Hot on the heels of winning the Security Trailblazers Award, ShiftLeft’s CEO Manish Gupta talks to Chief Trailblazer Rose Ross at RSA Conference 2020 in San Fransisco. Manish explains how ShiftLeft has drastically improved the efficiency and effectiveness of code analysis.
He also explains how the passion to solve a particular problem should be at the core of a startup. As he says “ideas are a dime a dozen, it’s the execution that’s super important for a startup”. Listen to the full podcast at:
RR: I’m here with Manish Gupta who is the CEO and founder of ShiftLeft. Welcome and hello Manish, its lovely to meet you, and congratulations on your win! Fresh out of the gate, only announced on Monday, and here you are at RSA.
MG: Super excited, thank you so much. Thank you to your readers, and your panel for selecting us. We couldn’t be prouder for where we are.
RR: Brilliant, and it’s a nice way to kick-off the RSA week, because it’s always a tough one, always a tough one. We were chatting just before the start of this, about where you come from and the success you’ve experienced with FireEye, the stuff that you’ve done at Cisco, and McAfee. So RSA is in your blood now as a conference and a place to be.
Could you perhaps give us a brief description of ShiftLeft, because as we were about talking earlier, ShiftLeft is not just your company, it’s also a way of thinking, it’s a position, a mission, within the IT community now. So, tell us a little bit about where the idea came from, and what it’s all about.
MG: Indeed, let me take you a little bit back on my journey through FireEye, Cisco, and McAfee, because that’s very relevant. Across those three companies, about 16 years, I spent detecting viruses, worms, nation state attackers, modern malware, at FireEye. It was circa 2015 when I was talking to customers, and everyone was telling me that they’re developing more software, and they’re developing it ever faster. What’s more is people are increasingly, companies are increasingly, deploying that software in the hybrid cloud, AWS, Azure. When I looked at that it was like everything around us is being driven by software, whether it is applications, whether it is mobile applications, whether it is self-driven cars.
Having been in security for about 15-16 years, I also knew that there is no way we are going to get better at security if we continue to react to threats. Why? Because we see way too many of them every day, it’s about 350,000 pieces of new malware are seen every day. So, if you’re reacting to those threats, you’re allowing the bad guy to shoot first, and then you’re trying to react. So, that’s when I felt that if we’re going to get better at security we have to fundamentally shift security left, which means that we have to allow, we have to enable, developers to develop software more securely.
As I came to the realisation, the next step was, okay, well now that I believe that’s what needs to happen, what are the solutions that are available in the marketplace? What I found was, all the solutions that the customers were using were about 15 to 20 years old, and even the software development has changed so significantly in the last five years. Using all of these legacy sort of code analysis solutions was creating a lot of friction; they’re very slow, they’re very inaccurate, and so the whole process of running code analysis, looking at the scans, prioritising them, takes too long. As a result many companies, what they do is, they’re developing perhaps and releasing on a daily or a weekly basis, but they’re only doing code analysis once a month because it’s so time consuming.
And so that is what gave rise to ShiftLeft, to, for the first time, come up with a code analysis solution that is built for the modern software development life cycle. So in 2016 when we started the company, we called it ShiftLeft which back then was a very rarely used or understood term, and yes we’re very excited to fast forward in 2020, and it’s like a verb being used by many customers across the globe. I constantly run into even larger companies who are saying, ‘Manish, we have an internal project called ShiftLeft’. So, it’s great.
RR: Yes, very much ahead of the curve there. That was your focus and it’s obviously been inspired by your conversations, many, many, many conversations when you were working at FireEye and obviously taking that from an idea to a reality, and obviously we’d like to think that the accolade that you’ve received is a reflection of what you’ve achieved, because it’s not just about having a great conceptual product, but it’s also how you’re taking that to market, and making that a difference. So, for software development teams who have embraced Agile development, you now also have a platform that allows them to do that securely, but without the hinderance perhaps of some of the lag that they were experiencing before.
MG: Indeed, ideas are a dime a dozen, I think it’s the execution that’s super important for a startup to get to where we’ve gotten to, and execution is of course dependent heavily on the team. So we’re very, very fortunate to have put together the team that we have put together; brilliant minds, very passionate, very competent to this very notion of how we’re going to shift security left. And yes, to your point we now have a platform. We are now helping customers to do code analysis as far left in the development cycle as possible, which is the modern pull request. Pull request, through platforms like GitHub, GitLab, are becoming the way for developing software, and every time a developer makes a change he is doing a pull request, and as we’re inserting code analysis at that very stage, we are giving the developer, whilst the entire context of the chain that he made is fresh in his mind, we’re telling him, ‘Here are the things that are wrong, here are the vulnerabilities that your change is causing. Please fix them’.
