The standard safety mannequin is commonly reactive—reviewing functions after they’re constructed. Whereas efficient at catching points, it typically slows engineering and struggles to maintain up with the tempo of innovation. Safe-by-default certification is a safety assurance framework that shifts safety earlier within the lifecycle.As a substitute of auditing particular person functions after the actual fact, this program proactively pre-certifies foundational, reusable engineering templates and modules. This basic shift eliminates total courses of safety defects earlier than a developer even writes a line of code—dramatically lowering friction between safety and engineering.
At Salesforce, this shift to secure-by-default certification is a vital and rising a part of how we’re evolving our safety growth practices, with adoption increasing over time throughout frequent engineering foundations. Over the previous three years, implementing secure-by-default certification at scale has prevented practically 300,000 safety defects launched by generally used infrastructure templates, helped groups keep away from over 690,000 safety dangers, and saved an estimated two million developer hours by eliminating the necessity for repeated, handbook safety rework. Whereas Salesforce continues to broaden its use of secure-by-default certification, these outcomes mirror the compounding affect of making use of this precept into shared infrastructure.
This text shares sensible classes, challenges, and key takeaways from constructing and implementing secure-by-default certification at scale. The intent is to share actionable steering for safety professionals to maneuver safety choices earlier into design and implementation, scale back avoidable defects, and make safety simpler to undertake as a part of on a regular basis engineering workflows.
The Evergreen Safety Problem: Integrating Safety With out Slowing Improvement
In as we speak’s fast-moving software program growth environments, organizations are below fixed strain to ship options rapidly—typically on the expense of safety. Regardless of elevated funding in safety instruments and consciousness applications, many vulnerabilities are nonetheless recognized late within the software program growth lifecycle (SDLC). This delay not solely will increase the price and complexity of remediation but additionally exposes techniques to potential dangers within the interim.
To handle these challenges, organizations have invested in shifting safety left—bringing safety checks earlier within the growth lifecycle. This contains introducing automated code scanning throughout growth (i.e., as code is written within the IDE) and in CI/CD pipelines throughout construct and deploy phases. These scans can problem warnings or block builds when misconfigurations or insecure patterns are detected. Some groups consult with the extra assertive types of these checks—those who actively forestall deployments or implement remediation—as safety guardrails.
Whereas IDE linters and safety plugins supply early warnings, their non-blocking nature typically results in builders addressing safety considerations solely when enforced later within the CI/CD pipeline by safety guardrails. This late-stage intervention causes friction and delays because of the want for reactive fixes or architectural modifications. Consequently, builders should revisit seemingly accomplished code. As is well-known, the later a defect is caught within the SDLC, the dearer and disruptive it’s to repair.
Moreover, code or useful resource scanning—whereas efficient—has limitations. Their detection logic is certain by the capabilities of the scanning instruments and the scope of guidelines outlined. They typically miss points tied to enterprise logic, contextual choices, or architecture-level dangers. On this setting, “shifting left” nonetheless doesn’t at all times imply “shifting early sufficient.”
Most coding defects are discovered after the coding section, which will increase the price to repair.
Safe-by-default Templates: Much less Rework for Builders, Extra Confidence for Safety
The core problem lies in integrating safety with out compromising growth velocity. To handle this, the secure-by-default certification focuses on proactive integration of safety into reusable code templates—an more and more frequent growth apply in giant organizations. These reusable code parts, typically owned by Developer Productiveness groups, function foundational constructing blocks—from Infrastructure-as-Code (IaC) modules to full-stack utility frameworks. As a result of they’re extensively adopted throughout groups, they current a strong alternative for safety groups to scale their affect.
The secure-by-default certification course of embeds not simply baseline safety controls, but additionally company-specific insurance policies and proactive safety enhancements—far past what code scanning instruments or CI/CD guardrails sometimes implement. For instance, whereas guardrails may detect that secrets and techniques want rotation, a secure-by-default licensed template can automate that rotation totally. Equally, the place scanning instruments might flag the necessity for log storage, a secure-by-default licensed template can go additional by configuring automated log forwarding to the corporate SIEM. These built-in safeguards scale back the operational burden on builders, resulting in sooner launch cycles whereas strengthening safety by default.
By certifying these reusable templates, safety shifts left into the design section, lowering the variety of defects launched throughout coding. Builders profit from safe foundations with out having to decipher or manually combine complicated safety necessities. In return, safety reviewers spend much less time chasing gaps in implementations—particularly once they know the muse is already licensed. Some organizations might even undertake fast-track evaluations for functions constructed on secure-by-default licensed parts.
Reusable templates and safety reference architectures (SRAs) complement one another: SRAs supply safe high-level design patterns, whereas templates carry them to life by pre-hardened, production-ready code. Used collectively, they allow scalable, secure-by-default growth throughout the group.
And importantly, measuring affect turns into easy—simply observe template adoption to see how typically your licensed, safe constructing blocks are getting used throughout the corporate.
