ShiftLeft Achieves Highest Ever SAST Score on OWASP Benchmark
Sep. 12, 2018
SANTA CLARA, Calif.--(BUSINESS WIRE)--Sep 12, 2018--ShiftLeft™ Inc., an innovator in application security, today announced the release of its stand-alone source code analysis product. The ShiftLeft Static Application Security Testing (SAST) product achieved a 75% score on the Open Web Application Security Project (OWASP) Benchmark for Security Automation, Version 1.2. Not only is it the highest SAST score recorded on the Benchmark to date, but it is also nearly three times the commercial average score of 26%.
"Security has always been paramount, but traditional code analysis tools didn’t integrate into our CI/CD pipeline, created too many false positives and were just too slow,” said Harjot Gill, General Manager of Nutanix Epoch. “The accuracy and speed of ShiftLeft’s SAST enables Nutanix Epoch to automatically secure every release without slowing down new feature development.”
The software development life cycle (SDLC) has undergone dramatic changes that application security hasn’t kept up with. “ShiftLeft’s unique approach to analyzing source code allows us to understand software deeply, positioning us as a leader in application security focused on protecting the very source of software-driven innovation: applications. While the SDLC has achieved massive efficiencies from DevOps, cloud adoption, microservices architectures, containerization, etc., application security has been largely stagnant,” said Manish Gupta, ShiftLeft’s CEO and co-founder. “The legacy application security tools force customers to choose between innovation and security. Innovation is prioritized over security, and the resultant insecurity is clear via the constant data breach headlines.”
ShiftLeft’s SAST technology is fundamentally different. “Our approach is based on semantic graphing,” said Dr. Fabian Yamaguchi, ShiftLeft’s Chief Scientist. “We create one multi-layered graph that summarizes code on various levels of abstraction. This enables ShiftLeft to understand the context of what the application fundamentally is and is not supposed to do. From this basis, it becomes much easier to identify deviations as violations or vulnerabilities. In particular, this is critical for identifying complex vulnerabilities that are dependent on a series of conditions across various components that make up the application—for example, a third party SDK that is vulnerable to a deserialization attack when used in conjunction with a certain version of a library that can be found in either programming language or framework. Only by understanding how the components interact with each other can these sophisticated vulnerabilities be easily identified.”
“Furthermore, we’re able to understand abstract information layers instead of merely low-level data flows. So for example, instead of just knowing that code prints data, we also know sources, transforms, sinks, and protocols. Hence, identifying a database sending unfiltered data to http becomes much easier to flag as a reflected cross-site scripting vulnerability.”
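The source / transform / sink view described in the two quotes above can be illustrated with a small, self-contained taint tracker. This is an added example written for this page, not ShiftLeft's code or an approximation of its graph engine: it walks a Python AST, marks variables that receive data from a hypothetical source call (an HTTP parameter or a database read), clears the mark when the value passes through a known escaping transform, and reports any remaining tainted expression that reaches a hypothetical response-writing sink. The source, sanitizer and sink names and the three sample functions are constructed for the demonstration. Only straight-line code inside one function is analysed; branches, loops and calls between functions are out of scope here.

```python
import ast

# Hypothetical API surface for the demo; a real tool has a curated catalogue.
SOURCES = {"request.args.get", "request.form.get", "cursor.fetchone"}
SANITIZERS = {"html.escape", "markupsafe.escape"}
SINKS = {"response.write"}


def _call_name(call):
    """Dotted name of a call target, e.g. request.args.get, or None."""
    parts = []
    func = call.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def expr_taint(expr, tainted):
    """Set of source names that can flow into this expression.

    A sanitizer call stops taint; a source call introduces it; any other
    node (string concatenation, indexing, method calls) propagates whatever
    its children carry, which is the conservative choice for unknown transforms.
    """
    if isinstance(expr, ast.Call):
        name = _call_name(expr)
        if name in SANITIZERS:
            return set()
        if name in SOURCES:
            return {name}
    if isinstance(expr, ast.Name):
        return set(tainted.get(expr.id, ()))
    out = set()
    for child in ast.iter_child_nodes(expr):
        out |= expr_taint(child, tainted)
    return out


def find_flows(source_code):
    """Return (function, source, sink, line) for each unsanitized flow."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {}  # variable name -> set of source names reaching it
        for stmt in func.body:
            # Check sinks first, using the taint state before this statement.
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call) and _call_name(node) in SINKS:
                    for arg in node.args:
                        for src in sorted(expr_taint(arg, tainted)):
                            findings.append((func.name, src, _call_name(node), node.lineno))
            # Then update taint for plain assignments.
            if isinstance(stmt, ast.Assign):
                taint = expr_taint(stmt.value, tainted)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if taint:
                            tainted[target.id] = taint
                        else:
                            tainted.pop(target.id, None)
    return findings


# Constructed sample: a reflected flow, the same flow with escaping applied,
# and a database read written unescaped into the response.
SAMPLE = '''
def vulnerable(request, response):
    name = request.args.get("name")
    greeting = "<h1>Hello " + name + "</h1>"
    response.write(greeting)

def fixed(request, response):
    name = html.escape(request.args.get("name"))
    greeting = "<h1>Hello " + name + "</h1>"
    response.write(greeting)

def stored(cursor, response):
    row = cursor.fetchone()
    response.write(row[0])
'''

if __name__ == "__main__":
    for func_name, src, sink, line in find_flows(SAMPLE):
        print(f"{func_name}: {src} -> {sink} (line {line})")
```

Running it reports the `vulnerable` and `stored` functions and stays silent on `fixed`, because the `html.escape` transform severs the path between source and sink. The third function models the database-to-response pattern from the quote; when the offending data originates in a database rather than the current request, practitioners conventionally file it as stored rather than reflected XSS. The important limitation is the one the quote is about: this tracker sees a single function's straight-line statements, whereas the multi-component cases described above require following the flow across calls, libraries and frameworks.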
View source version on businesswire.com: https://www.businesswire.com/news/home/20180912005289/en/
CONTACT: ShiftLeft™ Inc.
Rich Mullikin, 925-354-7444
SOURCE: ShiftLeft™ Inc.
Copyright Business Wire 2018.