ShiftLeft Looks to Enhance Developer Engagement & Productivity with New Upgrades

essidsolutions

The company introduced automated testing workflows to its NextGen Static Analysis, aiming for higher developer accountability for security testing, detection and prevention across the software development lifecycle.

ShiftLeft has announced the release of an upgraded version of its code analysis solution for developer workflows. Upgrades to the NextGen Static Analysis (NG SAST) are part of the company’s endeavor to instill the practice of detecting and preventing problems, security flaws or vulnerabilities in application code early in the software development lifecycle (SDLC) or DevOps process, by testing as early and as often as possible. In other words, NG SAST drives AppSec and DevOps professionals to ‘shift left’, i.e., toward the earliest stage of the development plan, where the software’s requirements are defined.


Upgrades to ShiftLeft’s NG SAST are expected to improve the security of software under development while also increasing developer productivity. It is an automated process integrated directly into the SDLC, enabled through continuous testing and continuous deployment.

This is a move away from legacy security implementation practices, in which 96% of developers felt that decoupled development and testing practices hamper productivity.

Izak Mutlu, former VP of Information Security at Salesforce, said, “Deprioritization of security has been the most common approach to balancing AppSec with developer productivity because automating security in developer workflows has historically been prohibitively expensive for all but the most elite security organizations.”

The tradeoff of security against speed is quite low, at 14% for immature DevOps and 35% for mature DevOps.


On being asked whether developers resisted the shift-left approach in the SDLC, with its early, automated testing, Toufiq Ali, Principal Cybersecurity Engineer at Emirates Group, said, “Software developers are at the core of engineering and they need to know what we are doing and why we are doing it. So, it is very important to have this dialogue with your developers. I don’t think they resist the approach; it’s just the idea of change.”

NG SAST now incorporates automated developer-security workflows whose fundamental purpose is to build productive developer engagement into the security context of the SDLC. With them, developers can maintain code quality without compromising timely delivery, and may even reduce mean time to remediation (MTTR). A spokesperson for ShiftLeft said, “This developer-centric approach to code analysis greatly increases security and productivity by delivering the right vulnerability to the right developer at the right time.”

Talking to Toolbox exclusively, Manish Gupta, CEO and Founder of ShiftLeft, said, “The long-term shift to remote work and a greater sense of urgency to innovate is putting renewed velocity pressure on the software development lifecycle. The challenge of releasing software faster means that increasing developer productivity is imperative to improving security without slowing down innovation. Our customers’ results show that integrating developer and security workflows at pull requests enables developers to work most efficiently and drive the biggest security gains.”


The new automated developer-security workflows in ShiftLeft NG SAST engage developers in DevSecOps as follows:

  • Automate code analysis with every pull/merge request
  • Deliver immediate and accurate security feedback directly to each developer making the change
  • Enable developers to fix vulnerabilities, in the same way they address bugs, without leaving their development environment
  • Enable AppSec teams to write security-focused build rules that accept or deny merges, thereby allowing AppSec to scale
  • Help developers adopt secure coding best practices through Security Insights
  • Eliminate manual scanning bottlenecks with unlimited concurrent scans
  • Protect intellectual property by scanning without taking source code outside of their organization
  • Rapidly deploy with self-service on-boarding that doesn’t require network architecture updates, new firewall configurations or expensive professional services
  • Further customize workflows through comprehensive APIs

Thomas Heuckeroth, VP CyberSecurity at The Emirates Group, said, “ShiftLeft’s NextGen Static Analysis gave us the speed and accuracy that we needed to create security feedback loops for our development team without altering their workflows. By scanning every pull request, our software engineers are able to fix vulnerabilities far more efficiently. Not only are we seeing a month-over-month decline in MTTR, but it’s now common for vulnerabilities to get fixed in the same sprint they are found and, most importantly, our engineers really like the process.”
