Technology is accelerating at an unprecedented rate and companies with little digital footprint or experience in application security are struggling to keep up. With more and more breaches and vulnerabilities being detected in applications, people are shifting blame like it’s a game of hot potato. But it doesn’t have to be that way.
With the Shifting Left Virtual Conference rapidly approaching, Rebecca Auguste sat down with the CEO of ShiftLeft, Manish Gupta, to discuss how developers and application security teams can better collaborate to increase application security efficacy. The two talked about ShiftLeft’s strategy, how innovation and security can be at odds with one another, adopting modern solutions and everything in between.
What is ShiftLeft?
ShiftLeft is a next generation application security company. As companies are rapidly adopting the cloud, developing software ever faster so they can deliver features to their customers and drive ever increasing revenue, in that race we are starting to leave security behind because we are still using legacy tools. The idea is we need to shift left and we have to start fixing vulnerabilities as early on as possible in the process, thereby reducing our cyber risk.
Are innovations and security at odds with each other now?
Historically they have been. Use of legacy technologies in a modern pipeline forces customers to choose between being agile, delivering feature functionality faster, or getting better at security. At ShiftLeft we are starting to show through our customer successes that it doesn’t have to be that way. We can become more agile and we can become more secure.
Here are some important statistics from ShiftLeft customers:
- If you’re doing automated enforcement in ShiftLeft you are fixing 91.8% of the vulnerabilities.
- If you’re not doing automated enforcement but you’re using a modern solution like ShiftLeft you’re fixing 58% of vulnerabilities in the first sprint.
- If you’re still stuck with a legacy solution, your team isn’t fixing 60% of the vulnerabilities ever – forget if it’s the first, second or third sprint. It becomes technical debt.
So why aren’t people adopting modern solutions like ShiftLeft and ditching legacy solutions?
Legacy solutions ask developers to slow down because they have to take a few hours to go scan and dump a long list of vulnerabilities. For the developer, seeing hundreds of vulnerabilities is like being a deer in the headlights. Because it’s a mountain of work, it’s easy for developers to want to ignore the problems. The question shouldn’t stop at “what are our applications consisting of?” The real problem gets solved when we start asking what our applications contain, what vulnerabilities they have that can be exploited, and therefore how quickly we can fix them. It’s all about moving to be proactive, not reactive.
How can development and security teams better collaborate to increase the efficacy of security with applications and software?
It’s extremely important for us to realize that developers are not responsible for security. Developers are measured and compensated to deliver feature functionality on time and to provide that feature functionality with minimum bugs. But bugs are not vulnerabilities. There is a lot of talk in the industry that developers should become responsible for application security. We aren’t there today, but we can get there eventually.
There are two important application personas:
- Application security: Application security has mile-wide but inch-deep knowledge of applications and is compensated on app security improvements.
- Developers: Developers have mile-deep but inch-wide knowledge of software because they are so focused on their own code.
Both personas are required because application security cannot fix vulnerabilities in applications; the developer must do that. But developers aren’t going to want to do that unless that work is prioritized by application security.
Key takeaway? Collaboration is essential to application security.
We need to create a workflow that allows application security to meet their end goals such as: What are the vulnerabilities of an application? What are the critical vulnerabilities? How can I provide these vulnerabilities to the developer in a developer workflow without asking them to go to a different console so they can fix vulnerabilities as quickly as possible? We need to start seeing a workflow that allows both application security and developer personas to work collaboratively to improve application security.
Shifting Left 2.0 is a two-day virtual conference taking place from 9 a.m. to 2 p.m. PDT on June 22nd-23rd that dives deep into application security in the modern tech space. To register for free and to check out the full agenda, visit the Shifting Left 2.0 website.