{"id":816,"date":"2024-01-23T07:27:00","date_gmt":"2024-01-23T07:27:00","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2024\/01\/23\/the-power-of-ai-strengthening-application-security-by-eliminating-secrets-in-code\/"},"modified":"2024-01-23T07:27:00","modified_gmt":"2024-01-23T07:27:00","slug":"the-power-of-ai-strengthening-application-security-by-eliminating-secrets-in-code","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2024\/01\/23\/the-power-of-ai-strengthening-application-security-by-eliminating-secrets-in-code\/","title":{"rendered":"The Power of AI: Strengthening Application Security by Eliminating Secrets in Code"},"content":{"rendered":"<p><em>By Krishna Pandey and Scott Nyberg.<\/em><\/p>\n<p>In our \u201cEngineering Energizers\u201d Q&amp;A series, we examine the professional journeys that have shaped Salesforce Engineering leaders. Meet Krishna Pandey, Director of Security Engineering at Salesforce. Based in Bangalore, India, his Application Security Technology (AST) team powers Salesforce\u2019s source code security program, charged with using AI to detect and eliminate various types of secrets in code.<\/p>\n<p>Read on to learn how Krishna and his team overcome challenging obstacles to provide application and service owners with comprehensive visibility and timely remediation through context-specific, high-quality, and actionable application security findings.<\/p>\n<h4 class=\"wp-block-heading\">What are secrets in code and how does AST address them?<\/h4>\n<p>Secrets in code are sensitive information that is embedded directly within source code.<\/p>\n<p>AST provides a comprehensive AI-powered Credential Scanning Service (CSS) that integrates seamlessly with development workflows and prioritizes developer experience. 
This enables AST to detect and prevent secrets from entering into source code, enhance triage processes, and streamline the detection and remediation of secrets in code.<\/p>\n<p><em>Krishna shares what keeps him at Salesforce.<\/em><\/p>\n<h4 class=\"wp-block-heading\">What are examples of secrets in code and what are potential consequences if secrets are unaddressed?<\/h4>\n<p>Some examples of secrets that CSS can detect include AWS secret keys, GitHub tokens, customer API keys, and database passwords. If these secrets are unaddressed, they can lead to severe consequences such as exposing sensitive data, compromising proprietary source code, or allowing unauthorized access to customer information.<\/p>\n<p>For instance, AWS secret keys can provide access to the entire AWS account and its resources, potentially exposing a large amount of data. Stolen GitHub tokens may expose a company\u2019s proprietary source code, which is crucial for maintaining a competitive advantage. Customer API keys, if leaked, could grant hackers access to customer data, while database passwords could expose sensitive information like personally identifiable data or personal health information.<\/p>\n<h4 class=\"wp-block-heading\">What are the top challenges your team has faced in eliminating secrets in code?<\/h4>\n<div class=\"wp-block-group is-layout-constrained wp-container-1 wp-block-group-is-layout-constrained\">\n<p>AST encountered two main challenges for eliminating secrets in code:<\/p>\n<p><strong>Attribution<\/strong>: With ~120,000 repositories that were created over long periods of time, combined with issues of deactivated users and users switching teams or projects, attributing ownership of code repositories was challenging. 
