
Vickie Li for ShiftLeft

Originally published at blog.shiftleft.io

Announcing ShiftLeft CORE — A Code Security Platform

We are excited to announce the launch of our new platform, ShiftLeft CORE! The word platform is often overused and misused. Many companies rename their existing products and acquisitions, rearrange their web pages, and call themselves a platform provider. The products often don't work together; they may even require separate setup and onboarding, and in most cases they are simply different products held together with some duct tape!

When we were working on our new offerings and thinking about how to position them, we thought long and hard about whether we are truly a platform or just playing with words to make our product line look "mature". Our team felt that to call ourselves a platform, we needed to meet certain criteria:

  1. The components of the platform should all work off the same underlying technology
  2. Customers shouldn’t have to do anything extra in order to use the different components in the platform
  3. Customers should be able to use all the components in a similar workflow

We believe that, in CORE, we do all these and more. Let’s see how.

Our underlying technology

All of our platform components are built on top of our core technology, the code property graph (a single graph that merges a program's syntax tree, control flow and data dependencies, so that one query can follow a value from where it enters the program to where it is used). Because every component reads the same graph, a single insertion into the build lets ShiftLeft CORE run several analyses over the same application code instead of running one product per analysis: OWASP Top 10 vulnerabilities in custom code, secrets detection, security insights, and a brand new capability, Intelligent SCA.

ShiftLeft CORE is also designed to fit seamlessly into the developer's pull-request workflow, which lowers MTTR (mean time to repair). This has enabled ShiftLeft customers to go from analyzing once every few months to analyzing multiple times per week.

Let’s take a look at the various modules in the platform.

Static Code Analysis

ShiftLeft NextGen SAST (NG SAST) is the highest-scoring SAST on the OWASP Benchmark and consistently outperforms the competition in speed of analysis. NG SAST supports multiple languages: Java, C#, Python, JavaScript/TypeScript, Scala, Go and Terraform, with more on the way. It covers the OWASP Top 10 and the CWE Top 25 along with a range of language-specific vulnerability categories.

Intelligent Software Composition Analysis

ShiftLeft Intelligent SCA uses the concept of "attacker reachability" to prioritize only the subset of open-source vulnerabilities that need mitigation. Using the code property graph, it traces code paths that can lead an attacker from attacker-controlled inputs to the vulnerable open-source code; a vulnerable function that no such path reaches is still a vulnerability in the dependency, but not one an attacker can trigger through this application. In a ShiftLeft study, customers were able to reduce the number of open-source vulnerability tickets by more than 93%.
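To make the idea of attacker reachability concrete, here is an added illustration (not ShiftLeft's code or algorithm): a breadth-first search from the functions that receive attacker-controlled input over a hand-built call graph, reporting which vulnerable dependency functions a path actually reaches. The call graph, entry points and advisory labels are constructed for the example; a real tool derives the graph from the code property graph rather than from a dictionary, and resolves much harder questions (virtual dispatch, reflection, data flow through the library) than a plain call-graph walk does.

```python
"""Toy 'attacker reachability' over a hand-built call graph (added example)."""
from collections import deque

# Constructed call graph: caller -> callees. Names starting with "lib." stand
# for open-source dependency code; everything else is the application's code.
CALL_GRAPH = {
    "http.upload_handler": ["app.parse_meta", "lib.imageio.decode"],
    "http.search_handler": ["app.build_query", "lib.orm.raw_sql"],
    "app.parse_meta": ["lib.yaml.unsafe_load"],
    "app.build_query": [],
    "app.nightly_job": ["lib.xml.parse_external"],   # cron job, no user input
    "lib.imageio.decode": ["lib.imageio.inflate"],
    "lib.imageio.inflate": [],
    "lib.yaml.unsafe_load": [],
    "lib.orm.raw_sql": [],
    "lib.xml.parse_external": [],
}

# Functions whose parameters are attacker-controlled (the HTTP handlers).
ENTRY_POINTS = {"http.upload_handler", "http.search_handler"}

# Constructed SCA findings: vulnerable library function -> advisory label.
# The labels are placeholders, not real CVE identifiers.
VULNERABLE_SINKS = {
    "lib.imageio.inflate": "ADVISORY-A (heap overflow in inflate)",
    "lib.yaml.unsafe_load": "ADVISORY-B (arbitrary object construction)",
    "lib.xml.parse_external": "ADVISORY-C (XXE)",
    "lib.crypto.old_hash": "ADVISORY-D (weak digest; shipped but never called)",
}


def reachable_paths(graph, entry_points, sinks):
    """Return {sink: path} for every sink some entry point can reach.

    Breadth-first search from each entry point; the recorded path is the
    first one found, which is enough evidence to triage the finding.
    """
    found = {}
    for entry in entry_points:
        queue = deque([[entry]])
        seen = {entry}
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in sinks and node not in found:
                found[node] = path
            for callee in graph.get(node, []):
                if callee not in seen:
                    seen.add(callee)
                    queue.append(path + [callee])
    return found


def prioritize(graph, entry_points, sinks):
    """Split SCA findings into attacker-reachable and not-reachable sets."""
    paths = reachable_paths(graph, entry_points, sinks)
    reachable = {s: (sinks[s], paths[s]) for s in paths}
    unreachable = {s: sinks[s] for s in sinks if s not in paths}
    return reachable, unreachable


if __name__ == "__main__":
    hit, miss = prioritize(CALL_GRAPH, ENTRY_POINTS, VULNERABLE_SINKS)
    print("Fix first (attacker reachable):")
    for sink, (label, path) in hit.items():
        print(f"  {label}: {' -> '.join(path)}")
    print("Defer (in the dependency, but no path from an input):")
    for sink, label in miss.items():
        print(f"  {label}")
```

On this constructed graph two of the four advisories are reachable from an HTTP handler (the image inflater and the YAML loader), one is only called from a scheduled job, and one is code that ships in the dependency but is never called at all. The last two still deserve an upgrade eventually; the point of reachability is to decide which tickets block the release.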

Secret Detection

ShiftLeft detects secrets, meaning hard-coded values such as client secrets and username/password pairs, and sensitive information such as phone numbers and addresses. Grepping for such patterns produces many false positives (a commented-out example, a test fixture, a value that is hashed before it goes anywhere); the code property graph instead follows where the value flows and reports it when it is leaked without proper transformation or obfuscation, for example written to a log or a response without being hashed or encrypted first.
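The difference between the two approaches is easiest to see side by side. The following is an added illustration, not ShiftLeft's implementation: a regex "grep" detector and a tiny flow-tracking detector run over the same constructed program, written in a three-statement mini-language (literal assignment, call assignment, bare call) so that the flow tracker can be a few dozen lines. The sanitizer and sink names are assumptions of the example.

```python
"""Grep-style vs flow-based secret detection on a constructed sample (added example)."""
import re

# Constructed sample program in a tiny Python-like language (not real app code).
SOURCE = '''
db_password = "hunter2"
api_token = "tok_live_0123"
digest = sha256(db_password)
log_debug(digest)
log_debug(api_token)
# old default: password = "changeme", rotated in 2019
greeting = "hello"
http_response(greeting)
'''

SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_key)", re.I)
ASSIGN_LIT = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
ASSIGN_CALL = re.compile(r"^\s*(\w+)\s*=\s*(\w+)\((.*)\)\s*$")
CALL = re.compile(r"^\s*(\w+)\((.*)\)\s*$")

# Assumed for the example: calls that make a secret safe to emit, and calls
# that emit data somewhere an attacker or operator could read it.
SANITIZERS = {"sha256", "bcrypt_hash", "encrypt"}
SINKS = {"log_debug", "http_response", "print"}


def _args(text):
    return [a.strip() for a in text.split(",") if a.strip()]


def grep_detect(source):
    """Pattern-only approach: flag every line pairing a secret-like name with a literal.

    Returns the 1-based line numbers it would report. It cannot tell a live
    credential from a comment, and says nothing about whether the value leaks.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if SECRET_NAME.search(line) and re.search(r'=\s*"', line):
            hits.append(lineno)
    return hits


def dataflow_detect(source):
    """Flow-based approach: report a secret literal only when it reaches a sink untransformed.

    Returns (line of the secret, line of the sink, variable, sink function).
    """
    tainted = {}      # variable -> line where the secret literal entered
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comments carry no data flow
        m = ASSIGN_LIT.match(line)
        if m:
            name, _value = m.groups()
            if SECRET_NAME.search(name):
                tainted[name] = lineno
            else:
                tainted.pop(name, None)
            continue
        m = ASSIGN_CALL.match(line)
        if m:
            name, fn, raw = m.groups()
            src = [a for a in _args(raw) if a in tainted]
            if fn in SANITIZERS or not src:
                tainted.pop(name, None)       # hashed/encrypted or clean input
            else:
                tainted[name] = min(tainted[a] for a in src)  # taint propagates
            continue
        m = CALL.match(line)
        if m:
            fn, raw = m.groups()
            if fn in SINKS:
                for a in _args(raw):
                    if a in tainted:
                        findings.append((tainted[a], lineno, a, fn))
    return findings


if __name__ == "__main__":
    print("grep-style hits (line numbers):", grep_detect(SOURCE))
    print("flow-based leaks (secret line, sink line, var, sink):", dataflow_detect(SOURCE))
```

On the sample the grep detector reports three lines: both hard-coded values and the comment. The flow tracker reports one leak: `api_token` reaching `log_debug` in the clear. `db_password` is hashed before it is logged, so it is not a leak, and the comment has no data flow at all. A real product would still report the hard-coded `db_password` literal as a credential to move out of the source; the example isolates the leak question, which is the one a pattern match cannot answer.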

Security Insights

Security insights are potential security issues in the code that may not be exploitable vulnerabilities today but deviate from industry best practice, for example using libraries or methods that are known to pose a security risk unless they are used carefully.

ShiftLeft Educate

Another new offering, ShiftLeft Educate, provides developers with in-context education to help them mitigate security vulnerabilities. For example, for an XSS vulnerability reported in a Java application, targeted training is provided on how to fix XSS vulnerabilities in Java. What's more, the developer can learn, fix the vulnerability, analyze it again, and get immediate feedback on whether the fix worked!

Unified Experience

All these components work together seamlessly, both in workflow and in user experience.

Sign up for a free account today to experience all these features, or attend one of our technical webinars to learn more.
