The Santa Clara, California-based startup also closed a $9.3 million Series A funding round led by Bain Capital Ventures and Mayfield. Individual investors include Sanjay Poonen, COO of VMware; Tobias Knaup, CTO of Mesosphere; and Prabhu Goel, who co-created the hardware description language Verilog.
The company’s name comes from the idea of shifting security concerns to the left in the software development process. “We leverage the ability of CI/CD [continuous integration/continuous deployment] instead of being threatened by it,” explained ShiftLeft CEO and Co-Founder Manish Gupta.
What Is Security DNA?
The company’s new security-as-a-service software analyzes source code and extracts security-relevant details including vulnerabilities, sensitive data, policy information, and coding errors. ShiftLeft calls this “security DNA.”
It then uses this information to create a custom micro-agent to provide runtime protection for each application.
“And we do this every time your software changes,” said Gupta. “It could change once a month or 20 times a day. Then a custom agent gets installed alongside the cloud application while it is running in production and we protect it any time it deviates from that security DNA.”
Understanding the code at runtime allows ShiftLeft to identify an attack and point to the specific line of code that caused the issue, which means it takes less time to mitigate the threat. This code analysis also allows customers to find bugs and provides runtime protection for bugs that are not yet fixed, Gupta said.
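The pattern described above, a static pass over the source that records which code is expected to reach sensitive operations, followed by a runtime check that flags any deviation and reports the offending line, is sketched in the added example below. This is illustrative code written for this article, not ShiftLeft's software; the sink list, the constructed `app.py` sample, the profile format and the proxy-based hook are all assumptions made for the demonstration.

```python
"""Static profile ("security DNA") + runtime guard, as an illustration.

Added example, not ShiftLeft's code. The sink list, the sample application
and the proxy mechanism are constructed assumptions for demonstration only.
"""
import ast
import os
import sys
from typing import Dict, List, Optional, Set

# Constructed sample application. list_dir legitimately reaches os.listdir;
# greet touches no sink; dispatch reaches a sink only through dynamic
# attribute lookup, which a static pass cannot resolve.
APP_SOURCE = '''
import os

def list_dir(path):
    return os.listdir(path)

def greet(name):
    return "hello " + name

def dispatch(action, arg):
    # dynamic attribute access: the static pass cannot tell what this calls
    return getattr(os, action)(arg)
'''
APP_FILE = "app.py"  # constructed file name used when compiling APP_SOURCE

# Assumed list of operations treated as security-relevant sinks.
SENSITIVE_SINKS = {"os.listdir", "os.system", "subprocess.run", "eval"}


def _dotted_name(func_node: ast.AST) -> Optional[str]:
    """Resolve `os.listdir` / `eval` style call targets; None if dynamic."""
    if isinstance(func_node, ast.Name):
        return func_node.id
    if isinstance(func_node, ast.Attribute):
        base = _dotted_name(func_node.value)
        return f"{base}.{func_node.attr}" if base else None
    return None


def extract_dna(source: str) -> Dict[str, Set[str]]:
    """Static pass: map each top-level function to the sinks it may reach."""
    dna: Dict[str, Set[str]] = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            sinks = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    name = _dotted_name(sub.func)
                    if name in SENSITIVE_SINKS:
                        sinks.add(name)
            dna[node.name] = sinks
    return dna


def _find_app_frame(frame):
    """Walk up the stack to the nearest frame executing application code."""
    while frame is not None:
        if frame.f_code.co_filename == APP_FILE:
            return frame
        frame = frame.f_back
    return None


class GuardedModule:
    """Stand-in for a real module: sinks get wrapped, everything else passes."""

    def __init__(self, module, prefix: str, dna: Dict[str, Set[str]],
                 violations: List[dict]):
        self._module, self._prefix = module, prefix
        self._dna, self._violations = dna, violations

    def __getattr__(self, attr: str):
        target = getattr(self._module, attr)
        sink = f"{self._prefix}.{attr}"
        if sink not in SENSITIVE_SINKS or not callable(target):
            return target

        def guarded(*args, **kwargs):
            caller = _find_app_frame(sys._getframe(1))
            if caller is not None:
                func = caller.f_code.co_name
                if sink not in self._dna.get(func, set()):
                    # Deviation from the profile: record file and line, block.
                    self._violations.append({"sink": sink, "function": func,
                                             "file": APP_FILE,
                                             "line": caller.f_lineno})
                    raise PermissionError(
                        f"{func} at {APP_FILE}:{caller.f_lineno} reached "
                        f"{sink} outside its profile")
            return target(*args, **kwargs)
        return guarded


def load_app(source: str, dna: Dict[str, Set[str]], violations: List[dict]) -> dict:
    """Load the app, then swap its `os` binding for the guarded proxy."""
    namespace: dict = {}
    exec(compile(source, APP_FILE, "exec"), namespace)
    namespace["os"] = GuardedModule(os, "os", dna, violations)
    return namespace


def run_demo():
    violations: List[dict] = []
    dna = extract_dna(APP_SOURCE)
    app = load_app(APP_SOURCE, dna, violations)
    app["list_dir"](".")        # within profile: allowed
    app["greet"]("world")       # touches no sink
    try:
        app["dispatch"]("listdir", ".")   # deviation: blocked and recorded
    except PermissionError:
        pass
    return dna, violations


if __name__ == "__main__":
    profile, found = run_demo()
    print("profile:", profile)
    print("violations:", found)
```

The static profile is deliberately simple (one set of sinks per function, no data-flow), which is enough to show the division of labour: the runtime guard only has to compare an observed call against a precomputed expectation and can therefore report the exact application frame and line where the deviation occurred.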
The software is cloud agnostic, and can run in containers and virtual machines. “Because we are inserted alongside your application, it doesn’t matter if there is encryption,” Gupta said. “We are going to see what the application sees.”
ShiftLeft is offering the SaaS on a “try-and-buy” basis, allowing companies to use it free for 30 days before buying a subscription.
RASP Market Growing
Enterprise Management Associates analyst David Monahan said runtime application self-protection (RASP) is a growing market. He expects ShiftLeft’s technology, which is similar to what some advanced endpoint detection vendors are doing, to be well received.
“In a time when patching is such a big part of the security landscape and people are losing their jobs [Equifax] when software flaws are exploited,” Monahan wrote in an email, “the ability to proactively defend software from exploitation, regardless of patches being available or not, is a key capability, especially for Internet-facing applications.”
The startup’s biggest challenge, Monahan said, will be in getting customers to adopt the agent on their production servers. “Companies are always leery of adding more agents to systems, especially in the high-volume servers,” he explained. “Messaging around application protection versus OS protection is going to be key.”