Scaling Your Security Program with Semgrep

A talk by Clint Gibler
Head of Security Research, r2c


About this talk

Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up.

How can we help empower our engineering counterparts to ship software quickly and securely?

This workshop will be a hands-on masterclass in using Semgrep, an open source, lightweight static analysis tool, to do just that.

Semgrep can be used to manually find bugs and code hotspots, or easily integrated into any CI system to enforce high code quality on every pull request.

Why Semgrep?

  • It’s free and open-source - use it in your environment however you like!
  • It supports 10+ languages, with more constantly being added. Master one tool and use it everywhere in your polyglot environment; there is no need to learn and maintain many language-specific tools.
  • Over 1,000 out-of-the-box, community-written open-source rules covering the OWASP Top 10 and security anti-patterns. There are also performance, correctness, and robustness rules - win over your colleagues in engineering!
  • It’s fast - Semgrep scans large codebases in minutes, not hours or days.
  • Semgrep rules look like the code you’re targeting - target bad code specific to your company in minutes, no need to spend weeks learning a complicated, proprietary DSL.

This workshop will be about 90% live walkthroughs and hands-on lab exercises.

We’ll cover:

  • How to use Semgrep to start getting security coverage of all of your repos continuously in CI in minutes
  • Best practices in rolling out continuous code scanning - what to focus on, what to ignore, and how to maintain good working relationships with development teams
  • How to use this scanning to enforce secure defaults across your org
  • How to write custom Semgrep rules - find anti-patterns and enforce security best practices unique to your organization.
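To illustrate the two points above (rules that look like the code they target, and custom rules that enforce an organization's own secure defaults), here is an added example rule that is not part of the talk or of Semgrep's public rule registry. It flags Python `subprocess` calls that enable the shell with a command that is not a fixed string literal; the sample target lines in the trailing comment are constructed for this example.

```yaml
rules:
  - id: subprocess-shell-true-non-literal-command
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC is called with shell=True and a command that is not a
      string literal, so externally influenced input can reach the shell.
      Pass the command as an argument list without shell=True, or use the
      team's approved wrapper.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    patterns:
      # Any subprocess API call that enables the shell, wherever shell=True
      # sits in the argument list ("..." matches any number of arguments).
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # Restrict $FUNC to the process-spawning functions, not every attribute.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$
      # A fixed string literal ("..." matches any string literal) is not an
      # injection sink, so it is excluded from the finding.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)

# Constructed sample target (test.py) and what the rule reports:
#   subprocess.run("ls -l /var/log", shell=True)          # no finding: literal
#   subprocess.run(["ls", "-l", user_dir])                # no finding: no shell
#   subprocess.run("ls -l " + user_dir, shell=True)       # finding
#   subprocess.Popen("tar xf %s" % upload, shell=True)    # finding
#   subprocess.check_output(cmd, shell=True, text=True)   # finding
# Run with: semgrep --config shell-true.yml test.py
```

The same rule file drops into a CI job unchanged, which is how a single pattern becomes an org-wide default rather than a one-off review comment.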

You’ll leave this workshop with knowledge and skills you can immediately put into practice: for internal security engineers, you’ll have new capabilities for scaling your company’s security. For pen testers and offense-focused security professionals, we’ll up your bug-finding game to a new level.

For more info on this session, please visit the session page for Scaling Your Security Program with Semgrep.

Clint Gibler

Head of Security Research, Speaker, Co-founder of, PhD
