How Salesforce Secures Its Open Source Pipeline With Snyk Scanning

Highlights

  • Automated open source software review process
  • Integrated security scanning with internal task tracking platform
  • Reduced bottleneck for handling over 20 review requests each month
  • Improved security for its open source software with Snyk scanning
  • Eliminated at least 150 hours of manual work per year

The Challenge: Automating a slow OSS security review process

Salesforce is a global software company that has developed the world’s leading customer relationship management (CRM) platform. The platform allows companies to unite their marketing, sales, commerce, services, and IT data to create a 360-degree view of their customers. Salesforce also builds enterprise applications for marketing automation, analytics, application development, and more.

As an innovative software company, Salesforce believes in giving back to the community in the form of open source software (OSS). Whenever an employee or team wants to open source their work, however, they need to submit an OSS request that goes through reviews for security, legal, and many other requirements. With around twenty OSS requests each month, this manual process for reviewing static analysis reports and remediating the findings was creating a bottleneck for releasing their OSS.

“As you know, manual reviews are time-consuming,” stated Amol Deshpande, Product Security Engineer at Salesforce. “Security engineers have multiple responsibilities, and it becomes really difficult to perform numerous reviews each month, especially if the requests are time-constrained. We thought we could automate this process to potentially save some time for the engineers.”

The Solution: Implementing plug-and-play security scanning

When looking to streamline their OSS security review process, Salesforce decided to create a plug-and-play security framework that leverages Snyk to perform security scanning and automatically gather the results. Each review request creates a ticket within their internal task tracking platform, which gets picked up by a webhook and added to a queue in RabbitMQ.

The framework then pulls jobs from this queue and, through Snyk’s robust API, scans the attached code repositories for vulnerabilities and submits reports of the findings back to the original ticket. The scanning results are available to engineers directly within the tickets, without their needing to work with any security scanning tools themselves. That means security engineers can immediately review the findings reports to approve requests or remediate any issues in a matter of minutes.

“Whenever an engineer comes in, they already have the vulnerability reports attached to the ticket,” explained Deshpande. “So they can look at the report and approve the request or work with the engineering teams to fix the findings. This saves a lot of time for the engineers because they don’t have to spend time running the scans or understanding how to use the security tools.”
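The ticket-to-queue-to-scan flow described above, simulated end to end as an added example that is not Salesforce’s framework or Snyk’s API. Assumptions: an in-process queue.Queue stands in for RabbitMQ, a constructed finding list stands in for real Snyk scan output, tickets are plain dicts, and the triage step applies the auto-approve-on-no-findings rule the article mentions as a future plan.

```python
import json
import queue
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # worst first

def webhook_received(event: dict, q: queue.Queue) -> bool:
    """Webhook handler: accept only OSS review events and enqueue a scan job."""
    if event.get("type") != "oss_review_requested":
        return False  # ignore unrelated ticket events
    q.put({"ticket_id": event["ticket_id"], "repo_url": event["repo_url"]})
    return True

def summarize(findings: list) -> dict:
    """Sort findings by severity and count them, so the report leads with the worst."""
    ordered = sorted(findings, key=lambda f: SEVERITY_ORDER.get(f["severity"], 9))
    counts = {}
    for f in ordered:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return {"total": len(ordered), "by_severity": counts, "findings": ordered}

def triage(report: dict) -> str:
    """No findings -> eligible for auto-approval; otherwise a security engineer reviews."""
    return "auto-approve" if report["total"] == 0 else "needs-review"

def worker(q: queue.Queue, tickets: dict, scan) -> list:
    """Drain the queue: scan each repo, attach the JSON report, update the ticket status."""
    done = []
    while not q.empty():
        job = q.get()
        ticket = tickets[job["ticket_id"]]
        report = summarize(scan(job["repo_url"]))  # scan() stands in for the Snyk API call
        ticket["attachments"].append(json.dumps(report, indent=2))
        ticket["status"] = triage(report)
        done.append(job["ticket_id"])
    return done

# Constructed sample scan output keyed by repo URL (not real Snyk results).
SAMPLE_SCANS = {
    "https://example.invalid/team-a/lib": [
        {"id": "FINDING-1", "severity": "low", "package": "pkg-a"},
        {"id": "FINDING-2", "severity": "high", "package": "pkg-b"}],
    "https://example.invalid/team-b/tool": []}

def run_demo() -> dict:
    q, tickets = queue.Queue(), {}
    for tid, url in (("T-1", "https://example.invalid/team-a/lib"),
                     ("T-2", "https://example.invalid/team-b/tool")):
        tickets[tid] = {"repo_url": url, "attachments": [], "status": "open"}
        webhook_received({"type": "oss_review_requested", "ticket_id": tid, "repo_url": url}, q)
    worker(q, tickets, lambda url: SAMPLE_SCANS[url])
    return tickets
```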

Snyk Open Source Security Scanning

When open sourcing software, security scanning is essential to reduce risk to the organization itself. That’s because malicious actors can review the publicly available code to stage attacks on proprietary applications that rely on the OSS. Widely used OSS like Apache Struts, Tomcat, and OpenSSL have already had serious vulnerabilities exploited, and the number of OSS vulnerabilities continues to grow. Salesforce didn’t want to risk its own reputation or open itself up as a target by releasing OSS containing vulnerabilities.

“Open source software is one of the most prominent attack vectors because when a vulnerability is found in an OSS component, all the applications and software using the component are also at risk,” explained Deshpande. “In fact, OSS vulnerabilities have doubled in 2019 compared to the previous year, so the threat is always increasing.”

Snyk’s Open Source Security Management solution helps organizations manage this security risk by detecting vulnerabilities both in the open source code they incorporate and in the code they plan to open source to the community. Snyk provides actionable guidance to remediate any security issues discovered, and it helps developers save time when fixing issues by prioritizing them by severity and potential impact. Salesforce can now use Snyk’s scanning results not only to reduce its internal exposure to security threats, but also to ensure the general public can confidently use its OSS components.

“I’m an advocate for automation and shifting left,” Deshpande said, “and I think Snyk is one of the most important tools to scale the security effort across an organization. In the future, we hope to expand our implementation with auto-approving requests when reports have no findings and by scaling our new scanning framework, powered by Snyk, across the organization to unify our security methodology going forward.”

The Impact: Saving hundreds of hours of manual effort

With its new Snyk-powered security scanning framework, Salesforce’s product security team no longer needs to manually review OSS requests. In the past, each request could take hours to complete, but Snyk scanning results are now automatically published to any review request tickets. Security engineers, therefore, can now refocus nearly 150 hours of their time towards other high-impact security projects. That means Salesforce can release its OSS much faster than before without compromising on security.