So while that is one part, we also are cognisant that security also has a very important role to play, they are the ones who have a company-wide view of what security is desirable, how much risk they’re willing to take, and perhaps what is happening in the macro environment in terms of threat landscape. So, security now for the first time can institute policies, define policies, to say any time a pull request creates more than for example three critical vulnerabilities, we need to fail the pull request. So, this allows security to provide automated feedback, again as soon as the pull request is done. When you compare this process with how legacy application security gets done, we find that our ShiftLeft way is about six times more efficient for customers.
That is really the future, we have to reduce the operational complexity around ApSec, because that is when both developers and application security teams are going to want to do it. Because if it remains as cumbersome as it is today, for most companies it will be an afterthought, it will be a check in the box.
RR: From your perspective you talk about execution, what do you see are some of the challenges that you’ve faced in the ShiftLeft journey so far?
MG: What we’re doing is hard, trying to understand a piece of software, because software is written in multiple languages, and each language is like English, and so its grammar is different, its syntax is different. So, that is one of the harder parts, is to continue to support additional programming languages, with the level of accuracy that we demand, because we don’t want to compromise on just saying, ‘Hey, we support this language’ but give crappy results to our developers, because that is a sure short way of making sure they don’t use the product. So, that has been the hardest part, and that in turn means hiring the brightest minds who can help address this problem.
I think the two go hand-in-hand, but that is the very nature of a startup, you believe passionately about solving a particular problem, and I like to believe the harder it is, the better it is, because it creates a protective mode around us, so that fewer companies out there can compete with the product solution that we’ve developed. So, today for example, our code analysis is 40 times faster than anyone else. We can scan about a quarter of a million lines of code in 28 seconds, on average. We are about three times more accurate than anyone else, and from a work flow perspective we are integrating this code analysis at the pull request, and saving the operational cost that I talked about. Those are very hard to achieve.
So yes, I’m very proud of the team, and having gotten here.
RR: You guys are based out of Colorado, is that right?
MG: No, we are based out of Santa Clara. Our Headquarters are in Santa Clara, but we have a very distributed team, we have an office in Berlin, and many, many people from around the globe.
RR: Wonderful, so you’re feeling very international.
MG: Yes, already!
RR: Well that’s good embracing the global opportunity, because code is being created everywhere.
MG: Yes indeed. Also I’d like to say that whilst Silicon Valley has been an important hotbed of innovation, we don’t have the monopoly on talent. There are smart engineers everywhere around the world, and through platforms like GitHub for the first time you can create a team that is as international as we are, and yet be able to create a cohesive team that are working together. Five years ago, this really wasn’t as feasible as it is today.
RR: So, that’s helping entrepreneurs like yourself to find the talent, and not necessarily have to pull them all into one location, which is amazing.
RR: What are you most proud of, over your journey so far with ShiftLeft?
MG: The thing that we’re most proud of is the customers that we’ve now got onboard, who are using the platform, and the benefits that they’re seeing. So, as an example, one of the world’s largest airlines came onboard as a customer last week, they have about 20 million lines of code, and they were able to onboard that into our platform in three days, that’s just unheard of. They were using another code analysis solution in the past, and we asked them how long it took them, the usual rule of thumb for that many lines of code, and that many applications is about three months. So, what historically got done in three months, we are now doing in three days.
RR: You’ve virtually got a time-machine for onboarding then!
MG: Yes, yes! Exactly. And I should say, there are at least 40-50 engineers out of that team who are already onboarded into ShiftLeft, they’re creating accounts on their own, they’re shifting their own applications, seeing the results, and so the very discussion that we were having earlier as to how do we insert code analysis into the developer workflow, that is becoming real.
Before you walked into the room there was a customer here, and this is often something that we hear, and in that particular customer’s case the ratio of developers to application security is 400 to 1. One application security for every 400 developers, and that’s the norm. We usually see anywhere between 80 developers to an application, one application security person in the most security-conscious organisations. Then it goes all the way to even 400-500 developers per application security.
RR: That’s a big beat.
MG: Exactly, and so regardless of how we think about this problem, regardless of how good a solution is, if we continue to ask that one application security person to manage, to monitor the work, the development work by 100 developers, it’s an impossible equation. So, we have to find a way to leverage the developers to do code analysis. If we stay with that vision, that goal, then some of the requirements of the product are obvious. It needs to be fast, it needs to be accurate, it needs to be a workflow that developers like to use, and will cause minimum friction for them.
RR: That’s always been the issue with security, is you can be really secure but you can’t actually get anything done.
MG: That’s right.
RR: Because it doesn’t allow you to actually operate in the way that you need to. So from your perspective, obviously this is one of your early accolades, I’m sure there’ll be many more to come, what would you say to others, what would be your view on getting involved with things like this?
MG: To your listeners who are trying to solve the application security challenge, I invite them to try out ShiftLeft. We became, I think, the first company that is now offering this as a self-serve, because again we appealing to developers, and developers usually don’t like to talk to marketing or sales folks. They’re very technical, they’re very hands-on, and so they just want to just try out the product on their own and see if it meets their needs. So, that is now possible, your listeners can go to ShiftLeft.io and just try it out on their own. So that’s the first step.
