How Tide transitioned to developer-first security with Semgrep

00:01

[Music]

00:06

good morning good afternoon everybody

00:08

thank you for joining us we are very

00:11

lucky to have um uh with us davani from

00:17

tide so deani is a product security

00:20

professional she's been the industry for

00:22

many years hands on experience with

00:25

safeguarding web and mobile applications

00:28

um she studied cyber security as part of

00:31

her

00:32

education uh specializing in

00:34

implementation of robust security

00:36

Frameworks and in her current role at

00:39

tide tide financials which is one of the

00:42

leading uh finex she's been instrumental

00:47

in pushing out security uh into their

00:51

software development life cycle reducing

00:53

the risks um and in general increasing

00:57

the overall resilience um and and she's

01:00

also proficient with a lot of tools from

01:02

a security perspective and methodologies

01:05

with a specialization in OAS so please

01:09

join me in welcoming her with a big

01:11

round of applause you could use the zoom

01:13

reactions if you want or you could do it

01:17

uh yes as well so thank you for uh that

01:21

um uh welcome deani uh thank you for

01:24

your time um just a quick note from a

01:28

from a housekeeping perspective so I

01:31

have a few questions we're going to

01:32

start off with but if you guys have any

01:34

questions which are top of mine feel

01:36

free to put them in the zoom chat feel

01:38

free to put them in the in the slack

01:41

Channel and I'll make sure we kind of

01:43

ask ask those as we go through this

01:45

session as well uh but again thank you

01:47

deani for joining us this morning um

01:50

kind of standard question you know uh

01:52

can you tell us the audience a little

01:55

bit about what tide does um and and and

01:58

your role at tide uh just to get us

02:01

started sure so hi everybody my name is

02:04

deani uh I am the senior product

02:06

security engineer at tide TI is

02:08

basically a leading provider for digital

02:11

business banking uh we are a mobile

02:13

first company where uh we provide

02:16

business accounts to small and

02:17

mediumsized businesses and uh instantly

02:21

like people can open their account and

02:23

you know get a lot of financial services

02:24

in buildt so we are a global company we

02:28

have uh our mark in UK India and we are

02:31

rolling out uh slowly in the new markets

02:34

as well uh apart from that uh my role at

02:38

TI basically whatever is security is my

02:41

role at TI uh we majorly focus on

02:44

providing like secure sdlc model at tide

02:48

making sure that we Empower our

02:50

developers to you know uh shift left and

02:54

making sure that they understand

02:56

security and try to make their decision

02:59

you know more and more secure so

03:01

basically it's more of engineering

03:03

empowerment rather than us you know

03:05

enabling it and making sure that our

03:07

developers understand security they can

03:09

you know constantly reach out to us

03:11

regarding anything and take the security

03:13

decisions on their

03:15

end love that and you know kind of that

03:18

just that whole model and mindset of

03:20

collaboration as opposed to

03:22

confrontation of more carrots and less

03:25

sticks love that and what I have seen

03:27

working with customers is the more you

03:30

take that methodology of collaboration

03:33

the more successful it would be and just

03:35

kind of at a high level you know um I

03:37

always like asking this question we work

03:39

with lots of different customers Fortune

03:41

500s fex

03:44

retail uh from a tide perspective you

03:47

know your team from a security side what

03:50

is the m h how does your team uh align

03:54

or what are the main goals of your team

03:58

in making making tide as is a business

04:01

successful so our team mostly works on

04:04

making things secure basically we want

04:07

to enable this particular principle like

04:10

shift left from the designing phase to

04:13

the development phase to making sure by

04:15

the end of it we are secure in each and

04:17

every step so as I mentioned regarding

04:19

stlc model we will make sure that each

04:20

and every step will have a security in

04:22

place enabling like having different

04:25

sort of risk assessments making sure we

04:27

have the tools embedded like Dash sea

04:30

Dash tools included in the built

04:33

pipelines uh making it aware to our

04:35

Engineers so that they can start using

04:37

those

04:38

tools is teaching them regarding you

04:41

know educating them basically regarding

04:43

