Today, application security testing platform ShiftLeft announced that it had raised $29 million in additional funding from SYN Ventures and Blackstone Innovations Investments, which will be used to accelerate product development and expand the solution’s coverage of cloud native application architectures and languages. 

ShiftLeft’s AppSec code security platform, ShiftLeft Core, enables enterprises to use static application security testing (SAST) and software composition analysis (SCA) to scan application code and third-party libraries for security issues and vulnerabilities.

The solution searches for vulnerabilities from the perspective of an attacker and prioritizes the ones an attacker is most likely to exploit, while providing developers with step-by-step guidance on how to remediate them.

For enterprises, ShiftLeft provides a solution that enables security teams and developers to quickly identify application-level vulnerabilities, so they have more time to spend writing high-performance, secure application code. 

Making the AppSec experience more user-friendly  

The announcement comes as more organizations are struggling to secure the applications used within their environments, with research showing that 34% of applications had a serious vulnerability in 2021, an increase of 21% from 2020, while 13% of applications had one to two serious vulnerabilities. 

For this reason, many organizations are turning to application scanning solutions to find and mitigate these vulnerabilities before an attacker can. The problem is that most traditional SAST solutions offer little help in prioritizing the high volume of vulnerabilities discovered.

“Most applications have more vulnerabilities than can be reasonably addressed by security and development teams. But not every application vulnerability needs to be fixed,” said Manish Gupta, CEO and cofounder of ShiftLeft.

“Traditional SAST and SCA solutions simply produce lists of hundreds or thousands of vulnerabilities, only prioritized based on CVE criticality. ShiftLeft takes a modern approach where we look at applications as a whole, including their custom code and open-source dependencies, to uncover all of the vulnerabilities in the code,” Gupta said. 

Gupta also explained that the ShiftLeft CORE platform analyzes an application’s data flows to identify which vulnerabilities can be exploited by the attacker. This prioritization model means that developers don’t have to waste time mitigating low-risk vulnerabilities or sifting through false positive alerts. 

According to Gupta, it’s a model that’s highly effective, enabling ShiftLeft customers to fix 92% of their riskiest vulnerabilities in less than 20 days. 

The AppSec market  

ShiftLeft’s growth has occurred alongside the development of the wider application security market, which researchers valued at $6.2 billion in 2020, and estimate will reach a value of $13.2 billion by 2025, as cybercriminals target business applications. 

The provider is competing against a range of other application security vendors, including legacy providers like Veracode, a nine-time Gartner Magic Quadrant Leader in Application Security Testing.

Veracode offers a solution for enterprises to conduct SAST, SCA, Dynamic Application Security Testing (DAST), public web application scanning, and manual penetration testing. Earlier this year, the company announced it had grown its revenue by 13% and had fixed over 16 million security flaws to date.

Another recent entry to the market that’s competing with ShiftLeft is Snyk, a developer security platform, which most recently raised $530 million and achieved a valuation of $8.5 billion.

Snyk uses security intelligence to continually scan, identify and automatically fix vulnerabilities in developers’ code.

Currently, the main differentiator between ShiftLeft and these competitors is its emphasis on prioritizing the vulnerabilities that attackers are most likely to exploit, so that developers can focus on finding fixes for those risks.
