#BackedbyBCV: Baking Security In From The Start — Why I Invested In ShiftLeft

The post below was originally published on LinkedIn on November 8, 2017. In October 2017 ShiftLeft came out of stealth and announced Bain Capital Ventures as an investor.

By Enrique Salem, Managing Director, Bain Capital Ventures

I have been in the security industry for close to 30 years, and I am always thinking about the best way to change how security is done.

We security professionals are engaged in a never-ending contest with the bad guys who always appear better financed and who have fewer restrictions on how they operate. Our victories often seem elusive and fleeting. The explosive growth in the number of connected devices has only made things tougher.

Every year we see more evidence that the current approach to security isn’t working. Companies are unable to protect themselves from the increasingly complex threats because they are using outdated security tools. Perimeter- and endpoint-based approaches to security are no longer working in our cloud-based and application-centric world.

Unsecured Code Is Widespread

Criminals have been profiting from security failures, including use of unsecured code, for many years. CAST, a software analysis and measurement firm, analyzed more than 1 billion lines of code and found that a “significant amount” of unsecured code is currently in use and that the overall quality of too many mission-critical functions is poor.

To fight the criminals and to secure code, we at Bain Capital Ventures have looked at static and dynamic code analysis tools and runtime application self-protection (RASP) vendors. Unfortunately, we don’t believe any of these solutions will be embraced by both the DevOps community and the software developers. But where others have failed, we feel that ShiftLeft will be successful.

ShiftLeft — a cybersecurity startup — offers a unique approach to how security is built into applications. ShiftLeft has created a technology that allows the company to extract the security DNA of applications without creating burdens for the software development, DevOps, or quality assurance (QA) teams. In short, they have baked security into the software development process in a low-friction way, delivering security inside the app. I see that as a modern approach to delivering security in the application development process.

Extracting Security DNA

This dynamic startup is able to extract security-relevant information right from the start and every time the application changes. This information is used to generate the application’s Security DNA, which then informs and drives runtime protection. An application’s Security DNA is the sum of everything in its code that affects its security.

ShiftLeft’s product protects the application from known and unknown vulnerabilities and data leakage. ShiftLeft’s innovative platform can:

  • Detect threats without affecting continuous delivery;
  • Catch vulnerabilities during build time and automatically protect against anything that falls through the cracks at runtime;
  • Prevent data leaks, including for hard-to-address scenarios such as when a developer unintentionally writes sensitive data to a third-party application programming interface;
  • Enable safe open source software use by finding out if the software usage is causing contextual vulnerabilities; and
  • Reduce mean time to repair (MTTR) by pinpointing specific lines of problem code in runtime, thus eliminating costly debugging and freeing up the development teams to focus on building great software.

The uniqueness of ShiftLeft’s technology centers around its process of extracting the security DNA, its accurate focus on each individual application, and its ability to build runtime modules that can enforce policy controls without creating overhead. The big thing that the platform does, from my vantage point, is to remove the burden of security from the development and QA teams.

The ShiftLeft team has a great mix of experience. We feel that the team brings together security, DevOps, and open source expertise, which is unique in the application security market.

It is clear that there is still opportunity to drive innovation in how security is delivered in applications, and I truly believe that ShiftLeft is one of the real innovators in this security space.

Author Bio: Enrique Salem is a managing director at Bain Capital Ventures, focusing on infrastructure software and services with a specialization in cybersecurity. He has close to three decades of executive experience in technology and security, having previously served as the president and CEO of Symantec.

Originally published at www.linkedin.com