About this session
Are you tired of seeing the same types of bugs surface again and again at your company? Do you ever shed tears of weariness or despair at the deluge of false positives your security tools continue sending your way?
Don’t worry, there’s another way! There’s a new approach that many forward-thinking AppSec teams are embracing, including Microsoft, Facebook, Google, Netflix, Dropbox, and more.
These companies are abandoning the Sisyphean task of trying to find every bug, and are instead embracing secure defaults: services, libraries, and frameworks that developers can use that prevent entire vulnerability classes from ever occurring in the first place.
In this talk, we’ll present Semgrep, an open source, lightweight static analysis tool that, when combined with secure defaults, can effectively scale your company’s security by eliminating vulnerability classes.
Key Semgrep features:
- Fast - scans code in minutes, not hours or days.
- Does not require the source code you’re scanning to be buildable.
- Comes out of the box with over 1,000 rules, and supports languages including Python, Java, Golang, JavaScript, TypeScript, Ruby, PHP, C, and more.
- Most importantly, Semgrep makes it easy to write custom rules, no fancy DSL required. This empowers AppSec engineers and developers to detect and block company-specific security bugs and anti-patterns as well as enforce best practices.
We’ll demo how to easily write custom Semgrep rules tailored to your specific code base, and how to get continuous security coverage in CI in just a few minutes.
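As an added illustration of the "custom rules plus secure defaults" idea (this is example material written for this page, not a rule file from the talk or from the Semgrep project), the following rules file shows the two shapes such rules usually take. The first flags a dangerous call and uses Semgrep's autofix to rewrite it to the library's secure default; the second enforces a best practice by banning a whole anti-pattern family. The rule ids, messages, and the sample target code in the comments are constructed for this example; `yaml.safe_load`, `yaml.SafeLoader`, and the `subprocess`/`os.system` calls are the real PyYAML and standard-library APIs.

```yaml
# secure-defaults.yml (constructed example rules; not from the original page)
#
# Target code these rules would match or ignore, kept here as a comment so the
# file is self-describing:
#
#   import yaml, subprocess, os
#   cfg = yaml.load(open("cfg.yml"))                       # rule 1: match, autofix
#   cfg = yaml.load(open("cfg.yml"), Loader=yaml.SafeLoader)  # rule 1: no match
#   cfg = yaml.safe_load(open("cfg.yml"))                  # rule 1: no match
#   subprocess.run(cmd, shell=True)                        # rule 2: match
#   os.system(cmd)                                         # rule 2: match
#   subprocess.run(["ls", "-l"])                           # rule 2: no match
#
# Run with:   semgrep --config secure-defaults.yml .
# Autofix:    semgrep --config secure-defaults.yml --autofix .
rules:
  # Rule 1: route developers to the secure default instead of just reporting
  # the bug. Unsafe yaml.load() can instantiate arbitrary Python objects from
  # untrusted input; yaml.safe_load() is the drop-in secure default.
  - id: use-yaml-safe-load
    languages: [python]
    severity: ERROR
    message: >-
      yaml.load() without yaml.SafeLoader deserializes arbitrary objects.
      Use the secure default yaml.safe_load() instead.
    patterns:
      # Match any yaml.load(...) whose first argument we capture as $DATA.
      - pattern: yaml.load($DATA, ...)
      # ...but not calls that already opt in to the safe loader.
      - pattern-not: yaml.load($DATA, ..., Loader=yaml.SafeLoader, ...)
      - pattern-not: yaml.load($DATA, yaml.SafeLoader)
    # Autofix rewrites the finding to the secure default, keeping the argument.
    fix: yaml.safe_load($DATA)
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"

  # Rule 2: enforce a best practice across a whole family of calls.
  # $FUNC matches any subprocess function (run, call, Popen, ...), so the
  # rule does not need one line per API.
  - id: no-shell-command-execution
    languages: [python]
    severity: WARNING
    message: >-
      Shell command execution with shell=True or os.system() makes command
      injection easy. Pass an argument list to subprocess without shell=True.
    pattern-either:
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      - pattern: os.system(...)
    metadata:
      category: security
      cwe: "CWE-78: OS Command Injection"
```

The key design choice is the `fix:` line in the first rule: once a team has decided on a secure default, the rule should hand developers that default rather than a description of the problem. The `pattern-not` clauses are what keep the false-positive rate down, since code that already uses the safe loader never surfaces. In CI, `semgrep --config secure-defaults.yml --error` exits non-zero when any finding at the configured severity remains, which is what turns these rules into a blocking check rather than a report.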
This workshop will be interactive! We’ll write some Semgrep rules live together and share challenges for attendees to solve.