all these tools and making sure that

04:45

they understand it they fix the issues

04:48

before it land UPS in production so we

04:50

are more our major principle is

04:52

empowering the engineers with uh

04:55

thinking that we want to shift left

04:58

brilliant no absolutely it's a great

05:00

model of around hey how can we find

05:02

things quicker earlier shift left

05:06

uh now changing a little bit of gars so

05:09

just for context for the audience I

05:11

think tide became a sreb customer around

05:14

10 months back or so beginning of the

05:16

year um I want I would love for you to

05:20

kind of

05:21

share uh a little bit about you know

05:25

when 10 months back when we started

05:26

talking you know what kind of products

05:29

were you looking for uh what were kind

05:31

of some of the key things that you

05:33

wanted in that uh in those products what

05:35

were kind of some of the and we we'll

05:38

unpack that's a loaded question so let's

05:39

get started with you know where you were

05:41

you know what kind of products were you

05:42

looking at

05:43

Etc so as at the back of our mind we'll

05:47

always have this shift lift approach we

05:50

will make sure that each and every

05:52

particular you know process will have a

05:55

security tool embedded and the major

05:57

part when it comes to development of you

06:00

know any of the projects uh we will

06:02

always look into SCA SAS tools now uh

06:05

being like a security driven company as

06:08

well we always make sure that our

06:10

pipelines and you know our whole

06:13

infrastructure is secure uh with the

06:15

code base being like the major uh place

06:19

where it we want to make it more and

06:20

more secure every day so then we looked

06:23

into srep we were also like looking into

06:26

different kind of tools and making sure

06:28

that there are a lot of like uh

06:30

competition regarding SC and SAS tools

06:33

so what we were thinking of like when we

06:37

ever choose a tool we not only choose

06:39

like whether it can give you the best

06:42

approach or not but we also choose it in

06:44

a manner whether our Engineers will be

06:47

able to use it whether it will be

06:49

interesting and you know it will be more

06:51

readable to the engineers whether they

06:53

are able to you know grasp it and just

06:55

make a quick you know fixes uh in uh

06:58

when they are developing the whole thing

07:00

so when it came to sreb the major

07:02

advantages and I think we will get into

07:05

more of it but the major advantages

07:08

which we found out was that it is more

07:10

easier for our developers to get into

07:12

sem grip uh more easier for them to

07:15

focus on the major parts which they need

07:17

to focus on rather than the ones which

07:18

they don't need to focus on and make a

07:21

secure

07:22

product brilliant now absolutely love

07:26

that and I I think it's it's really

07:27

interesting the one one thing that I

07:29

remember even during our engagement back

07:31

then and now

07:33

is security teams are or absc teams are

07:36

maybe 50% of the consumer at maximum

07:39

maybe even lesser so you're actually

07:42

making the decision on behalf of your

07:45

developers uh and keeping that mindset

07:47

and saying hey I'm not just looking for

07:49

something which is easy for me but what

07:51

would make it easy is brilliant so uh

07:53

let's dive deeper into it and I know um

07:56

one of the the the areas that you were

07:59

really interested in was around reducing

08:02

false positives and being able to kind

08:04

of own the rules and being that was a

08:07

gap that you had with some of the

08:09

previous experiences um that tide had

08:12

with vendors and do you want to talk a

08:13

little bit about you know why was that

08:16

an important uh talk a little bit about

08:19

our custom rule capabilities and how how

08:21

tide is using it so uh I'll break it

08:25

down into two different aspects

08:27

basically first is the sca part so uh

08:30

for us uh the major thing is that we

08:32

always want like all the high and

08:35

critical issues not to wind up in

08:37

production so we will make sure that you

08:39

know we are blocking some of the

08:41

pipelines at a point where we see any

08:43

highend critical issues now when we were

08:45

analyzing different tools we were making

08:47

sure that you know what sort of tool our

08:50

Engineers can use which will not give

08:52

them false positive to you know block

08:54

their work because if we start to you

08:57

know use a tool which can block them in

08:59

certain scenarios it becomes very hard

09:01

