ShiftLeft, Inc. released ShiftLeft Illuminate,
a new solution that leverages ShiftLeft technology to identify insider
attacks, offer remediation advice and reduce overall risk to
organizations' software code base. While cyberattacks on the CI/CD
pipeline have been theoretical for some time, high-profile breaches over
the past year have underscored a clear and urgent need for attention to
this area. ShiftLeft Illuminate will help organizations eliminate
insider threats within this vulnerable phase of the development
pipeline.
According to Verizon's 2020 Data Breach Investigations Report,
"inside actors" are responsible for nearly one-third of data breaches.
Many of these insiders have touchpoints with source code, including
privileged IT administrators, disgruntled former employees and
managerial employees with administrative privileges who can commit code
without review. Organizations should also consider the threat from
business partners with access to code repositories and nation-state
actors weaponizing weaknesses of these parties.
"Recent
cyberattacks have highlighted the importance of securing the software
supply chain and ensuring that the software shipped is the same as the
software developed," said Manish Gupta, CEO, ShiftLeft. "Identifying
such ‘insider attacks' goes beyond taint-based vulnerability analysis.
ShiftLeft's Illuminate helps customers insert insider attack detection
in the software supply chain to establish non-repudiation of the
software shipped at every stage."
ShiftLeft Illuminate performs an architecture review to identify the most likely areas for an insider attack. It then creates a Code Property Graph (CPG) fingerprint
of the relevant codebase and identifies sources, sinks and transforms
to reduce exposure. Running algorithms on the CPG, Illuminate identifies
insider attacks and business logic flaws, as well as potentially
exploitable areas for insider attack, providing recommendations for
reducing future risk. Using Illuminate, organizations can accurately
determine if an insider attack has occurred in their source code,
helping them to know what and where to monitor within their unique
application architecture moving forward.
"Cybersecurity
poses a difficult challenge to supply chains, as an organization may be
affected by an attack on any other link in the chain," said Chetan
Conikee, CTO, ShiftLeft. "In general, individual nodes in a supply chain
(horizontally across SaaS vendors and vertically across the OSS stack)
bear the entire cost of their own cybersecurity investments, but some of
the benefits of the investments may be enjoyed by the other nodes as
well."
Organizations
using ShiftLeft Illuminate are armed with Summary Reports for executive
and senior level management, as well as Technical Reports of insider
attacks, remediation advice and strategic guidance for longer-term
improvement. Illuminate also provides Summary Reports for customers,
demonstrating a comprehensive security assessment of the organization's
software development pipeline to eliminate the blind spot around the
risk of software consumption that exists today.
For more information on ShiftLeft Illuminate, visit the website here.