The second step is, those listeners in your audience who are less part of the organisation, but are developers who want to contribute to the improvement of security, we have various open source projects. We’ve taken the schema, the specification of our intellectual property, the code property graph, and we’ve open sourced, which allows anyone out there who wants to leverage this specification, to convert a programming language to this specification so that they can use our tool, which one of the versions is also open source, to analyse their own code. So, that is meaningful contribution that one could make to the community at large.
RR: I think that’s always a nice thing, I do see a lot of the startup community where they’ll be embracing both. So you’ll have an open source sort of initiative, and people will be very passionate about that, as well as obviously the commercial arm.
MG: Indeed, I think you have to create a balance between the two, yes.
RR: From your perspective as an entrepreneur, what kind of value do you see as being named as a Tech Trailblazer in the security space for the eight edition. We’ve been going for a while, you’ve got some wonderful predecessors, I was talking about ZeroFox and I spoke to Evan Blair yesterday, and other great names, Zscaler and other guys who have gone onto great things. So hopefully over the next couple of years maybe we’ll sit down again and you can talk to me more about the journey so far.
What’s next? Is there anything you can tell us about that’s coming down the pipe? You’ve undoubtedly been talking to the media over RSA, and may well have made some announcements.
MG: Yes, first of all it’s a great-great honour. We are very proud to receive the reward that we have. Like you said, the company that we are in makes us even prouder with companies like ZeroFox and Zscaler. I think the way that you select the winners which is through a polling mechanism, right…?
RR: As well as the judges, yeah.
MG: As do the judges, so that’s very important also for us. And in terms of what’s in the future for us, I think short-term we are very focused now that we’ve developed the platform, to get as many customers onboarded as possible. So, there is a lot of focus now on making the self-serve platform as easy for developers to use, because the key to the success of the strategy lies in developers just trying the product out on their own; providing us feedback when something is not good and can be improved, and using the product when they feel they are satisfied the product meets their needs. So, that’s one.
I think that the next big focus that we have is historically code analysis has been very focused on technical vulnerabilities, whilst they are important, increasingly the hackers are leveraging what are called business logic flaws in the application to exploit them.
RR: Okay, so finding a pathway in that way.
MG: Exactly. Again, I believe we are the only solution that can detect business logic flaws. So that is an area that we’re very focused on, is how do we create more and more use cases where customers can use a product to identify business logic faults. Because today the only way that gets done is either through pen testing at the 11th hour, or through manual code reviews, neither of which really scale. It’s not an either/or, one would probably still need to use pen testing, but more and more business logic flaws that we can identify and detect again at the pull request, the more efficient an organisation becomes, the less expensive security becomes, because as soon as the change has been made by a developer you are highlighting some of the things that could be wrong.
I’ll just give you a couple of examples, because business logic can be a very broad term. One good example is, as customers are rapidly moving into the cloud, developers perhaps sometimes make mistakes and hardcode credentials in the source code, or secrets in the source code. Secrets when leaked inappropriately can cause massive damage to an organisation. So how do we find those? How do we find backdoors in a source code? Some third-party developer, some disgruntled developer writes a backdoor, so then he can log in at a subsequent time in the future and just get root access. Finding those things is not possible with legacy code analysis solutions, and that is what we are also bringing to the table also.
RR: Well, you’ve got to beat them at their own game, right?
MG: Yes, exactly, and we will continue to move the security conversation forward. Some people in the industry discuss how we have DevOps as a culture, as a way of developing and deploying software, but security is being left behind. If we are going to get better at developing software secure, so that inherently we create more trust with our customers, we have to find a way to insert security into this highly-agile DevOps CI/CD, whatever you want to call it, pipeline. That’s what our vision is.
RR: And obviously this is a venture for you in the entrepreneurial world as well, slightly more corporate previously, you’ve gradually moved into the startup world; having done this for a period of time, and obviously making some really great progress, what’s your advice to others who are on this journey.
MG: First of all I’m humbled by the very question, but yes I would say for those of your listeners who are thinking about starting a company, following a passion. Some entrepreneurs approach me and say, ‘I’m wanting to start a company, but I don’t have an idea’, and I think that’s the wrong way of thinking about it. You have to become passionate about a problem that you want to solve, as opposed to how to solve it first. Because once you get passionate about a particular problem that you want to solve, and you spend enough time, you will find either a solution to the entire problem, or a solution to a part of a problem, and once you achieve that, everything else from that point onwards gets easier. You’re committed, you’re not in this for money alone, you’ve identified a problem that you’re very passionate about solving. That will hold you in good stead during both difficult and good times, because that is the very nature of a startup, it’s a seesaw.
RR: Well, rollercoaster I would say, buckle up, enjoy the ride.
RR: Fantastic, thank you so much. Wishing you continued success at the show, and thank you for spending time with and me telling me more about what you’re doing. Hopefully we’ll get to hear more about that over the coming years.
MG: Thank you so much, it’s great to meet you. Thank you for taking the time.
RR: You’re welcome.