to you know say that Engineers can use

09:04

that tool and it's easier them for them

09:06

to use it but when we were looking into

09:08

Sam grab the I I think in our previous

09:11

conversations also the major part which

09:13

we wanted was uh making it less and less

09:15

false positive so when you guys come up

09:18

with the feature of reachability

09:19

analysis it was the major selling point

09:22

for us because at that point like we

09:24

reduced I think 80% of the false

09:27

positive capabilities so that was the

09:30

major selling point for us just because

09:32

now we can you know just go to the

09:34

engineer saying that you are not getting

09:36

any false positives it's all which is in

09:38

the code it's reachable in the code you

09:40

only have to deal with the things which

09:42

are in your code rather than you know

09:44

something which is going to uh some

09:47

third party some open source where they

09:49

don't have any control over so that was

09:51

one of the major things for the sea part

09:54

now coming to the SAS part like there

09:56

are a lot of SAS Solutions out there it

09:58

can can be open source it can be other

10:00

things as well but again like we are as

10:04

I mentioned we are more driving towards

10:07

us easily you know uh getting to know

10:10

the tool but it is more for our

10:11

Engineers because they are the people

10:14

who are more you know into that code we

10:17

don't know the code we only know the o o

10:19

overall scenario of what is going on

10:22

okay this is happening this particular

10:24

service is doing this thing but they are

10:26

the daily users of those code and when

10:30

it comes to custom rules it becomes

10:32

easier for us because with the custom

10:34

rules I think we created a lot of our

10:37

own custom rules with the help of

10:38

Engineers with the help of you know them

10:40

taking a stand and creating their custom

10:43

rules and I think whatever we have

10:46

created it has given us a 100% positive

10:48

result like making sure that we have

10:51

like authentication in places in many of

10:53

the services we making sure that you

10:55

know there are there is no bypassing of

10:58

some of the

10:59

levels and everything so those custom

11:02

rules came into the picture at that time

11:04

when you know we we wanted to make sure

11:06

that all our Engineers are understanding

11:09

and uh they are actually creating the

11:11

rules so always making sure that you

11:14

know by the end of this we will not be

11:16

the one who will be creating the rules

11:18

they are the one and for that we have

11:19

like different like we have a security

11:22

Champions program where we you know tell

11:24

them they get the first sight of

11:26

everything basically in our company so

11:28

whatever we are doing they are the

11:30

people who are the first uh like looker

11:32

of whatever the new tool is coming in

11:34

whatever the new features are coming in

11:36

and we will tell them why it is good and

11:39

start to you know explain them and they

11:41

making it uh more and more better for us

11:45

so it is always like these two things

11:48

when it came for Sam grab we were

11:50

choosing Sam grab and these two things

11:52

came into the picture and that was the

11:54

major thing why we choose SRE also

11:57

that's an amazing amazing answer the

11:59

thing I liked about this deani also for

12:01

our audience here is which is very

12:02

technical is it's kind of did in that

12:04

technical thing but lots to unpack there

12:07

so I'm going to maybe start off on the

12:10

uh supply chain side so for the people

12:12

in the audience who are not familiar

12:14

with reachability analysis that's

12:15

something we're going to cover in the

12:17

work virtual in the Hands-On lab but

12:19

essentially what we do there is we will

12:22

actually check if that specific third

12:24

party um or or third party package that

12:28

you're using

12:29

is being used as part of your source

12:31

code

12:35

not and we yeah um so that's on the

12:40

reachability analysis side and that's

12:41

where I think deani said uh 80%

12:44

reduction in false positive that's

12:45

that's actually really really amazing um

12:49

uh the other side that we talked about

12:51

so let's unpack a little bit on the um

12:54

on the security Champions and the custom

12:58

rule writing site deani so um I think

13:02

most of the audience here should be

13:03

familiar with uh the fact that with Sam

13:06

um our rules are very transparent you

13:08

can actually see what's happening but

13:11

what was really interesting for me two

13:13

