Market Overview

ShiftLeft Demonstrates Comprehensive Application Protection in the First Test of Its Kind

Share:

In the 14-day test, ShiftLeft completely protected an application by
preventing all exploit attempts

ShiftLeft™ Inc., an innovator in application security, today announced
the industry's first public real-world benchmark of its continuous
application security solution. The test measured ShiftLeft's ability to
protect a vulnerable application against exploit attempts made by some
of industry's best white-hat hackers. Cobalt.io, the leader in Pen
Testing as a Service, performed the penetration testing to provide
ethical hacking expertise and an objective third-party perspective.

Lab-based testing provides standardized results, but it cannot emulate
the unpredictability of human-driven real-world hacking scenarios. In a
lab, common tools may be used to probe the application for potential
weaknesses. In the real world, these tools merely inform the attacker,
who then seeks to exploit subtle nuances using more complex attacks.

"ShiftLeft's ability to analyze an application in development, in order
to automatically protect it in production, enables the company to
benchmark themselves in unique ways," said Vik Phatak, CEO of NSS Labs.
"This aligns well with the fast pace of the modern software development
lifecycle."

The testing methodology started by developing an application that
included six (6) of the relevant OWASP Top 10 vulnerabilities, including:

         
OWASP Category       Vulnerability Type
A1-Injection       SQLi
A2-Broken Authentication       HTTP secure cookie
A4-XML External Entities       XXE
A5-Broken Access Control       Path traversal
A8-Insecure Deserialization       Java deserialization
A9-Known Vulnerabilities       Known OSS vulnerability
     

Next, two instances of the application were created. One instance was
hosted without any security protection. Another instance was protected
by ShiftLeft, which extracted the application's security DNA in order to
create a custom security profile that protected the application in
runtime.

Finally, Cobalt.io performed a 14-day penetration test against both
applications. Cobalt.io had 3 white-hat hacking experts attack both
applications with any and all tools and methods. Cobalt.io was able to
find and exploit all 6 vulnerabilities in the unprotected test
application. However, the application protected by ShiftLeft could not
be exploited during the test.

"After discovering several vulns in the unprotected application, our
experts could no longer exploit in-scope vulns with the ShiftLeft
protection in place," said Brian Levine of Cobalt.io.

"Legacy security products are tested in a legacy fashion: in a test lab,
where known tools throw known attack patterns to see if the security
products can detect the attacks. This does not represent the real world,
where the hackers are not limited to using known tools," said Manish
Gupta, CEO and co-founder of ShiftLeft. "At ShiftLeft, our mission is to
protect the application without ever reacting to threats. I am excited
to see the positive results of this test, as they demonstrate the power
of the ShiftLeft solution."

About ShiftLeft

ShiftLeft™ Inc., is an innovator in application-specific cloud security,
delivering the industry's first fully automated Security-as-a-Service
(SECaaS) solution that understands the unique security needs of each
version of each application and creates custom security and threat
detection for it. With ShiftLeft, DevOps can make threat detection part
of their continuous integration/continuous deployment (CI/CD) process.
ShiftLeft's approach allows teams to both protect their applications
immediately and enhance the security posture of their code. The company
was founded by a team with extensive backgrounds in security and cloud
infrastructure who were early innovators of technologies such as
sandbox, Next Generation Firewall, Next Generation Electronic Payment
network and Fraud Modeling, and several open source initiatives.
Headquartered in Santa Clara, Calif., ShiftLeft is backed by Bain
Capital Ventures and Mayfield. For more information, see https://www.shiftleft.io/.

View Comments and Join the Discussion!