"We extract what we call the software's security DNA"


Eyes right. US start-up ShiftLeft has emerged from stealth and wants to shift enterprise cloud security strategy from reactive to preventative.

Enterprise Cloud News (Banking Technology‘s sister publication) reports that ShiftLeft offers an alternative to finding vulnerabilities and attacks as they crop up and then defending against them. Instead, ShiftLeft’s service scans application and microservice source code to determine how an application is supposed to behave.

“We extract what we call the software’s security DNA,” Manish Gupta, ShiftLeft co-founder and CEO, tells Enterprise Cloud News.

Then ShiftLeft deploys customised runtime agents that watch application behaviour and block unexpected activity that could indicate an attack.
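The two-stage idea described above (derive an allowed-behaviour profile from the source, then enforce it at runtime) can be sketched in a few dozen lines. The following is an added illustration, not ShiftLeft's code and not a description of its implementation: the sample application, the choice of `open()` and `socket.create_connection()` as the only monitored sinks, the in-memory stand-ins for the disk and the network, and the guard-injection mechanism are all assumptions made for the example.

```python
import ast
import builtins as _builtins
import io
from typing import Dict, List, Set

# Constructed sample application source (stands in for a customer's service).
APP_SOURCE = '''
import socket

def load_config():
    with open("/etc/app/config.json") as f:
        return f.read()

def fetch_prices():
    s = socket.create_connection(("prices.example.internal", 8443))
    s.close()
    return "ok"

def export(path):
    # path comes from the request: a traversal bug would let a caller read
    # files the program was never written to touch.
    with open(path) as f:
        return f.read()
'''

Profile = Dict[str, Set]


def extract_profile(source: str) -> Profile:
    """Static pass: record every literal path passed to open() and every
    literal (host, port) passed to socket.create_connection(). Non-literal
    arguments (export() above) contribute nothing, so at runtime such calls
    must hit one of the known literals or be blocked."""
    profile: Profile = {"files": set(), "hosts": set()}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        fn = node.func
        name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
        arg = node.args[0]
        if name == "open" and isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            profile["files"].add(arg.value)
        elif name == "create_connection" and isinstance(arg, ast.Tuple):
            elts = arg.elts
            if len(elts) == 2 and all(isinstance(e, ast.Constant) for e in elts):
                profile["hosts"].add((elts[0].value, elts[1].value))
    return profile


class _FakeSocket:
    def close(self):
        pass


class RuntimeGuard:
    """Runtime pass: the 'agent'. Wraps the two sinks, allows calls that match
    the static profile, raises PermissionError on anything else, and logs
    every decision. `fs` is a constructed in-memory stand-in for the disk."""

    def __init__(self, profile: Profile, fs: Dict[str, str]):
        self.profile = profile
        self.fs = fs
        self.log: List[str] = []

    def guarded_open(self, path, *args, **kwargs):
        if path not in self.profile["files"]:
            self.log.append(f"BLOCK open {path}")
            raise PermissionError(f"open({path!r}) not in static profile")
        self.log.append(f"ALLOW open {path}")
        return io.StringIO(self.fs[path])

    def guarded_connect(self, address, *args, **kwargs):
        if tuple(address) not in self.profile["hosts"]:
            self.log.append(f"BLOCK connect {address}")
            raise PermissionError(f"connect({address!r}) not in static profile")
        self.log.append(f"ALLOW connect {address}")
        return _FakeSocket()


def load_app(source: str, guard: RuntimeGuard) -> dict:
    """Execute the application with the guard substituted for open() and for
    the socket module (via __import__). Stands in for agent injection."""
    b = dict(vars(_builtins))
    real_import = b["__import__"]

    def guarded_import(name, *args, **kwargs):
        if name == "socket":
            return type("socket", (), {"create_connection": staticmethod(guard.guarded_connect)})
        return real_import(name, *args, **kwargs)

    b["open"] = guard.guarded_open
    b["__import__"] = guarded_import
    ns = {"__builtins__": b}
    exec(compile(source, "<app>", "exec"), ns)
    return ns


def demo() -> List[str]:
    """Run the legitimate paths, then an attacker-chosen path through export()."""
    guard = RuntimeGuard(extract_profile(APP_SOURCE),
                         fs={"/etc/app/config.json": '{"region": "eu"}',
                             "/etc/shadow": "root:*:19000::::::"})
    app = load_app(APP_SOURCE, guard)
    app["load_config"]()
    app["fetch_prices"]()
    try:
        app["export"]("/etc/shadow")
    except PermissionError:
        pass
    return guard.log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Note that the profile is keyed on targets, not callers: `export("/etc/app/config.json")` would be allowed by this guard, since the profile only says which files the program was written to read. A real product would have to enrich the profile with call-site and data-flow information; this example only shows the shape of "derive from source, enforce at runtime".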

ShiftLeft came out of stealth mode after raising $9.3 million from Bain Capital and Mayfield, and from individual investors.

The name comes from the company’s philosophy – shifting security left in the application and microservices deployment process.

Gupta was previously head of products and strategy at security provider FireEye, and before that worked in Cisco’s and McAfee’s security businesses; he has 15 years’ experience in the security field. That experience has given him the perspective to see where conventional security is lacking, he says.

“By focusing on threats, security is inherently reactive,” Gupta says. “We are essentially giving the first move to the bad guy.”

The shift of enterprise software to the cloud gives an opportunity to change the way organisations approach security, and change who’s responsible for providing that security, Gupta says. Previously, enterprises licensed software from third-party vendors, and ran that software on the enterprise’s own premises. The enterprise didn’t have access to software source code, and therefore couldn’t completely protect itself.

But now, more and more applications are provided as Software-as-a-Service (SaaS), or as open source or custom software running in a private or managed cloud. The organisation that runs the software has access to the source code, and can use that source code as the basis for a ShiftLeft scan.

ShiftLeft’s customers are SaaS providers and enterprises running software on private clouds, Gupta says.

The firm’s approach – identifying normal behaviour and tagging unusual activity that might indicate an attack – isn’t unique. Oracle is using a similar technique in the security component of Oracle Management Cloud.

VMware is using the approach in its AppDefense service, launched in August. And it’s the basis for the security component of Cisco’s “network intuitive” strategy.

But Gupta says his company’s service is different because it operates earlier in the application lifecycle, deriving correct behaviour from the source code rather than learning it by watching the application after it is already deployed.