ShiftLeft announced the general availability of its security-as-a-service platform for Microsoft’s .Net Framework. .Net developers can now leverage the commercial source code analysis solution with an OWASP Benchmark Score of 75 percent to create custom security profiles that protect their applications in runtime.
As enterprises modernize their software development practices (such as methods, cloud infrastructure, open source libraries, DevOps automation and microservice architectures), their efficiency gains in feature release velocity strain traditional security practices, which have remained manual.
“.Net Core’s cutting edge developer toolset has attracted development teams that want the latest and greatest,” said Gabe Monroy, Lead Program Manager for Cloud Native Compute at Microsoft Azure.
“ShiftLeft’s ability to remove manual security bottlenecks by fully automating continuous application security across development and production gives .Net developers another leg up on the competition.”
The prevalent vulnerability for .Net applications is information leakage, such as pushing critical data to external logs, code repositories or databases.
Unlike traditional approaches to identifying data leakage, which rely on inaccurate pattern-matching, ShiftLeft plots data flows from inside the application. ShiftLeft identifies which objects and variables are critical and plots their path across sources, transforms and sinks whether they be microservices, open source libraries, commercial SDKs or third-party APIs.
“With Europe’s GDPR, and states like California adopting similar privacy laws, data protection is no longer just finance and healthcare’s problem. The types and volume of data that must be treated as critical is skyrocketing for all industries,” said Chetan Conikee, ShiftLeft CTO and Co-Founder.
“ShiftLeft now enables .Net developers to automatically determine whether or not the new release is inadvertently leaking data, such as logging device tokens in Splunk or unencrypted credit card numbers in S3.”
As .Net Core and Azure have embraced open source, the adoption of open source libraries in .Net applications is growing rapidly. Based on recent statistics from NuGet (package manager for .Net), there exist 127,558 packages at a peak of 11 billion downloads to date initiated by application developers/vendors.
Vulnerabilities discovered in open source packages may affect the applications that include them. Upon the disclosure of every new vulnerability, the application developer has to assess whether such a vulnerability is exploitable in the particular usage context of their applications—a task that is manual and can take several hours per vulnerability.
ShiftLeft’s information flow tracker is designed to analyze both the source code of the application and its libraries as a single unit in order to determine if an input can (or cannot) trigger a vulnerability. This is accomplished within minutes of ShiftLeft analyzing a new release.
“Until now, .Net security teams have been faced with a terrible choice: slow down innovation or release insecure code,” said Manish Gupta, ShiftLeft CEO and Co-Founder.
“In less than 10 minutes, the Code Property Graph can identify why and where an application is vulnerable during the build process and block exploit attempts in production, if a vulnerability is not fixed. This means that even the most advanced CI/CD environments can now release as fast as they want to without ever worrying about security slowing them down.”