In response, AST collaborated with other engineering teams to programmatically update ownership information and establish policies for inactive or archived repositories.<\/p>\n<p><strong>Different SCM types<\/strong>: Onboarding different types of source code management (SCM) systems hosted on different networks with varying levels of trust presented a hurdle. Consequently, AST went through multiple security assessments to expand coverage across different business units, which helped resolve the issue in a secure way.<\/p>\n<\/div>\n<p><em>Krishna describes Salesforce Engineering\u2019s unique culture.<\/em><\/p>\n<h4 class=\"wp-block-heading\">Please walk us through the steps for using AI to detect and remediate secrets in code.<\/h4>\n<p>AST provides a seamless and efficient workflow for detecting, triaging, and remediating secrets in code, enhancing the security of its applications and services.<\/p>\n<p>The entire workflow is automated, removing the need for manual intervention, while empowering AST to seamlessly scale its secret detection and remediation efforts.<\/p>\n<p>As a developer attempts to check in their source code, AST\u2019s CSS \u2014 which is integrated into the development pipeline \u2014 automatically scans the code to detect any potential secrets. The service internally uses repository- or org-specific triage information, ensuring that only valid and relevant secrets are flagged for further action.<\/p>\n<div class=\"wp-block-group is-layout-constrained wp-container-2 wp-block-group-is-layout-constrained\">\n<p>If secrets are found, CSS creates a security bug ticket, applying a severity-based SLA policy to ensure timely remediation. Remediation includes:<\/p>\n<p><strong>Triaging the secret<\/strong>. Developers log into a developer portal for triage to see detected findings from various security tools, find the secret\u2019s coordinates, and assess its validity.<\/p>\n<p><strong>Rotating the secret<\/strong>. Developers rotate the exposed secret, changing the password or key to ensure it cannot be leveraged by malicious actors.<\/p>\n<p><strong>Storing the secret securely<\/strong>. Developers store the secret within Salesforce\u2019s approved secrets management solution to prevent further exposure.<\/p>\n<\/div>\n<h4 class=\"wp-block-heading\">Can you provide insights into AST\u2019s overall progress in eliminating secrets in code?<\/h4>\n<p>Our team has made significant progress in eliminating secrets in code through a phased rollout approach.<\/p>\n<p>AST began by introducing blocking and bugging for high-severity secrets in batches for selected organizations and SCMs. This allowed the team to gradually increase coverage while maintaining a controlled signal-to-noise ratio through pre-triage processes. By ignoring test files, documentation, known patterns, and third-party open-source code, the team ensured that only relevant secrets were flagged. This approach enabled them to detect and remediate potential critical risks in the form of credentials across Salesforce by working closely with a fellow internal team to determine the appropriate severity levels for different secret types and implement remediation strategies.<\/p>\n<p>To ensure a consistent developer experience, AST later implemented features such as de-duplication of results produced by multiple tools. Additionally, the team collaborated with the Security UI team to develop a highly scalable platform and APIs, supporting a large number of concurrent developers.<\/p>\n<p>Most recently, AST improved scan time and availability of its secret scanning service, ensuring that integrated and dependent systems can meet their high availability goals.<\/p>\n<div class=\"wp-block-group is-layout-constrained wp-container-3 wp-block-group-is-layout-constrained\">\n<h4 class=\"wp-block-heading\">Learn more<\/h4>\n<p><a href=\"https:\/\/engineering.salesforce.com\/new-automation-tools-stopping-future-threats-instantly\/\">Read this blog<\/a> to learn how India\u2019s Global Computer Security Incident Response Team uses cutting-edge automation tools for alert response and malicious threat containment.<\/p>\n<p>Stay connected \u2014 join our <a href=\"https:\/\/flows.beamery.com\/salesforce\/eng-social-2023\">Talent Community<\/a>!<\/p>\n<p>Check out our <a href=\"https:\/\/www.salesforce.com\/company\/careers\/teams\/tech-and-product\/?d=cta-tms-tp-2\">Technology and Product<\/a> teams to learn how you can get involved.<\/p>\n<p>Discover the latest best practices for cybersecurity. Check out the <a href=\"https:\/\/security.salesforce.com\/blog\">Salesforce Security Blog<\/a>.<\/p>\n<\/div>\n<p>The post <a href=\"https:\/\/engineering.salesforce.com\/strengthening-application-security-by-eliminating-secrets-in-code\/\">The Power of AI: Strengthening Application Security by Eliminating Secrets in Code<\/a> appeared first on <a href=\"https:\/\/engineering.salesforce.com\/\">Salesforce Engineering Blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>By Krishna Pandey and Scott Nyberg. In our \u201cEngineering Energizers\u201d Q&amp;A series, we examine the professional journeys that have shaped Salesforce Engineering leaders. Meet Krishna Pandey, Director of Security Engineering at Salesforce. Based in Bangalore, India, his Application Security Technology (AST) team powers Salesforce\u2019s source code security program, charged with using AI to detect and&hellip;<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-816","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":""}