2020

1 December

Highlights: Improvements to our Source Code View and the Jira Plugin, information regarding NG SAST’s findings type coverage, and an Ocular update

What’s New

Source Code View Filepath Modifications: NG SAST’s Source Code View allows you to view the source code location where it identified a vulnerability. We’ve added a flag that will enable you to customize the filepaths used by NG SAST. This helps those whose repositories utilize more than one folder structure (e.g., apps that include multiple nested modules).

Updated ShiftLeft Plugin for Jira: We’ve updated the ShiftLeft Plugin for Jira so that it now supports Jira’s next-gen projects in addition to the classic projects.

Finding Types Coverage: One of the questions we get most often is regarding the vulnerability types that NG SAST can identify. To that end, we have published a list of NG SAST’s finding types coverage. This list is a perpetual work-in-progress and subject to change as our security team identifies additional finding types.

Ocular: We’ve released a new version of Ocular that features performance enhancements.

Blog Posts + Podcasts

2 November

Highlights: Reports available via the ShiftLeft Dashboard, premium trials, and inside looks at how ShiftLeft works

What’s New

Reporting: We are pleased to announce the inclusion of reporting features in the ShiftLeft Dashboard for users with a premium trial or a team/enterprise subscription. You can now:

  • Show top-level statistics for one or more apps (e.g., total findings, number of secrets, insights, vulnerabilities, and the number of new, old, and fixed findings, as well as regressions)
  • Show trends charts depicting the growth or decline of findings in apps over time
  • Export PDF or HTML reports of your findings data based on your selected timeline (weekly, monthly, or quarterly)

Premium Trial: For NG SAST users currently on the Free Tier, we have launched a premium trial that allows you to access additional ShiftLeft features. For 15 days, you’ll be able to scan up to 10 apps (even concurrently) and get their results (including dataflow information). You can also access the ShiftLeft API, reporting features, and enterprise-level support.

Blog Posts + Podcasts

Learn from our VP, Products, Alok Shukla, how we reduced our product demo and onboarding timelines from weeks to under five minutes.

Chetan Conikee, our CTO, explains how we crane-lifted Scala onto the Code Property Graph to conduct vulnerability analyses.

Preetam Jinka, our lead engineer, walks us through how we refactored and reimplemented almost all of our back-end and UI while maintaining a live SaaS environment.

30 September

Highlights: combining Java artifacts for analysis, reporting findings to GitHub, and NG SAST performance improvements

What’s New

  • Combining Multiple Java Artifacts for Analysis: When scanning your Java apps, NG SAST now allows you to combine two or more artifacts for code analysis using the --dep flag.

  • Reporting Findings in GitHub: You can now report findings from a specific NG SAST scan directly to the GitHub Pull Request (PR). This allows you to display all of your findings on the relevant PR for easy reference.

  • Performance Improvements: We’ve made a variety of performance improvements to NG SAST so you can expect the findings list to populate 30x faster and the trends chart to populate 12x faster. You can also expect general fixes and improvements to the ShiftLeft UI and API.

15 September

Highlights: Viewing trends across scans, integrating with AWS CodeBuild, admin docs, rearchitecture of Ocular's CPG Query Language, and winning the 2020 SINET 16 Innovator Award

What's New

  • Trends in Findings: We’ve added a new feature to our Dashboard that allows you to compare two scans and track your trends in findings. This feature allows you to get insights like the number of new findings in the later version of the scan, the number of findings common to both scans, the number of regressions (or the reintroduction of corrected issues), and the number of findings that have been corrected between these two scans. Read more about this on the blog.

  • We have launched a new tutorial on how to integrate NG SAST into AWS CodeBuild to enable automated code analysis for applications released via CodeBuild.

  • We have released new docs that include information helpful to administrators regarding user management and API access keys. We cover the differences between ShiftLeft admins and collaborators, as well as the basics of what you can do with various API access keys.

  • We're pleased to announce Ocular release 0.4.1, which introduces a major rearchitecture of the CPG Query Language (CPGQL). This requires a simple migration on your part, and further details on the changes (many of which are under the hood) are available on our docs site.