things that stood out one was a 100% fix

13:16

rate so what that means is if diani or

13:20

if samre shows a uh a vulnerability to a

13:24

developer for these custom rules 100% of

13:27

those get fixed which means

13:29

0% false positives and I think that's an

13:32

amazing one but you know and and can you

13:34

talk a little bit about this security

13:36

Champions program how are you guys

13:39

getting your teams to write this any

13:42

tips and tricks for the teams here cuz I

13:44

think um all of us especially are trying

13:47

to collaborate with our engineers and

13:49

anything that you guys did which really

13:51

helped them grasp of course writing

13:53

rules is easy for us but anything that

13:54

you guys did there that really made that

13:57

successful and getting them to write

13:58

would be I think really useful for the

14:00

team to uh for the audience to listen

14:03

sure so uh mostly at tight what we

14:06

majorly do as a proect team is we we

14:09

will always perform threat modeling

14:10

sessions and the threat modeling

14:12

sessions will always cover the

14:14

developers even the security Champions

14:16

we have given a lot of sessions to them

14:18

as well and when you provide them with

14:21

these insights they will always have

14:23

this thing in mind can I automate

14:25

something can I automate you know making

14:28

sure that these security uh features uh

14:31

you know are enabled and don't end up in

14:34

a bad state so when we started to do

14:37

this and we started to communicate with

14:39

each and every one of them uh we like

14:42

the whole team actually performed a very

14:44

well job in communicating these things

14:46

to you know every owner of every product

14:50

and uh with that this automation thing

14:52

came comes into the picture so uh they

14:55

were more interested in knowing that how

14:57

can we include it in our pipelines and

14:59

how can we you know make our own rules

15:02

uh either it is you know in Java either

15:04

it is in Python either it is in

15:05

terraform or any other language which

15:07

they want to use to make sure that you

15:09

know these uh don't end up because

15:12

sometimes like after the whole process

15:14

when the product is buil they will get a

15:16

vulnerability for on that their name

15:18

saying that oh you have have not done

15:21

this thing or with the security

15:23

Champions people saying that okay why we

15:25

do have this vulnerability can't we you

15:26

know just get rid of it so so when these

15:29

things comes they started to you know

15:32

contact us they started to understand

15:34

like how these custom rules can be

15:36

created and started to build these

15:38

things with us it's not like all the

15:41

engineers are doing it on their own but

15:42

started to build these rules with us

15:44

having a conversation having a

15:46

discussion with us and then ending up in

15:49

a manner that now we are at a state that

15:53

those custom rules which we have created

15:55

have a fixed rate of 100% so people

15:58

people have started to you know grasp

16:00

that knowledge even with the threat

16:01

modeling session we will always tell

16:03

them that you know if you want to

16:04

automate this you can just use Sam GP on

16:07

this one we can let you know how the

16:09

custom rules are created we can do all

16:11

these things so those kind of

16:13

conversations when you put it in their

16:15

mind that something can be automated

16:16

something can be you know made better

16:19

they will always choose that over

16:21

getting you know a vulnerability issue

16:23

on their

16:24

name no absolutely I I love that and

16:27

it's again a couple of key things here

16:29

um I know in the industry there's

16:31

there's a lot of talk now about secure

16:34

defaults so hey how can we just check

16:36

for automate the checks for these secure

16:38

defaults and that's what you guys have

16:40

actually implemented in practice at

16:43

scale across all of Tide so it's it's

16:45

really really brilliant um and the

16:47

second thing is right if you enable your

16:49

developers you know they want to do the

16:51

right thing nobody wants to see

16:52

vulnerable code and uh that's kind of

16:54

the adoption um now I can also hear lots

16:58

of uh teams here saying oh you know I'm

17:00

one absc guy or we have a ratio one is

17:03

to 50 for absc two devs and custom rules

17:07

am I just creating lots of workload for

17:09

myself have I would I be the one who's

17:11

kind of writing these rules how have you

17:14

looked at scaling that out and I know

17:16

there'll be a little bit more work for

