ShiftLeft ‘Illuminates’ Insider Attacks within Development Pipelines

ShiftLeft aims to let developers more quickly assess the risk profile of their CI/CD pipelines and codebase. ShiftLeft Illuminate is built with company’s Code Property Graph, an innovation in static code analysis technology.

Tags: CPG, developers, Illuminate, pipelines, ShiftLeft,

ShiftLeft is shipping a new offering to reduce overall risk to organizations' software codebase. 

ShiftLeft's Illuminate product and services can quickly analyze and identify insider attacks, as well as offer remediation advice. 


ShiftLeft builds security software with a developers-first approach by offering near-instantaneous security feedback on software code during every pull request. ShiftLeft's technology is purpose-built to insert security into developer workflows, providing the proper developer with the correct vulnerability information at the right time. 


 "Cybersecurity poses a difficult challenge to supply chains, as an organization may be affected by an attack on any other link in the chain," said Chetan Conikee, ShiftLeft's CTO, in a statement.


In a recent report, ShiftLeft noted 96% of developers report that disconnected security and development workflows inhibit productivity. Using a developer-centric application security workflows can decrease mean-time-to-remediation (MTTR) by as much as 5X, Conikee noted. This improves both security and developer productivity, he added. 


To respond to such increasing risks, ShiftLeft Illuminate is designed to help organizations eliminate insider threats within this vulnerable phase of the development pipeline.


According to Verizon’s 2020 Data Breach Investigations Report, “inside actors” are now responsible for nearly one-third of data breaches.

How ShiftLeft Illuminate Shines a Light on Pipeline Risk 

ShiftLeft Illuminate implements these AppSec techniques, making them easier for teams to adopt. Illuminate performs an architecture review to identify the most likely areas for an insider attack. It then creates a Code Property Graph (CPG) fingerprint of the relevant codebase and identifies sources, sinks and transforms to reduce exposure. 


Running algorithms on the CPG, Illuminate identifies insider attacks and business logic flaws, as well as potentially exploitable areas for insider attack, providing recommendations for reducing future risk. 


In the end, organizations can accurately determine if an insider attack has occurred in their source code. Illuminate also helps teams know what and where to monitor within application architecture in the future, according to Conikee.  


Among ShiftLeft's Illuminate's features are: 


A graph of graphs: The CPG combines many representations of source code into one queryable graph database. For example, the CPG merges graphs from the compiler (e.g., Abstract Syntax Tree, the Program Dependence Graph, etc.) into a single joint data structure. This lets the CPG understand the full flow of information across an application or service. It can map routes across custom code, open source libraries, SDKs, APIs and even microservices.


Data-flow tracker. This feature is interprocedural, so it is responsive to flows, context and fields. In addition, this operates on an intermediate code representation and can perform on-the-fly analysis. The data flow engine provides configurable heuristics as well, so a company can take into account components, maximum path length and number of computation steps.


High-Level Information Flows: With high-level programming languages such as Java, it is not sufficient to track single data flows between APIs to understand the high-level information flow. Information from multiple low-level flows is also needed. By combining descriptors (which describe where data comes from, where it goes, or how it is transformed) with primary data flow with its descriptor flow, ShiftLeft can derive high-level data flows and formulate rules for their classification.


ShiftLeft's execs note that while cyberattacks on the CI/CD pipeline have been "theoretical" for some time, high-profile breaches over the past year have underscored a clear and urgent need for attention to this area. 


"Recent cyberattacks have highlighted the importance of securing the software supply chain and ensuring that the software shipped is the same as the software developed," said Manish Gupta, CEO, ShiftLeft. "Identifying such 'insider attacks' goes beyond taint-based vulnerability analysis. ShiftLeft's Illuminate helps customers insert insider attack detection in the software supply chain to establish non-repudiation of the software shipped at every stage."


ShiftLeft Illuminate also provides Summary Reports for executive and senior level management, as well as Technical Reports of insider attacks, remediation advice and strategic guidance for longer-term improvement. Collectively, these reports demonstrate a comprehensive security assessment of the organization's software development pipeline to eliminate blind spots around software risk.