This week, I encountered several fascinating application security use cases that showcase how forward-thinking teams are tackling complex challenges. Here’s a breakdown of three standout examples, including how they align with Symbiotic Security’s mission to shift security left by integrating real-time developer training and remediation.
Reddit's application security team has built a self-hosted code security platform to scan and secure their internal repositories. It is triggered on code pushes and also runs scheduled scans. It’s interesting because most security guardrails today are placed in CI pipelines, whereas Reddit takes a different approach, citing challenges such as timeouts during pre-commit checks.
Why it stands out:
• The architecture is scalable: workers and queues process the scan jobs, and a GitHub app installed on every repository launches the security scanner appropriate to that repository.
• It currently supports OSS module and secrets detection, with a roadmap to expand into SAST, license verification, and policy enforcement.
This is a powerful and scalable detection platform. Like Symbiotic’s IDE plugin, this system effectively decentralizes security into the development flow, emphasizing detection and prevention without disrupting velocity. I am very curious to see what their plans are to tackle issues like remediation at scale and proactively limiting security mistakes in production.
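To make the push-triggered, queue-based shape of that architecture concrete, here is an added example that is not Reddit's code: a webhook handler fans a push event out into one job per scanner, workers drain the queue, and the scanner set is chosen from the files present in the repository (secrets detection always runs; OSS dependency scanners run only when the matching manifest exists). The event format, scanner names, manifest mapping and secret patterns are all constructed assumptions for the example.

```python
"""Added example: push-triggered, queue-based scan dispatch with
per-repository scanner selection.  Not Reddit's code; every name and
pattern below is constructed for illustration."""
import queue
import re
from dataclasses import dataclass

# Assumed mapping from manifest file to the OSS dependency scanner that applies.
MANIFEST_SCANNERS = {
    "package.json": "npm-audit",
    "requirements.txt": "pip-audit",
    "go.mod": "govulncheck",
    "pom.xml": "maven-dependency-check",
}

# Constructed secret patterns; a real platform would use a dedicated
# secrets scanner with a much larger, tested rule set.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


@dataclass(frozen=True)
class ScanJob:
    repo: str
    commit: str
    scanner: str


@dataclass(frozen=True)
class Finding:
    repo: str
    scanner: str
    detail: str  # location only; the secret value itself is never copied into a finding


def select_scanners(repo_files: list[str]) -> list[str]:
    """Choose scanners for one repository from the files it contains."""
    scanners = ["secrets"]  # secrets detection is unconditional
    for path in repo_files:
        name = path.rsplit("/", 1)[-1]
        scanner = MANIFEST_SCANNERS.get(name)
        if scanner and scanner not in scanners:
            scanners.append(scanner)
    return scanners


def handle_push_event(event: dict, repo_files: dict[str, list[str]], q: queue.Queue) -> int:
    """Webhook side: enqueue one job per applicable scanner; return the job count."""
    repo = event["repository"]["full_name"]
    commit = event["after"]
    jobs = [ScanJob(repo, commit, s) for s in select_scanners(repo_files[repo])]
    for job in jobs:
        q.put(job)
    return len(jobs)


def run_secrets_scanner(repo: str, files: dict[str, str]) -> list[Finding]:
    """Line-by-line regex scan; reports where a secret is, not what it is."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append(Finding(repo, "secrets", f"{name} at {path}:{lineno}"))
    return findings


def worker(q: queue.Queue, repo_contents: dict[str, dict[str, str]]) -> dict:
    """Worker side: drain the queue and run each job's scanner.

    OSS scanners are external tools in a real deployment; here their
    execution is recorded under "ran" without invoking anything."""
    ran, findings = [], []
    while True:
        try:
            job = q.get_nowait()
        except queue.Empty:
            return {"ran": ran, "findings": findings}
        ran.append(job.scanner)
        if job.scanner == "secrets":
            findings.extend(run_secrets_scanner(job.repo, repo_contents[job.repo]))
        q.task_done()


# Constructed sample repository: a Go service with a committed .env file.
SAMPLE_REPO = "example-org/payments-api"
SAMPLE_FILES = {
    "go.mod": "module example.com/payments\n\ngo 1.21\n",
    "main.go": "package main\n\nfunc main() {}\n",
    "config/.env": "DB_HOST=localhost\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",  # constructed, not a real key
}
SAMPLE_EVENT = {"repository": {"full_name": SAMPLE_REPO}, "after": "0123abcd"}  # constructed commit id


def demo() -> dict:
    q: queue.Queue = queue.Queue()
    enqueued = handle_push_event(SAMPLE_EVENT, {SAMPLE_REPO: list(SAMPLE_FILES)}, q)
    result = worker(q, {SAMPLE_REPO: SAMPLE_FILES})
    result["enqueued"] = enqueued
    return result
```

Selecting scanners from repository contents is what lets one GitHub app serve every repository without running, for instance, npm tooling against a Go service, and keeping the secret value out of the finding avoids re-leaking it into whatever ticketing or chat system the findings land in.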
You can read the full Reddit article here
Chime’s Monocle app educates developers on their code’s security posture by assigning nightly security grades and offering clear improvement steps. They’ve gamified the process by giving developers GitHub badges reflecting their security scores, encouraging them to take pride in their security practices.
Why it stands out:
• Daily, actionable feedback for developers.
• Gamified incentives that turn security into a source of pride.
We at Symbiotic have also gamified security for developers, integrating a points-based system for those who complete just-in-time, CTF-style training after vulnerability detection. In true game fashion, however, they can lose points if they get something wrong or need a hint, a point I’d be interested to know whether Roku explored with their app.
Looking forward, we’re conceptualizing a security posture score per project, with set objectives that increase your score over time. The security posture score is a great concept because it measures two key points:
This combination of training and reward fosters a culture of proactive learning and accountability, ensuring developers gain security expertise while resolving issues.
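As an added illustration of what a nightly grade with actionable steps can look like (not Chime's Monocle code, nor Symbiotic's posture score), the example below scores a project from its open findings, escalates the penalty for findings that have outlived their remediation SLA, and ranks the improvement steps by how many points each fix recovers. The severity weights, SLA windows and grade bands are constructed assumptions.

```python
"""Added example: nightly security grade plus ranked improvement steps.
Weights, SLAs and grade bands are constructed assumptions, not any
product's real scoring model."""
from dataclasses import dataclass
from datetime import date

# Assumed cost in points of one open finding per severity.
SEVERITY_WEIGHT = {"critical": 25, "high": 10, "medium": 4, "low": 1}
# Assumed remediation SLAs in days; a finding past its SLA costs double.
SEVERITY_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Score floor for each letter; anything below the last band is an F.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    opened: date
    fix_hint: str


def finding_penalty(f: Finding, today: date) -> int:
    """Base weight, doubled once the finding is past its SLA."""
    weight = SEVERITY_WEIGHT[f.severity]
    age_days = (today - f.opened).days
    return weight * 2 if age_days > SEVERITY_SLA_DAYS[f.severity] else weight


def posture_score(findings: list[Finding], today: date) -> int:
    return max(0, 100 - sum(finding_penalty(f, today) for f in findings))


def letter_grade(score: int) -> str:
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


def improvement_steps(findings: list[Finding], today: date, limit: int = 3) -> list[str]:
    """Rank fixes by points recovered, so the first step moves the grade most."""
    ranked = sorted(findings, key=lambda f: finding_penalty(f, today), reverse=True)
    return [f"+{finding_penalty(f, today)} pts: {f.fix_hint} ({f.id})" for f in ranked[:limit]]


def nightly_report(repo: str, findings: list[Finding], today: date) -> dict:
    """The record a nightly job would publish (and turn into a badge)."""
    score = posture_score(findings, today)
    grade = letter_grade(score)
    return {
        "repo": repo,
        "score": score,
        "grade": grade,
        "badge": f"security-grade-{grade}",  # assumed badge naming
        "next_steps": improvement_steps(findings, today),
    }


# Constructed sample: one overdue high, one fresh medium, one old-but-in-SLA low.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("F-101", "high", date(2024, 4, 1), "Upgrade the vulnerable JWT library"),
    Finding("F-102", "medium", date(2024, 5, 20), "Add rate limiting to the login endpoint"),
    Finding("F-103", "low", date(2024, 1, 1), "Set HttpOnly on the session cookie"),
]
```

The SLA doubling is what keeps the grade honest over time: a project cannot hold a B by simply leaving a high-severity finding open for months.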
You can read the full Chime article here
At a very insightful BSides talk in San Francisco recently, Lily Chau and Lakshmanan Murthy of Roku’s security team showcased WhizBangLambdaFix, their Lambda-based auto-remediation framework. The system addresses cloud infrastructure vulnerabilities as they arise, eliminating manual remediation steps.
Why it stands out:
Their philosophy mirrors Symbiotic’s in empowering developers to address issues before they even become a problem, with the key difference being that while Roku leverages Lambda, Symbiotic puts an emphasis on shifting (very) left by educating the developer directly in their IDE as they code.
That being said, one approach to infrastructure-as-code security shares the same vision as WhizBangLambdaFix: providing developers with pre-secured infrastructure-as-code templates, and then performing auto-remediation.
At the end of the talk, Lily transparently presented two challenges with their approach:
Symbiotic’s approach is to leverage AI to generate the remediation, but having it in the IDE ensures that developers remain in control, validating and refining the solutions to guarantee accuracy and functionality.
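The example below is added here to show the event-driven remediation flow the Roku talk describes, together with the control point the previous paragraph argues for: a Lambda-style handler computes the fixed configuration for a finding, applies it automatically only where a policy allows, and otherwise emits a proposed change for the owning developer to validate. This is not WhizBangLambdaFix code; the finding event schema, resource models, remediation functions and approval policy are constructed, and "applying" updates an in-memory inventory rather than calling a cloud API.

```python
"""Added example: Lambda-style auto-remediation with an approval policy.
Not Roku's code; event schema, resources and policy are constructed, and
the apply step writes to an in-memory inventory, not a cloud API."""
import copy
from datetime import datetime, timezone

# Assumed policy: environments in which each remediation may be applied
# without a human in the loop.  Everything else becomes a proposal.
AUTO_APPLY = {
    "S3_BUCKET_PUBLIC_ACCESS": {"dev", "staging"},
    "SG_SSH_OPEN_TO_WORLD": {"dev", "staging", "prod"},
}


def remediate_public_bucket(resource: dict) -> dict:
    """Return a copy with public access blocked and the ACL set to private."""
    fixed = copy.deepcopy(resource)
    fixed["block_public_access"] = True
    fixed["acl"] = "private"
    return fixed


def remediate_open_ssh(resource: dict) -> dict:
    """Return a copy without any rule exposing port 22 to 0.0.0.0/0."""
    fixed = copy.deepcopy(resource)
    fixed["ingress"] = [
        rule for rule in fixed["ingress"]
        if not (rule["port"] == 22 and rule["cidr"] == "0.0.0.0/0")
    ]
    return fixed


REMEDIATIONS = {
    "S3_BUCKET_PUBLIC_ACCESS": remediate_public_bucket,
    "SG_SSH_OPEN_TO_WORLD": remediate_open_ssh,
}


def plan_remediation(event: dict) -> dict:
    """Compute the fix and decide whether policy allows applying it unattended."""
    ftype = event["finding_type"]
    remediate = REMEDIATIONS.get(ftype)
    if remediate is None:
        return {"action": "unsupported", "finding_type": ftype}
    before = event["resource"]
    after = remediate(before)
    env = before.get("tags", {}).get("env", "unknown")
    changed = sorted(k for k in after if after[k] != before.get(k))
    return {
        "action": "apply" if env in AUTO_APPLY.get(ftype, set()) else "propose",
        "finding_type": ftype,
        "resource_id": before["id"],
        "changed_fields": changed,  # what the developer reviews on a proposal
        "after": after,
    }


def handle(event: dict, inventory: dict) -> dict:
    """Lambda-style entry point; `inventory` stands in for the cloud API."""
    plan = plan_remediation(event)
    if plan["action"] == "apply":
        inventory[plan["resource_id"]] = plan["after"]
        plan["applied_at"] = datetime.now(timezone.utc).isoformat()
    return plan


# Constructed finding events.
PROD_BUCKET_EVENT = {
    "finding_type": "S3_BUCKET_PUBLIC_ACCESS",
    "resource": {"id": "bucket/prod-exports", "acl": "public-read",
                 "block_public_access": False, "tags": {"env": "prod"}},
}
DEV_SG_EVENT = {
    "finding_type": "SG_SSH_OPEN_TO_WORLD",
    "resource": {"id": "sg-dev-web", "tags": {"env": "dev"},
                 "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                             {"port": 443, "cidr": "0.0.0.0/0"}]},
}
```

Splitting planning from applying is what makes the control point cheap: the same `plan_remediation` output serves as the automatic fix in development and as the reviewable proposal in production, so the remediation logic is exercised identically in both paths.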
You can watch the full talk from Roku here
Many forward-thinking teams are looking to address a similar challenge: keeping security from impacting productivity. These articles are such a great source of insights, especially for an early-stage startup. We really enjoy seeing the different approaches and the different challenges they address. Thanks very much to the authors for sharing their insights.