Shifting Left Is Now Mainstream for Developers, or Is It? – The New Stack


Security / Software Development / Software Testing




Shifting Left Is Now Mainstream for Developers, or Is It?

It’s much easier to shift left these days than it’s probably ever been, as several vendors — such as GitHub, Snyk and others — offer solutions that help to bake things like code scanning into the development process.


Apr 5th, 2024 7:13am by Darryl K. Taft


Featured image via Unsplash.

The process of shifting left during software development to improve the overall quality and security of systems has been touted for some time, and while it has caught on with many development shops, has it become mainstream?

Shifting left is the process of implementing software and system testing earlier in the development lifecycle — moving this to the left on a project timeline — to check for issues that might lead to vulnerabilities, defects or other problems down the road.

It’s much easier to shift left these days than it’s probably ever been, as several vendors — such as Snyk, GitHub and others — offer solutions that help to bake things like code scanning into the development process. And the advent of AI is helping to make these processes even easier for users.

“Shift left has absolutely become mainstream for developers,” Randall Degges, Snyk’s Head of Developer Relations and Community, told The New Stack. “Developers, DevOps, even engineering managers and non-product employees are assuming more of a security responsibility for a number of reasons.”

These include powerful yet simple-to-use tools that make it possible to catch and fix security issues early, most of which didn’t exist just seven years ago.

Moreover, there is more pressure than ever in the tech sector on efficiency. Companies are trying to get more done with fewer resources, and this impacts every part of the business, especially security, which is being distributed across the organization.

“There’s more widespread security knowledge than ever before,” Degges said. “Fifteen years ago developers didn’t often read a continuous stream of data breach and vulnerability stories while today they’re far more mainstream. Security consciousness is now a core part of engineering, and everyone from junior developers to CTOs is cognizant of security impacts.”

David Vance, an analyst at Enterprise Strategy Group, agreed with this.

“Anecdotally, I think there’s more awareness of a shift left security movement by developers than there ever has been before,” he said. “If you’re a developer today and not aware of secure coding practices, security tools and techniques, you’ve been living under a rock. Has it become mainstream? I’d say so at this point, especially with source and binary code repositories embedding security in by default.”

The Long Arm of GitHub – AI to the Rescue

GitHub, with its enormous reach, has perhaps the best chance to influence a shift to the left by developers. Last month, GitHub introduced a new feature called code scanning autofix, which is available in public beta for all GitHub Advanced Security (GHAS) customers. This is where AI comes into the picture, as this feature is powered by GitHub Copilot and CodeQL, and it aims to help developers reduce the time and effort spent on remediating vulnerabilities in their code.

It leverages the CodeQL engine and a combination of heuristics and GitHub Copilot APIs to generate code suggestions. Code scanning autofix covers more than 90% of alert types in JavaScript, TypeScript, Java, and Python. GitHub plans to add support for more languages, with C# and Go being the next in line.

“Code scanning can be used with first- or third-party alerting tools, including open source and private tools. GitHub provides a first-party alerting tool powered by CodeQL, our semantic code analysis engine, which allows querying of a codebase as though it were data,” wrote Tiferet Gazit, a Staff Machine Learning Engineer at GitHub and AI lead for GitHub Advanced Security, in a blog post. “Our in-house security experts have developed a rich set of queries to detect security vulnerabilities across a host of popular languages and frameworks. Building on top of this detection capability, code scanning autofix takes security a step further, by suggesting AI-generated fixes for alerts.”

Matt Johansen, a prominent security consultant and author at Vulnerable U, called code scanning autofix a step in a powerful direction. “We’ve long talked about shifting left as an industry and that used to mean trying to find vulnerabilities earlier in the development lifecycle,” he said. “But as we’ve matured as an industry what it actually has shown us is shifting left meaning improving the developer experience to include security as default where possible. Not just shifting where you play vulnerability whack-a-mole.”

Code scanning autofix can remediate more than two-thirds of found vulnerabilities with little or no editing. The feature provides a natural language explanation of the suggested fix and a preview of the code suggestion that developers can accept, edit, or dismiss.

The introduction of code scanning autofix aims to help development teams reduce time spent on remediation and lower the volume of everyday vulnerabilities, allowing security teams to focus on business-level priorities, wrote Pierre Tempel, a staff product manager at GitHub, and Eric Tooley, product marketing lead for GitHub Advanced Security, in a blog post. GitHub has published extensive resources and documentation about the system architecture, data flow, and AI policies governing code scanning autofix.

“Microsoft (currently the largest overall security vendor by revenue) has steadily been moving into the application security space after their acquisition of GitHub,” Vance told The New Stack.

GitHub acquired static analysis vendor Semmle in 2019 and since then Microsoft has continued to release new AppSec security capabilities with the intent of reducing friction between developers and security teams by attempting to make application development more secure and less complex to adopt.

“With GitHub Advanced Security, Microsoft/GitHub is taking direct aim at multi-product AppSec vendors such as Synopsys, Veracode, Checkmarx, Contrast and others by incorporating security capabilities into the development ecosystem — meeting developers where they are — in GitHub code repositories, in developers’ IDEs, and in the cloud (Azure DevOps),” Vance said.

In short, Vance argues that GitHub has taken the lead in baking in security early in the software development lifecycle and enabling developers en masse to shift left.

“GitHub is better positioned than anyone to bake security into the default developer experience,” Johansen noted. “All of the best AppSec vendors of the last five years can’t get away without having a GitHub integration for this reason.”

The fact of the matter is that most of the incumbent AppSec vendors have been slow to address serious pain points that customers have today with their products — from expensive complex implementations to painfully slow code scans to massive scan results that are difficult to sift through, Vance noted.

“Code scanning autofix is a form of linting to catch vulnerabilities in source code as developers are coding within a developer’s development environment before security scanning and functional testing — thus why Microsoft is claiming faster security code fix rates,” Vance said.

Essentially, it reduces the need to rely on static and dynamic tools to catch security issues after developers have committed code. And the further left in the development process, the earlier security issues can be caught — thus they will be faster and cheaper to address.

Code scanning autofix currently supports eight compiled and interpreted programming languages, including C/C++, C#, Java/Kotlin, JavaScript and Python.

From a security standpoint, the GitHub product helps developers produce higher-quality code. However, “neither GitHub Advanced Security nor code scanning autofix address code quality issues such as buffer overflows in C/C++ code that traditional static analysis tools, such as Coverity, can catch,” Vance said. “Regardless, I believe both GitHub Advanced Security and code scanning autofix are easier paths for application security versus bolting on additional application security toolsets.”

Meanwhile, Johansen opines on the evolution of the shift left.

General purpose Static Application Security Testing (SAST) scanning has been around forever and is fraught with false positives and false negatives, which have made it hard for all but the best-funded security teams to use, he noted.

Then, “Modern players like CodeQL and Semgrep provide powerful engines for security engineers to find vulnerabilities in code but still struggle with legacy SAST issues,” Johansen said. “With an AI enhancement from GitHub Copilot we could see the usefulness of these tools increase for even teams that generally fall below the security poverty line.”

Yet, “The danger here is that a lot of AI can hallucinate and produce vulnerable code as much as it can find vulnerabilities to fix,” he told The New Stack. “This will continue to get better as LLMs train on better sources and get more accurate and advanced.”

Vulnerability Management

Brinqa, a provider of proactive cybersecurity solutions, this week (April 3) announced new capabilities for its platform to modernize vulnerability management.

Historically, cybersecurity has been more reactive, oriented around a Security Operations Center (SOC) for responding to attacks. However, the majority of breaches stem from the exploitation of known, unpatched vulnerabilities, highlighting the need to proactively address the known security findings across an organization’s attack surface by understanding which ones pose the most risk to the business.

Brinqa’s new features aim to accelerate the implementation of a Risk Operations Center (ROC), a new approach to vulnerability management that enables organizations to proactively reduce threat exposures across cloud, infrastructure, and application security programs. The Brinqa Platform’s Cyber Risk Graph unifies security findings with business and threat data, allowing organizations to consistently prioritize, remediate, and report on risk.

While not exactly a tool for shift-left testing of its own, “Together with Brinqa, customers have modernized their vulnerability management programs,” said Amad Fida, CEO of Brinqa, in a statement. “We want future customers to mature their vulnerability management function as fast as possible, and our new capabilities will help them catch up to today’s best practices.”

Software Composition Analysis

Meanwhile, GitGuardian, a provider of automated secrets detection and remediation, recently released its Software Composition Analysis (SCA) module. The SCA module aims to enhance organizations’ security posture by automating vulnerability detection, prioritization, and remediation in software dependencies throughout the entire software development lifecycle.

GitGuardian extends SCA capabilities to its command-line interface (CLI) tool ggshield, supporting shift-left practices and reducing organizations’ attack surface. The company’s product suite integrates various security tools, addressing the gap between frequent code releases and continuous code auditing.

GitGuardian SCA offers automated context-based vulnerability prioritization and actionable remediation guidance, specifically designed for fast-paced DevSecOps environments, the company said.

The module enables security engineers to identify applications with unsafe dependencies, prioritize incidents by severity and prompt developers to fix them.

“If one of your buried dependencies becomes vulnerable, the blast radius could be gigantic,” said Eric Fourrier, CEO of GitGuardian, in a statement. “With an average of more than 500 direct and transitive dependencies per code project, it’s crucial to have a proactive strategy. You should shift left and consider implementing monitoring of your entire software supply chain. GitGuardian SCA offers automated context-based vulnerability prioritization and actionable remediation guidance. Without efficient tooling, your team will waste valuable time on minor issues while critical incidents remain unaddressed.”

New programming languages GitGuardian supports include PHP and Rust. But the company is not stopping there. “Next on the roadmap is detecting malicious dependencies to prevent dependency confusion and typosquatting. That’s what happened when the Python package ‘ctx’ was hijacked to steal AWS keys. And we’re working on more dimensions to prioritize remediation, for instance, the likelihood of vulnerabilities being exploited,” Fourrier added.
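As an added illustration of the dependency triage this section describes (this is example code written for this page, not GitGuardian’s code and not a description of how its SCA module works internally), the Python below walks a constructed dependency graph, matches it against a constructed advisory list, ranks each finding by severity, by whether the package is a direct or transitive dependency, and by whether the flaw is known to be exploited, and finally applies a simple name-similarity heuristic of the kind a typosquatting check might use. Every package name, version and advisory here is constructed sample data, and the scoring weights and similarity threshold are assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample of a resolved dependency graph (not a real lockfile):
# package name -> (installed version, packages that require it).
# An empty requirer list means the application depends on it directly.
DEPENDENCY_GRAPH = {
    "requests": ("2.25.0", []),
    "urllib3": ("1.26.4", ["requests"]),
    "idna": ("2.10", ["requests"]),
    "pyyaml": ("5.3.1", []),
    "reqeusts": ("0.0.1", []),  # constructed lookalike of "requests"
}

# Constructed advisory feed (sample data, not real advisories):
# (package, first fixed version, severity, known to be exploited?)
ADVISORIES = [
    ("urllib3", "1.26.5", "HIGH", True),
    ("pyyaml", "5.4", "CRITICAL", False),
    ("idna", "3.7", "MEDIUM", False),
]

# Names a project is expected to depend on; in practice this would be a
# curated allow-list or the most-downloaded packages of the ecosystem.
WELL_KNOWN = ["requests", "urllib3", "idna", "pyyaml", "flask", "numpy"]

# Assumed scoring weights used for prioritisation.
SEVERITY_SCORE = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Finding:
    package: str
    installed: str
    fixed_in: str
    severity: str
    direct: bool
    exploited: bool

    def priority(self) -> int:
        # Severity dominates. A known-exploited flaw is bumped because the
        # likelihood of exploitation matters, and a direct dependency is
        # bumped because the project owns the pin and can fix it at once.
        score = SEVERITY_SCORE[self.severity] * 10
        if self.exploited:
            score += 5
        if self.direct:
            score += 2
        return score


def find_vulnerable(graph, advisories) -> list:
    """Match installed packages against advisories, highest priority first."""
    findings = []
    for package, fixed_in, severity, exploited in advisories:
        if package not in graph:
            continue
        installed, requirers = graph[package]
        if parse_version(installed) < parse_version(fixed_in):
            findings.append(Finding(package, installed, fixed_in, severity,
                                    direct=not requirers, exploited=exploited))
    return sorted(findings, key=Finding.priority, reverse=True)


def lookalikes(graph, well_known, threshold: float = 0.85) -> list:
    """Flag dependency names that nearly match a well-known package name."""
    suspects = []
    for name in graph:
        if name in well_known:
            continue
        for known in well_known:
            if SequenceMatcher(None, name, known).ratio() >= threshold:
                suspects.append((name, known))
    return suspects


if __name__ == "__main__":
    for f in find_vulnerable(DEPENDENCY_GRAPH, ADVISORIES):
        kind = "direct" if f.direct else "transitive"
        print(f"[{f.priority():>2}] {f.package} {f.installed} ({kind}, "
              f"{f.severity}, fixed in {f.fixed_in})")
    for name, known in lookalikes(DEPENDENCY_GRAPH, WELL_KNOWN):
        print(f"[??] {name!r} resembles {known!r}: verify before trusting")
```

On the sample data the critical pyyaml finding ranks first even though it is not known to be exploited, the exploited urllib3 issue second, and the medium idna issue last; the lookalike check flags only the constructed “reqeusts” entry. A real SCA pass would read an actual lockfile and advisory database, but the prioritisation dimensions (severity, reachability through direct versus transitive dependencies, and exploit likelihood) are the same ones the section names.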

Steady Mobbin’ with Hybrid AI

Earlier this year, Mobb released an automatic vulnerability fixer for code repositories that embeds security into developers’ workflows. Mobb’s automatic vulnerability fixer allows developers to proactively secure their code as they commit changes within their native software development workflows and tools.

“Mobb.ai’s solution integrates with static analysis tools and GitHub to automatically fix vulnerabilities in the code, generating a pull request with the fix for developers,” Eitan Worcel, CEO and founder of Mobb, told The New Stack.

He said the company uses a hybrid AI approach, combining deterministic algorithms with AI to generate accurate and reliable code fixes, rather than relying solely on AI.

Mobb’s technology combines proprietary research and traditional semantic analysis with GenAI capabilities, ensuring accurate and trusted code fixes without code ownership concerns.

Mobb.ai currently supports Java, Node.js, and .NET, with plans to expand to more languages. They also integrate with four leading security scanners: Checkmarx, Snyk, Veracode, and GitHub CodeQL.

Worcel said Mobb.ai differentiates itself from competitors like GitHub and other startups by being scanner-agnostic and using a hybrid AI approach for more accurate fixes.

The fixer provides precise and actionable code fixes for security alerts and fits into development workflows on platforms like GitHub, GitLab, Azure DevOps, or Jenkins. And by embedding automatic fixes directly into development workflows, Mobb helps organizations prevent vulnerabilities from accumulating in the security backlog.

Mobb.ai’s goal is to become a platform that fixes security vulnerabilities across various technologies, such as Docker and Infrastructure as Code, within a year, Worcel told The New Stack.

Moreover, he anticipates greater competition from the likes of GitHub and other startups but believes Mobb.ai has a strong position due to its early entry and partnerships with security vendors.

It’s obvious that Worcel and his team have watched a lot of organized crime films. The company name is associated with “the mob” and the product, the fixer, is named after what the mob calls a hitman. “Remember Winston ‘The Wolf’ Wolfe in Pulp Fiction? He was a fixer — somebody you bring in to do the messy jobs,” Worcel said. “That’s what our fixer does.”

Meanwhile, Bugsy is a CLI tool that provides automatic security vulnerability remediation for your code. It is the community edition of Mobb. Worcel named the tool after famed mobster Bugsy Siegel.


TNS owner Insight Partners is an investor in: Brinqa, Checkmarx, Docker.
