Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes with Semgrep

A talk by Clint Gibler
Head of Security Research, r2c


About this talk

Are you tired of seeing the same types of bugs surface again and again at your company? Do you ever shed tears of weariness or despair at the deluge of false positives your security tools continue sending your way?

Don’t worry, there’s another way! There’s a new approach that many forward-thinking AppSec teams are embracing, including Microsoft, Facebook, Google, Netflix, Dropbox, and more.

These companies are abandoning the Sisyphean task of trying to find every bug and are instead embracing secure defaults: services, libraries, and frameworks that developers can use and that prevent entire vulnerability classes from ever occurring in the first place.

In this talk, we’ll present Semgrep (https://semgrep.dev), an open source, lightweight static analysis tool that, when combined with secure defaults, can effectively scale your company’s security by eliminating vulnerability classes.

Key Semgrep features:

  • Fast - scans code in minutes, not hours or days.
  • Does not require the source code you’re scanning to be buildable.
  • Comes out of the box with over 1,000 rules, and supports languages including Python, Java, Golang, JavaScript, TypeScript, Ruby, PHP, C, and more.
  • Most importantly, Semgrep makes it easy to write custom rules, no fancy DSL required. This empowers AppSec engineers and developers to detect and block company-specific security bugs and anti-patterns as well as enforce best practices.

We’ll demo how to easily write custom Semgrep rules tailored to your specific code base, and how to get continuous security coverage in CI in just a few minutes.
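As an added illustration of the secure-defaults approach the abstract describes (this is example rule text written for this page, not material from the talk or from the Semgrep project), the rule file below does two things: it flags the well-known anti-pattern of disabling TLS certificate verification in Python `requests` calls, and it steers developers toward an internal wrapper that bakes in the safe settings. The wrapper module name `safe_http` and its path `lib/safe_http.py` are assumptions chosen for the example; substitute your own secure-default library.

```yaml
# Example Semgrep rules written for this page (not from the talk or Semgrep).
# Run with:  semgrep --config semgrep-secure-defaults.yml .
rules:
  # Rule 1: kill the bug class outright. Any requests.* call that passes
  # verify=False disables certificate validation, so report it as an error.
  - id: requests-tls-verify-disabled
    languages: [python]
    severity: ERROR
    message: >-
      TLS certificate verification is disabled (verify=False). Remove the
      argument or use the secure-default wrapper safe_http (hypothetical
      module name) so verification cannot be switched off by callers.
    # $METHOD matches get, post, request, etc.; the surrounding "..." allow
    # any other arguments before or after the keyword.
    pattern: requests.$METHOD(..., verify=False, ...)
    metadata:
      category: security
      technology: [requests]

  # Rule 2: enforce the secure default. Outside the wrapper module itself,
  # direct use of the raw library is an anti-pattern, because the wrapper is
  # where timeouts and verification are set once for everyone.
  - id: prefer-safe-http-wrapper
    languages: [python]
    severity: WARNING
    message: >-
      Use safe_http.request() (hypothetical internal wrapper) instead of
      calling requests.$METHOD directly; the wrapper applies timeouts and
      certificate verification by default.
    pattern-either:
      - pattern: requests.get(...)
      - pattern: requests.post(...)
      - pattern: requests.put(...)
      - pattern: requests.delete(...)
      - pattern: requests.request(...)
    # The wrapper is the one place allowed to touch the raw library.
    paths:
      exclude:
        - "lib/safe_http.py"
```

The design point is the split between the two rules: the first catches the concrete vulnerability wherever it appears, while the second removes the opportunity to introduce it by funnelling all callers through one reviewed module. As a codebase migrates to the wrapper, the second rule's findings shrink to zero and the first rule becomes a backstop rather than a daily source of noise.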

This workshop will be interactive! We'll write some Semgrep rules live together and share challenges for attendees to solve.

Clint Gibler

Head of Security Research, Speaker, Co-founder of tldrsec.com, PhD