Blogs & Podcasts

14 August

Highlights: Modifying finding severity, scan comparisons, DevSecOps, NoSQL injection, and a conversation with Vincent Weafer of Capital One

What's New

  • Modifying Finding Severity: You can modify the severity of findings after analysis using custom modification rules. These modification rules match findings and change the severity or CVSS score of the findings

  • Comparing Latest and Last Scans: We’ve made it easier for you to compare the results of the most recent scan against the results of the previous scan. This feature can be included in your build rules or can be used by including its flag with sl check-analysis

Changes and Improvements

Blogs and Podcasts

31 July

Highlights: new developer-centric AppSec workflows, improved GitHub integration, and improvements to NG SAST and Ocular

What's New

  • We have completely overhauled our Dashboard to make it easier to integrate code analysis into your GitHub workflows:

    • You can try out the NextGen Static Analysis (NG SAST) workflow using one of our demo repositories (currently available in seven different languages/platforms, including the recently added Python and Terraform)

    • From the Dashboard, you can easily integrate NG SAST into your applications whose repositories are hosted by GitHub; with just a few clicks, you’ll have added code analysis to your development lifecycle

Changes and Improvements

  • When analyzing a Java application, ShiftLeft automatically checks whether you have the required version of the Java Development Kit (JDK); if not, it downloads the necessary bundle on your behalf

  • In the Dashboard, you can now make comments and track status changes for vulnerabilities; previously, this feature was only available for Secrets and Insights identified by NG SAST

  • We’ve improved the Dashboard’s performance and fixed many bugs in Ocular

Blogs and Podcasts

30 June

Highlights: Python and Terraform support, C# updates, and GitHub integration using GitHub Actions

What's New

  • Python and Terraform support for NG SAST: You can now analyze your Python applications and your Terraform projects/modules for vulnerabilities using NG SAST

Changes and Improvements

  • We’ve updated our support for C# to include C# 8.0 and .NET Core 3.1. We’ve also made performance improvements: when analyzing C# apps you can, on average, expect analysis that is 1.5x faster and uses 75% less memory than our previous version

  • We’ve updated our GitHub tutorial to show you how to use GitHub Actions to integrate NG SAST into your Pull Request (PR) process

Blogs and Podcasts

  • Read our CTO Chetan Conikee’s five-part series on considerations regarding the static analysis of applications written in dynamic languages (notably JavaScript)

  • Listen to Julie Tsai, Head of Information Security at Roblox, share her thoughts on shifting left in cybersecurity and code analysis

29 May

Highlights: TypeScript support, improvements to the Dashboard, running Ocular queries as an overlay creator, and a new Docs site

Changes and Improvements

  • The JavaScript support in both NG SAST and Ocular now covers apps written in TypeScript

  • Each secret and insight identified by NG SAST now displays comment and status change history

  • You can now run an Ocular query as an overlay creator via the run(<query>) API. For example, run(cpg.method.name("handleRequest*").newTagNode("MY_METHOD")) tags every method whose name matches handleRequest* as MY_METHOD; the tag is applied to the selected methods as an overlay

  • You can now write build rules and use sl check-analysis to compare two versions of your code and see the differences in fixed and newly-introduced vulnerabilities

  • We've launched a new documentation site, which includes lots of new content related to Ocular

15 May

Highlights: Improvements to the Dashboard and Ocular + a conversation with Emirates

Changes and Improvements

  • The Dashboard now shows the counts of Secrets and Insights identified in the Apps List and the Version History

  • Ocular CPGs are no longer left in an inconsistent state on disk if you exit without saving the graph

  • Ocular users can now import a small snippet of code into Ocular and plot it using cpg.method.name("main").plotAst. The image viewer then opens to display a plot of the abstract syntax tree (AST)

  • You can configure the image viewer Ocular uses to display your plots via config.tool.imageViewer

Recommended Blog Posts and Podcasts

A conversation with Toufiq Ali, Principal Cybersecurity Engineer at Emirates Group, on the need for integrating security into development pipelines

30 April

Highlights: JavaScript support, identification of Secrets and Insights, APIv4, extending the Ocular schema, plus improvements to Ocular

