Nearly three years ago, Chetan Conikee, Manish Gupta, and Vlad A. Ionescu put their collective heads together to develop a software platform that provided robust, code-level security to app developers without adversely impacting workflows. It evolved into software called ShiftLeft (and a namesake Santa Clara startup), which combines vulnerability-detecting static code analysis with app-preserving instrumentation. Since ShiftLeft’s emergence from stealth in 2017, the company has expanded to meet what it describes as “healthy” demand for its product, and today it announced new funding that’ll lay the groundwork for future growth.
ShiftLeft says that it has secured $20 million in series B financing led by Thomvest Ventures and new investor SineWave Ventures, as well as existing investors Bain Capital Ventures and Mayfield. It comes less than 18 months after the company raised $9.3 million in a series A round, and brings its total capital raised to nearly $30 million.
Gupta, who was formerly chief product and strategy officer at FireEye and vice president of product management at Cisco, said the fresh capital will be used to “drive broader adoption” of ShiftLeft’s runtime protection and to “expand” the breadth of its product portfolio, app coverage, and global sales and marketing efforts.
“Our founding vision is that application security needs to be a seamless part of the development process, not an afterthought,” he said. “The problem has long been inaccurate tools and a heavily manual process, leaving security and development teams frustrated and applications vulnerable. ShiftLeft completely upends this paradigm, delivering automated and customized protection for every software release, and the analytics dev teams need to improve on the overall security posture.”
ShiftLeft’s core security-as-a-service offering obviates the need for traditional code-checking security software, Gupta claims, because it conducts a study of apps’ and services’ code and dependencies before runtime and creates an “agent” that protects against exploits as they crop up. It supports virtual machines, cloud infrastructure, containers, and other environments, and automatically identifies external data leakages and shields new versions of programs as they’re deployed.
Perhaps better still, ShiftLeft shows detailed information for each vulnerability, such as the line of code and maps of data flows, and autonomously implements fixes not just in code, but in open source libraries and commercial software development kits (SDKs). Additionally, it supports custom queries and allows users to save those queries as a policy and run them against apps regardless of programming language.
The secret sauce is what Gupta calls the Code Property Graph (CPG), a technology that leverages semantic graphing to create a multilayered graph summarizing code on various levels of abstraction, including abstract syntax trees, control flow graphs, call graphs, program dependency graphs, and directory structures. This enables ShiftLeft’s platform to understand the context of apps and to identify deviations as vulnerabilities.
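To make the idea concrete, here is a toy code property graph built over a few lines of Python: it layers AST parent/child edges and def-use data-flow edges into one graph and then answers a taint query (does data from an untrusted source reach a dangerous sink?) by walking only the data-flow layer. This is an added illustration written for this article, not ShiftLeft's implementation; the function names `user_input` and `run_shell` and the sample program are assumptions constructed for the example.

```python
import ast
from collections import defaultdict, deque

SOURCES = {"user_input"}  # assumed name of an untrusted-input function
SINKS = {"run_shell"}     # assumed name of a dangerous sink

def calls_in(stmt):
    """Names of functions called directly inside one statement."""
    return {n.func.id for n in ast.walk(stmt)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}

def build_cpg(src):
    """Return (statements, edges); edges map a node to [(layer, node)]."""
    tree = ast.parse(src)
    edges = defaultdict(list)
    for node in ast.walk(tree):                      # AST layer
        for child in ast.iter_child_nodes(node):
            edges[node].append(("AST", child))
    defs = {}                                        # variable name -> defining stmt
    stmts = sorted((n for n in ast.walk(tree)
                    if isinstance(n, (ast.Assign, ast.Expr, ast.Return))),
                   key=lambda n: n.lineno)
    for stmt in stmts:                               # DATA layer: definition -> use
        for n in ast.walk(stmt):
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load) and n.id in defs:
                edges[defs[n.id]].append(("DATA", stmt))
        if isinstance(stmt, ast.Assign):             # flow-insensitive: last def wins
            for t in stmt.targets:
                if isinstance(t, ast.Name):
                    defs[t.id] = stmt
    return stmts, edges

def find_flows(src):
    """Source-to-sink paths (as line numbers) following only DATA edges."""
    stmts, edges = build_cpg(src)
    flows = []
    for start in (s for s in stmts if calls_in(s) & SOURCES):
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            if calls_in(path[-1]) & SINKS:
                flows.append([s.lineno for s in path])
            for layer, nxt in edges[path[-1]]:
                if layer == "DATA" and nxt not in path:
                    queue.append(path + [nxt])
    return flows

SAMPLE = """
name = user_input()
greeting = "hello " + name
safe = len(greeting)
run_shell(greeting)
run_shell("ls")
"""  # constructed sample: only the first run_shell call is reachable from user input
```

Running `find_flows(SAMPLE)` reports the single tainted path through lines 2, 3 and 5; the `run_shell("ls")` call on line 6 has no incoming data-flow edge and is correctly left out.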
Gupta says that ShiftLeft achieved a 75 percent score on the Open Web Application Security Project (OWASP) Benchmark for Security Automation, the highest score ever recorded, and that it enables the average developer to analyze 500,000 lines of code in less than 10 minutes.
“Security has always been paramount, but traditional code analysis tools didn’t integrate into our … pipeline, created too many false positives and were just too slow,” Harjot Gill, general manager of Nutanix Epoch, a ShiftLeft customer, said. “The accuracy and speed of ShiftLeft enables Nutanix Epoch to automatically secure every release without slowing down new feature development.”
ShiftLeft is a paid service, but offers a free 30-day trial.