Safe-by-default Certification: 5-Step Framework
STEP 1: Uncover Developer Productiveness Templates
Step one within the secure-by-default certification course of is figuring out reusable code templates managed by developer productiveness groups. These groups typically preserve centralized repositories of shared infrastructure and utility templates to cut back duplication and enhance engineering effectivity.
Throughout this course of, you could discover—as we did at Salesforce—that templates for sure use circumstances don’t but exist. It may be tempting for safety groups to step in and construct them, however listed below are two vital concerns from our expertise. First, sustaining production-grade code templates requires vital engineering effort. Given the restricted variety of safety professionals with software program growth experience, our focus ought to be on scaling safety practices—not proudly owning engineering deliverables. Second, choices about creating reusable templates ought to align with broader firm technique. A template that promotes a non-strategic expertise alternative can create long-term friction, even when it solves a safety downside. Most often, Engineering—not Safety—is finest geared up to make such architectural choices.
STEP 2: Assess Safe-by-default Necessities
As soon as reusable templates are recognized, the subsequent section is to carry out a complete safety evaluation. Safe-by-default necessities ought to mix each business finest practices and company-specific safety insurance policies. Importantly, these necessities should tackle not solely necessary controls but additionally beneficial safety enhancements that elevate the baseline.
Not like customary guardrails, which generally implement minimal compliance, secure-by-default configurations goal for a better bar. For instance, a secure-by-default licensed template may require automated secret rotation quite than leaving it as a handbook developer job. Or it might mandate forwarding cloud logs to a centralized SIEM as a substitute of counting on native log storage.
As a result of safe templates evolve over time, secure-by-default assessments ought to be performed on a recurring foundation. To scale effectively and keep away from useful resource bottlenecks, it’s important to automate these evaluations early—utilizing instruments like customized OPA insurance policies or different automated validation frameworks.
STEP 3: Remediate Safety Findings
Remediating recognized safety necessities is essentially the most time-intensive a part of the secure-by-default certification course of. All code modifications have to be completely examined earlier than being merged into the template repository—in any case, these updates will finally run in manufacturing. Certification is simply full as soon as all safety necessities have been applied and verified.
As you’re employed by these modifications, take into account tagging the code to trace which manufacturing sources are utilizing licensed secure-by-default templates. At Salesforce, this tagging has been essential for sustaining the secure-by-default certification program and served as probably the most impactful metrics we shared with management.
Though remediation may be difficult, it’s additionally a chance. Collaborating with engineering groups on these fixes builds belief and strengthens the connection between Safety and Improvement—positioning Safety as an enabler, not a blocker.
STEP 4: Map Safety Controls to Firm Requirements
Whereas in a roundabout way a part of coding secure-by-default templates, mapping secure-by-default necessities to firm safety requirements offers long-term worth. At Salesforce, we generate secure-by-default metadata in each licensed code repository—JSON recordsdata that hyperlink certification evaluate reviews and explicitly map the default safety controls to the corporate’s safety insurance policies.
This mapping provides two key advantages:
- Developer Productiveness groups can extra simply observe and promote security-certified templates to their shoppers.
- Safety Evaluation groups can automate assessments for functions constructed with licensed templates. secure-by-default licensed templates symbolize a complete set of controls aligned with firm requirements. Whereas many controls are enabled by default, some are left configurable to keep up flexibility. If Safety Evaluation groups may robotically detect overridden elective controls, they might rapidly decide an utility’s compliance standing. This type of metadata-driven proof is a foundational step towards automating design evaluations and compliance assessments.
STEP 5: Preserve Safe-by-default Library and Measure Affect
To advertise adoption, preserve a centralized, simply accessible library of secure-by-default templates. Guarantee excessive visibility by inserting it in places generally utilized by builders and introducing it to key stakeholders, resembling Safety Evaluation groups and Safety Champions.
To measure the effectiveness of your secure-by-default certification program, take into account constructing a metrics dashboard that tracks safe useful resource adoption, vulnerabilities prevented, and developer hours saved. At Salesforce, we use an automatic instrument to estimate the effort and time saved for every licensed template and show these insights in a dashboard for Management. These metrics are primarily based on the belief that addressing safety points or integrating controls manually would require a measurable quantity of developer time. A pattern dashboard is supplied beneath:
Pattern Dashboard for the secure-by-default certification program
Concluding Ideas
As safety engineers, we now have a novel alternative to make safety simpler and extra scalable for builders. Whereas left-shifted instruments like code scanning and CI/CD guardrails assist detect and block misconfigurations earlier, they nonetheless typically require reactive fixes that interrupt developer move. A extra proactive strategy—embedding safety into reusable, secure-by-default templates—can forestall total courses of points earlier than they happen. This reduces misconfigurations, minimizes rework, and saves vital effort and time throughout groups.
Importantly, secure-by-default certification additionally helps exhibit clear return on funding —a problem for a lot of safety initiatives. By monitoring metrics like bugs prevented and developer hours saved, groups can present tangible enterprise worth, gaining higher management buy-in and selling broader adoption.
By integrating safety into the constructing blocks of software program supply, we allow builders to maneuver sooner and extra securely. Safety turns into a pure a part of growth, not a disruption—turning safety right into a pressure multiplier quite than a gate.