What's New

  • JavaScript support for NG SAST and Ocular: You can now analyze your JavaScript applications for vulnerabilities using NG SAST and Ocular (which also supports apps using ExpressJS)

  • Secrets and Insights: We've updated NG SAST so that it now identifies security-sensitive functions (Insights; JavaScript only) and hard-coded credentials (Secrets) in your application

  • APIv4: We've released a new version of the API to return the results of individual scans for apps and to export identified insights and secrets

  • Extend the Ocular Schema: Use schema-extender, which ships by default with Ocular, to extend any of the default Code Property Graph schemas

Changes and Improvements

  • We've made the following changes to several key Ocular commands:

    • Deprecated createCpg() in favor of importCode()
    • Deprecated createCpgAndSp() in favor of importCode() followed by run.securityprofile

  • You can add overlays to a Code Property Graph (CPG) using run, which runs the Ocular analyzer on the active CPG (e.g., run.<pass/script/tool>). To see the list of available passes, scripts, and tools, type run. followed by Tab

  • The error messages and logs generated by Ocular are now cleaner and easier to read

  • For LLVM users running Ocular:

    • The new strict mode flag -strict-mode turns all warnings into errors, terminating the process
    • Ocular warns you if debug information or any recommended flags are missing when creating Code Property Graphs from LLVM bitcode

  • We've added mappings for the bcopy and memcpy C/C++ functions for use with policies

Recommended Blog Posts and Podcasts

15 April

Highlights: How to create Jira issues to manage and track vulnerabilities ShiftLeft identifies plus blog posts and podcasts related to ShiftLeft and application security

What's New

  • Jira Plugin for ShiftLeft: The Jira Plugin allows you to use the ShiftLeft Dashboard to create individual tasks in Jira to manage any vulnerabilities identified.

Recommended Blog Posts and Podcasts

March

Highlights: learn how to automate code analysis in your Jenkins build process, and see improvements to the UI (including the new Source Code View) and to Applications List performance

What's New

  • Jenkins Plugin for Ocular: This plugin allows you to automate code analysis during the build process using Ocular. With the plugin, you can set Jenkins to run Ocular as a final build step in a Pipeline project.

  • New Dashboard User Interface: The new ShiftLeft Dashboard features an improved user interface designed to make it easier for you to review application information and to find vulnerabilities of interest.

  • Source Code View: You can configure ShiftLeft to automatically link the vulnerabilities listed in the ShiftLeft Dashboard to the source code where each one is found. This makes it easy for you to locate the origin of a specific vulnerability.

    • New sl CLI Commands: The sl analyze command comes with two new flags for use with the new Source Code View features: --git-remote-name and --no-vcs-metadata.

Improvements

  • We've improved the Applications List performance; organizations with a large number of applications will see faster vulnerability counts and analysis progress.

January and February

Highlights: learn how to integrate ShiftLeft into your GitHub workflow, create custom build rules, see improvements to the Vulnerabilities API, and tell us your thoughts on where we should go with ShiftLeft

What's New

  • PR Workflow: Learn how you can integrate NG SAST directly into your Git workflow so that your code is analyzed whenever you create a new Pull Request

  • Build Rules: We've added support for custom build rules, allowing ShiftLeft to compare the results of its analyses against your build rules to determine if the build should fail or not. You can include your build rules in your app's repository so that you can create custom rules on a per-application basis and keep things updated with version control

  • New sl option: The sl command now comes with the check-analysis option. This allows you to manually trigger a comparison between ShiftLeft's analysis results and the build rules that you can now include with your app

  • Vulnerabilities API: We've updated the Vulnerabilities API and its Dashboard so that you can easily:

    • Filter for vulnerabilities based on the application's branch tag
    • See the application version where a vulnerability was first introduced

  • Ideas Portal: We've opened up the Ideas Portal, where you can request new features for ShiftLeft, see what features others have asked for, and vote on ideas that you like

Bug Fixes

  • We've fixed the Dashboard so that DataFlows information (specifically line numbers, file names, and method names) displays correctly

  • The Dashboard now displays an error if you exceed the 15-minute code analysis timeout for self-serve licenses