Security vendor ShiftLeft said today that it raised $20 million in Series B funding, bringing the startup’s total to almost $30 million. Thomvest Ventures and SineWave led the Series B, with existing investors Bain Capital Ventures and Mayfield also participating.
The new investment comes less than 18 months after the startup’s Series A, which raised $9.3 million. ShiftLeft CEO and co-founder Manish Gupta told SDxCentral that he expects more rounds in the future. The latest funding will be used to build adoption of the platform and the applications it covers. The company also will build its global sales and marketing initiatives. Along those lines, it hired Jim Sortino as vice president of worldwide sales. Sortino previously worked at Trend Micro and Dome9 Security.
ShiftLeft launched in October 2017. A year later, last September, ShiftLeft’s technology scored a true positive rate of 100 percent, with 25 percent false positives in the Open Web Application Security Project (OWASP) Benchmark for Security Automation, Version 1.2 testing. That beat the commercial average by 45 percent, according to a company white paper.
Identifying the Problem
ShiftLeft, whose customers include Nutanix, Raytheon, and Tavant, works from the inside out. Instead of focusing on guarding the perimeter around an application, ShiftLeft uses what it calls its code-informed runtime protection to understand the vulnerabilities in an application that malicious software may try to exploit and, using that as a guide, create defenses that keep the malicious code from doing damage.
Gupta’s explanation of what the technology does is complex on one level but simple on another. The core is the Code Property Graph. It creates a precise portrait of the application being protected. Elements mapped include abstract syntax trees, control flow graphs, call graphs, program dependency graphs, directory structures and others, he says. This enables ShiftLeft to understand the context of the application, allowing it to identify deviations and, if they are vulnerabilities, take action.
The idea is that the best way to protect applications is to know where they are weakest. “This is especially critical for identifying complex vulnerabilities that are dependent on a series of conditions across various components that make up the application,” he wrote in an email to SDxCentral. “Only by understanding how these components interact with each other can these complex vulnerabilities be identified.”
The deep information is used to give microagents their marching orders. “The microagent knows exactly where the application is vulnerable and where it is not vulnerable,” Gupta wrote. “This means the microagent can be much more precise in how it protects the application (through blocking or alerting, etc.) so the impact on latency is minimal, and the memory and CPU footprints are also quite small.”
Gupta suggests that ShiftLeft is particularly relevant in a DevOps world. Security in this fast-paced environment is incompatible with traditionally slow app security processes. “By combining code analysis with runtime protection, ShiftLeft can automatically deploy code-informed microagents for every version of every software release that know exactly how each application is vulnerable, and thus, how to protect it most effectively. This fully automated process integrates into a DevOps pipeline,” he wrote.
The company also today announced an advisory board. It consists of Bob Flores (former CIA CTO), Craig Rosen (CISO of AppDynamics), Shahar Ben Hador (CIO of Exabeam), Aaron McKeown (head of security engineering and architecture at Xero), Manish Arya (founder and CTO of Tavant) and Yonatan Ryabinski (chief enterprise architect at Vanguard).
Other Security Funding
In other security firm funding news, PerimeterX this week secured $43 million in its Series C. The round is led by Scale Venture Partners, with participation from Adams Street Partners, Canaan Partners, Vertex Ventures and Data Collective. Scale Venture Partners’ Ariel Tseitlin has joined the company’s board.
The company protects enterprises against takeover from brute force botnet attacks. GrubHub, Puma, Skyscanner, Zillow, and many Fortune 500 organizations use PerimeterX’s platform to defend against cybersecurity threats. The company says it will use the new funding to expand its product portfolio.