ShiftLeft recently recorded the highest score to date on the OWASP Benchmark. ShiftLeft scored 75%, nearly three times the previous commercial vendor average of 26%, and is the only vendor to identify 100% of the benchmark's vulnerabilities. (The OWASP Benchmark score is the true-positive rate minus the false-positive rate, so a 100% detection rate with a 75% score implies a false-positive rate of roughly 25%.)
This webinar will cover how ShiftLeft's Code Property Graph (CPG) is a fundamentally different approach to static analysis, how it enabled ShiftLeft to break the benchmark record, and what it means for modernizing application security in DevOps and cloud environments.
The CPG is built by semantic graphing: a single multi-layered graph that represents the code at several levels of abstraction (syntax, control flow and data flow, among others) in one structure. In practice this gives the analysis the context to determine what the application fundamentally is, and is not, supposed to do, so deviations can be identified as vulnerabilities.
In particular, this is critical for identifying complex vulnerabilities that depend on a series of conditions spread across the components that make up the application. For example, a third-party SDK may be exploitable through a deserialization attack only when it is used in conjunction with a particular version of a library, and that library may be supplied by the language runtime or by the framework. Only by understanding how the components interact with each other can such vulnerabilities be identified reliably.
Furthermore, the CPG captures abstract information layers rather than merely low-level data flows. Instead of just knowing that code prints data, the CPG also knows the sources, transforms, sinks and protocols involved. Hence a flow in which data read from a database is written unfiltered to an HTTP response is much easier to flag as a cross-site scripting vulnerability (stored XSS in this case, since the tainted data originates in the database; reflected XSS is the analogous flow from an HTTP request parameter).
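To make the source / transform / sink / protocol idea concrete, here is a small added example (it is not ShiftLeft's code and not a real CPG, which is far richer). It models a hypothetical data-flow layer where each node carries a semantic role and a protocol, enumerates every path from a source to a sink, and classifies the flow: a database result reaching an HTTP response without passing through a sanitizer is reported as stored XSS, the same flow from a request parameter as reflected XSS, and a flow that passes through an HTML-escaping node is not reported. The node labels are constructed to look like Java servlet calls and are not taken from any real application.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Dict


# Hypothetical, minimal model of the "semantic layer" described above:
# every node carries a role (source / sanitizer / sink / transform) and,
# where it matters, the protocol it speaks, so a flow can be classified
# rather than merely reported as "data moves from A to B".
# eq=False keeps identity comparison, which is what cycle detection needs.
@dataclass(eq=False)
class Node:
    name: str
    role: str = "transform"            # source | sanitizer | sink | transform
    protocol: Optional[str] = None     # e.g. "sql", "http-request", "http-response"
    succ: List["Node"] = field(default_factory=list)

    def to(self, other: "Node") -> "Node":
        """Add a data-flow edge self -> other and return other (for chaining)."""
        self.succ.append(other)
        return other


def build_sample_graph() -> List[Node]:
    """Constructed example graph (not real application code).

    Three flows share one sink:
      1. SQL result -> string concat -> HTTP response     (stored XSS)
      2. HTTP request parameter -> HTTP response          (reflected XSS)
      3. SQL result -> html escape -> HTTP response       (sanitized, no finding)
    """
    db_row = Node("rs.getString('comment')", "source", "sql")
    param = Node("req.getParameter('q')", "source", "http-request")
    concat = Node("'<p>' + value + '</p>'")                 # plain transform
    escape = Node("htmlEscape(value)", "sanitizer")
    resp = Node("resp.getWriter().write(html)", "sink", "http-response")

    db_row.to(concat).to(resp)
    param.to(resp)
    db_row.to(escape).to(resp)
    return [db_row, param]


def flows_from(source: Node) -> List[List[Node]]:
    """Enumerate every simple path from `source` to any sink node (DFS)."""
    paths: List[List[Node]] = []
    stack = deque([[source]])
    while stack:
        path = stack.pop()
        node = path[-1]
        if node.role == "sink":
            paths.append(path)
            continue
        for nxt in node.succ:
            if nxt not in path:            # identity check: avoid cycles
                stack.append(path + [nxt])
    return paths


def classify(path: List[Node]) -> Dict:
    """Turn one source->sink path into a finding using roles and protocols."""
    source, sink = path[0], path[-1]
    sanitized = any(n.role == "sanitizer" for n in path[1:-1])
    if sanitized:
        verdict = "sanitized"
    elif sink.protocol == "http-response" and source.protocol == "http-request":
        verdict = "reflected-xss"          # attacker input echoed straight back
    elif sink.protocol == "http-response":
        verdict = "stored-xss"             # persisted data (here a SQL result)
    else:
        verdict = "unsanitized-flow"
    return {
        "source": source.name,
        "sink": sink.name,
        "verdict": verdict,
        "path": [n.name for n in path],
    }


def scan(sources: List[Node]) -> List[Dict]:
    """Run the flow enumeration and classification over all sources."""
    return [classify(p) for s in sources for p in flows_from(s)]


if __name__ == "__main__":
    for finding in scan(build_sample_graph()):
        print(finding["verdict"].ljust(14), " -> ".join(finding["path"]))
```

The point of the protocol tags is that the same sink (an HTTP response write) yields different findings depending on where the data came from, and that a sanitizer on the path suppresses the finding; a purely syntactic "does this variable reach a print" check cannot make either distinction.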
This webinar will cover: