How Tide transitioned to developer-first security with Semgrep

semgrep

10 Nov 202325:40

Summary

TLDRDeani, a senior product security engineer at Tide, discusses her role in integrating security into the software development lifecycle. She emphasizes the importance of a secure SDLC model, empowering developers to 'shift left' and prioritize security from the design phase. Tide focuses on reducing false positives and enabling custom rule creation, which has led to a 100% fix rate for vulnerabilities. Deani also highlights the success of Tide's Security Champions program, which educates and involves developers in creating and managing security rules, fostering a proactive security culture.

Takeaways

😀 Davani is a product security professional with extensive experience in safeguarding web and mobile applications.
🏢 Tide is a leading provider of digital business banking services, offering mobile-first solutions for small and medium-sized businesses.
🔐 Davani's role at Tide focuses on implementing a secure SDLC model, emphasizing a 'shift left' approach to integrate security early in the development process.
🤝 Tide's security team adopts a collaborative approach, aiming to empower developers with security knowledge and tools rather than a punitive model.
🛠️ Tide's security strategy includes the use of various security tools and methodologies, with a specialization in OAS (Open Application Security).
🔍 Tide's team is particularly interested in reducing false positives in security scanning and empowering developers to own and manage security rules.
🛡️ Tide has implemented custom rules with a 100% fix rate, significantly reducing the burden on developers by eliminating false positives.
🤖 The introduction of AI capabilities in security tools like Semgrep has been welcomed by Tide's team for its ability to provide real-time, context-specific advice.
🔑 Tide is keen on integrating new features such as IDE integrations and secret scanning to further enhance security practices and reduce false positives.
🌟 Tide's Security Champions program plays a crucial role in fostering a security-aware culture among developers and promoting the adoption of security best practices.

Q & A

What is Deani's role at Tide?
-Deani is the Senior Product Security Engineer at Tide, focusing on providing a secure Software Development Life Cycle (SDLC) model, empowering developers with security knowledge, and ensuring security is integrated at every step of the development process.
What does Tide provide as a company?
-Tide is a leading provider for digital business banking, offering mobile-first business accounts to small and medium-sized businesses. They provide instant account opening and a range of financial services.
How does Tide align security with its business goals?
-Tide's security team focuses on enabling the 'shift left' principle, integrating security from the design phase through development, and ensuring security is embedded at every step to reduce risks and increase resilience.
Why was reducing false positives a significant concern for Tide?
-Tide aimed to prevent high and critical issues from reaching production. They sought tools that would minimize false positives to avoid blocking developers' work, ensuring a smoother and more efficient development process.
What was the major advantage Tide found with Semgrep's reachability analysis?
-Semgrep's reachability analysis was a major selling point for Tide as it significantly reduced false positives by ensuring that only vulnerabilities in the code that are actually reachable are flagged, thus improving the accuracy of security assessments.
How does Tide involve its engineers in creating custom security rules?
-Tide has a security Champions program where they involve engineers in creating custom rules. They provide education and tools, encouraging developers to take an active role in identifying and addressing security concerns within their code.
What is the significance of Tide's 100% fix rate for custom rules?
-Tide achieved a 100% fix rate for custom rules, indicating that all identified vulnerabilities by these rules were addressed by developers, demonstrating the effectiveness of their security practices and the engagement of their engineering team.
How does Tide plan to scale the creation and management of custom rules?
-Tide plans to scale custom rule creation by continuing to educate and empower their developers through the security Champions program, providing them with the tools and knowledge to manage security rules within their projects.
What are Tide's thoughts on the new AI capabilities in Semgrep?
-Deani expresses enthusiasm for Semgrep's AI capabilities, as it offers real-time assistance and remediation advice, which can help developers understand and resolve security issues more efficiently.
How does Tide view the integration of Semgrep with IDEs?
-Tide sees the integration of Semgrep with IDEs as a valuable 'shift left' approach, allowing developers to address security issues right from the coding phase, which can further streamline the development process.
What is Tide's stance on the recent feature of secret scanning in Semgrep?
-Tide recognizes the importance of secret scanning to prevent the disclosure of sensitive information. They appreciate Semgrep's approach to reducing false positives by focusing on active secrets, which helps developers focus on relevant security issues.