17:17

you but have you guys gotten to a point

17:19

where you're getting to a self-service

17:21

through the security Champions can you

17:22

talk a little bit about that just so

17:23

that you know the people can see how

17:25

it's been scaled um across your

17:27

organization um yeah yeah so mostly what

17:31

we do on these instances is when it

17:33

comes to like creating their custom

17:35

rules uh Engineers want to do things

17:38

themselves if we try to you know add

17:41

some things in their pipelines without

17:43

even letting them know it will create a

17:45

little bit of discomfort because it's

17:48

their repo it's their particular you

17:50

know personal project so they love the

17:52

code they are writing so what we do is

17:55

we we have provided them with the samre

17:58

UI we have told them whatever you guys

18:00

want to do you can do in that whatever

18:02

you are trying to achieve with

18:04

automation you can do that with the like

18:07

because I think at TI we are like one to

18:09

70 Engineers as in one app engineer or

18:12

proad engineer for 70 engineers and uh

18:15

we have a security Champion program

18:17

which is like good established we try to

18:19

tell them regarding okay this is good

18:21

and with those people we try to cover

18:24

more and more and more audience so that

18:27

people can understand why it is

18:28

important and it will be their job to

18:31

you know make this automation make sure

18:34

that they are you know uh like tuning it

18:37

down tuning the rules tuning it like in

18:40

a way that they want to do rather than

18:41

us doing it because if we start to do it

18:43

we will do it in a manner that it will

18:45

start to block stuff but they want to

18:47

monitor stuff they want to see like how

18:48

it is working out first and then start

18:51

to you know block the thing so it

18:54

creates like a environment Plus at tide

18:57

we always believe in like security

18:58

education we will always want them to

19:01

educate regarding okay what is s so we

19:03

will have a full communication to the

19:06

whole business regarding okay this is

19:07

the new thing which we are coming up

19:09

with if you have any questions just let

19:11

us know there will be good pages

19:12

regarding you know how this can be done

19:15

how you can automate stuff with your own

19:17

thing how you can create these rules so

19:19

many people reach out to us individually

19:21

asking us like what is this what it is

19:24

about uh with the new features also if

19:26

they see any new features in Sam CP or

19:29

any other tool they will always reach

19:30

out to us saying that how can I enable

19:32

it in our

19:34

system that's brilliant that's brilliant

19:36

I love that I love the concept of hey

19:38

this is not my absc tool you're

19:40

democratizing it for your developers

19:42

because finally in order for tide to get

19:45

benefit from it the developers need to

19:46

use it and I love the collaboration the

19:48

way you kind of you know disseminating

19:50

the knowledge there um talking of new

19:53

features there's a couple of new

19:55

interesting things that semrep has

19:57

launched over the last six months so one

20:00

of them was the AI capabilities which we

20:04

call samre assistant the other one is

20:06

we' introduced lots of different ID

20:08

Integrations for vs code um jetbrains

20:12

products like intellig py Cham

20:14

Etc um where is tied in that Journey are

20:18

you guys and you know maybe personally

20:20

yourself how you're using it as well as

20:22

the adoption with with with some of the

20:25

some of the teams as well yeah so uh uh

20:28

I feel like that grip is fast growing to

20:31

be honest with all these features and uh

20:34

specifically with AI we are very keen to

20:36

get AI integrated it's just that we need

20:38

to you know pass some processes at TI to

20:41

get it integrated but personally because

20:44

I do have a personal you know my it up

20:46

my zreb account as well where I do the

20:49

scans and I love the fact that how AI

20:51

works because it's just like

20:54

communicating getting the answers on the

20:56

go rather than you know us

21:02

sorry about that worri uh rather than

21:05

you know when somebody's raising a PR

21:08

they'll just get like a SRE board saying

21:10

that oh you have done this mistake or

21:11

you have you know got a vulnerable

21:14

function here but people don't

21:16

understand even though like you guys

21:18

give a good description people sometimes

21:20

don't understand like why it is

21:22

vulnerable what will happen with that so

