Application security is an important and growing area of cybersecurity. The famous Benjamin Franklin quote, “An ounce of prevention is worth a pound of cure,” is applicable. The better we do at prevention—ensuring that developers create secure code in the first place—the less companies will have to invest in the cure—all of the layers of security detection and response required to identify and resolve security issues in hardware and software that is actively in use. ShiftLeft is a company focused on improving and streamlining application security, and today they announced Adam Fletcher, CISO of Blackstone, and Stuart McClure, former founder and CEO of Cylance, as new board members.
The company is aptly named. There is a focus throughout the DevOps and cybersecurity arenas to push cybersecurity efforts earlier in the development process—to shift left in the development cycle. Naming the company ShiftLeft makes it quickly apparent what the focus of the company is and, in a way, ensures that ShiftLeft is part of the conversation when the issue of improving application security comes up.
I spoke with Stuart McClure about his new role on the ShiftLeft board and his thoughts on the application security industry. Stuart and I go way, way back to my earliest days as a cybersecurity expert and writer. I started out my writing career as the Guide for the About.com Internet and Network Security site, and one of my first interviews was with Stuart McClure and the co-authors of Hacking Exposed.
At the time, McClure was still at Foundstone, which was acquired by McAfee in 2004. He left McAfee for a few years to manage cybersecurity at Kaiser Permanente, then eventually returned to become the CTO at McAfee before leaving to found Cylance. He managed to build Cylance into a respected global cybersecurity vendor, which was acquired by BlackBerry in 2019. Stuart stayed on with BlackBerry briefly before embarking on a new journey as a cybersecurity entrepreneur and consultant—helping to guide other cybersecurity vendors to success.
I have stayed in touch with Stuart throughout those many transitions, and we have worked together in various capacities over the years. Now he plans to use his experience and insight to help elevate ShiftLeft.
Disrupting the Application Security Market
“After building the first company dedicated to using Artificial Intelligence to fight against advanced threats, it’s clear that organizations need to focus on stopping vulnerabilities in code before they ever make it out into the real world,” said Stuart McClure in a quote from a ShiftLeft press release announcing the new board members. “CEO Manish Gupta and the entire ShiftLeft team are taking a novel approach to solving this problem while bridging the gap between security teams and developers – without impacting release schedules. I’m excited to join the board and provide guidance on how to scale and grow ShiftLeft into a global company.”
Stuart told me that he first met Manish while they worked alongside each other at McAfee. He was impressed with Manish and his seamless blend of abilities: he can speak tech, but he also lets the customer speak and listens rather than just telling them what they need. When he was approached about joining the board, Stuart jumped at the opportunity to help Manish and ShiftLeft get to the next level.
According to Stuart, most of our problems in cybersecurity relate to poor programming or poor design in some way. He explained that if people could just figure out how to code securely, we could solve the problem—or at least reduce it significantly.
The challenge is to ensure that code review and the process of identifying and resolving security flaws are a seamless part of the development process. He noted that few coders are really all that tech savvy, and that for many organizations application security is still something that is sort of bolted on after the fact. He thinks ShiftLeft can change that.
We talked about the fact that perfect code is an unattainable goal and not something to strive for, practically speaking. He described the balance of application security and endpoint security like a belt and suspenders. Each one does the job to some degree and can be used separately, but you get the best results when you combine them. The problem is that many organizations focus only on the endpoint protection side of the equation and add layer after layer of security, but it is all reactionary and doesn’t even attempt to address the root of the problem. Addressing the application security aspect can greatly improve the endpoint security side and reduce the costs associated with defending against exploits and responding to threats.
The Future of ShiftLeft
Gupta proclaims in the ShiftLeft press release, “2021 is shaping up to be a significant year for ShiftLeft and one filled with significant potential for our team to continue developing solutions that will support common challenges often plaguing today’s developer community. We remain committed to creating innovative solutions to support the common challenges of security and productivity often troubling today’s developers. As such, we are pleased to welcome Stuart and Adam, two seasoned experts to our Board of Directors for their strategic guidance and support.”