problem and blocked the change.


Here a suggested code change to an app in the test network is being flagged by ShiftLeft because there is no validation process, meaning a hacker or even a user could potentially exploit the system.

Diving into the problem, it was clear that ShiftLeft flagged our new command because there was no verification or authentication process associated with it. The ShiftLeft platform, working through the graph that it created to represent the app, discovered that without any authentication, a malicious user could perhaps manipulate the new command using code injection to view log files or even compromise patient data. Since this was a healthcare application, it would be subject to Health Insurance Portability and Accountability Act (HIPAA) regulations. This elevated the potential problem to a critical vulnerability, since protected patient data could be exposed.


In addition to looking for coding problems, ShiftLeft can identify areas where sensitive data like credit card numbers or personal information might be exposed to unauthorized users should an app make it into the production environment.

The platform explained the potential problem and the reason for the severity and suggested a few relatively easy fixes, mostly by adding authentication or generating a log file in a different way. Once fixed, ShiftLeft checked to make sure that adding the command was accomplished in a secure way.
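As an added illustration of the finding described above (example code written for this review page, not the test application's or ShiftLeft's own code), the snippet below shows an unvalidated, user-supplied log-file name beside a hardened version that restricts the name and confirms the resolved path stays inside an approved log directory. The `LOG_DIR` temporary directory, the `.log` naming rule and the sample log entries are constructed for the example.

```python
from pathlib import Path
from typing import Iterable
import re
import tempfile

# Constructed stand-in for the application's approved log directory.
LOG_DIR = Path(tempfile.mkdtemp()).resolve()

# Only plain file names are acceptable: no path separators, no leading dot,
# and a fixed .log suffix. This rule is an assumption made for the example.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.log$")


def resolve_log_path_unsafe(requested: str) -> Path:
    """'Before': the command-line value is joined to LOG_DIR as-is.
    A traversal string or an absolute path escapes the directory, which is
    the missing-validation data flow the review describes."""
    return (LOG_DIR / requested).resolve()


def resolve_log_path_safe(requested: str) -> Path:
    """'After': reject anything but a plain .log name, then confirm the
    resolved path is still directly inside LOG_DIR (second check guards
    against normalisation surprises)."""
    if not _SAFE_NAME.fullmatch(requested):
        raise ValueError(f"rejected log name: {requested!r}")
    target = (LOG_DIR / requested).resolve()
    if target.parent != LOG_DIR:
        raise ValueError(f"log path escapes log directory: {target}")
    return target


def log_name_is_rejected(requested: str) -> bool:
    """True when the hardened resolver refuses the requested name."""
    try:
        resolve_log_path_safe(requested)
    except ValueError:
        return True
    return False


def write_activity_log(requested: str, entries: Iterable[str]) -> Path:
    """Create the activity log through the hardened path check. Newlines
    inside an entry are flattened so one record cannot forge extra lines."""
    target = resolve_log_path_safe(requested)
    with target.open("a", encoding="utf-8") as fh:
        for line in entries:
            fh.write(line.replace("\r", " ").replace("\n", " ") + "\n")
    return target
```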

The bottom line

Shifting the discovery and fixing of application vulnerabilities closer to the development process is a goal that most enterprises should embrace. Not only does doing that reduce the possibility of a data breach, but it is also less costly and time consuming than waiting until later. However, this means that tools must be designed for use by the developers, and that is what ShiftLeft has accomplished with their platform.

ShiftLeft works with nearly any language and CI system, is very easy to use, and integrates directly into the development process without any additional training needed. It would be a welcome addition for any organization trying to get an early start on fixing vulnerable code long before it reaches a production environment.

Copyright © 2020 IDG Communications, Inc.