21:25

with the AI enabled assistance you can

21:27

actually you know communicates with

21:29

somebody rather than Googling it

21:31

separately oh how this can work you know

21:33

going through a lot of pages you can

21:35

just talk to AI saying how it can be

21:37

vulnerable uh how can I protect it

21:39

what's the remediation about it and

21:41

people just get the answer on the go

21:43

rather than you know working sitting

21:45

back okay I'll you know Google searches

21:47

maybe next time just because I am in a

21:49

hurry to launch this to production right

21:51

now right so those kind of things I

21:54

guess and I love the feature because it

21:56

gives me good remediation answers on on

21:58

the go and I can again change my code at

22:01

that point raise another PR and that's

22:03

gone so those are major factors which I

22:06

like about it the other thing is uh with

22:09

the new approaches like ID as I

22:12

mentioned our developers are very keen

22:14

to know about new things so I think one

22:17

of the developers at I like reached out

22:19

to me saying that okay srip is an ID how

22:22

should I use it how can I use it so now

22:25

we are like trying to get it embedded in

22:27

the idees asking everybody to how you

22:29

can embed it uh because there are a lot

22:31

of ID so it will again shift left from

22:34

the beginning itself even not in GitHub

22:36

or git lab or bit bucket even in the

22:39

beginning when they are actually

22:40

developing the code they can just get

22:41

these things done right so those are

22:44

kind of things like where Sam grip is

22:46

like winning a lot of Hearts of

22:48

everybody okay and plus uh the third

22:51

thing which came out very recently

22:53

secret scanning and I think uh that is

22:56

something which we need to look at in

22:58

into the future because uh we have seen

23:00

a lot of Secrets being disclosed in

23:03

different different even in open source

23:04

projects there are a lot of Secrets

23:06

which can be disclosed right so uh srep

23:09

is like giving out those things uh

23:12

specifically uh the way like there also

23:15

the major thing is reduction of false

23:17

positive because srep came to this

23:20

approach by making sure that secrets are

23:22

not disclosed in a manner that no they

23:25

are deactivated why because this check

23:28

whether those are active Secrets or not

23:30

so that is the major thing which I think

23:32

srep is winning over any other Tool uh

23:35

right now because that will give

23:38

everyone a time to only work on the

23:41

things which they care about if it is

23:43

deactivated they might not care about it

23:45

they'll just say that it's deactivated

23:47

it's like one year ago something came up

23:49

and now we have rotated everything why

23:51

it is showing us there so it's more and

23:54

more of that Progressive approach where

23:57

you guys are making sure sure that you

23:58

know less false positive less making uh

24:01

Engineers Drive crazy regarding oh I

24:03

don't need to fix this thing I just want

24:05

to make sure that you know I'm fixing

24:07

the things which are important to me so

24:09

I think those are the kind of things

24:11

that srep is winning over and in future

24:13

I am very keen to get these

24:16

integrated brilliant love that love that

24:20

um always very exciting for me to hear

24:24

when a developer comes to appsc and says

24:26

give me more security ity and that kind

24:29

of talks to the the capabilities of the

24:32

product around you know reducing those

24:34

false positives reducing the friction

24:36

enabling those developers and the

24:38

approach deani you and your team uh at

24:40

tide have taken in in that uh

24:44

collaboration um just checking are there

24:47

any questions Raj uh on the chat or

24:51

anything else we might have time for

24:52

maybe one or two questions before we let

24:54

deani go I think we're kind of running a

24:56

little bit behind but uh uh if not we'll

24:59

maybe uh no I don't see any

25:03

questions brilliant no thank you so much

25:05

deani really appreciate your time uh

25:08

please give deani a big round of

25:09

applause uh for joining us um today and

25:13

uh yeah uh you're happy to stay with us

25:17

for the rest of the session if you want

25:19

uh but I'm I think you you'd be able to

25:21

deliver the session then go through it

25:23

so uh but thank you again I really

25:26

appreciate it thanks a lot for inviting

25:29

but yeah thank you so much I have other

25:31

meetings to do so yeah I'll jump off now

25:33

but thank you so much for

25:36

[Music]

25:38

inviting