Are you tired of seeing the same types of bugs surface again and again at your company? Do you ever shed tears of weariness or despair at the deluge of false positives your security tools continue sending your way?
Don’t worry, there’s another way! There’s a new approach that many forward-thinking AppSec teams are embracing, including Microsoft, Facebook, Google, Netflix, Dropbox, and more.
These companies are abandoning the Sisyphean task of trying to find every bug, and are instead embracing secure defaults: services, libraries, and frameworks that developers can use that prevent entire vulnerability classes from ever occurring in the first place.
In this talk, we’ll present Semgrep (https://semgrep.dev), an open source, lightweight static analysis tool that, when combined with secure defaults, can effectively scale your company’s security by eliminating vulnerability classes.
Key Semgrep features:
We’ll demo how to easily write custom Semgrep rules tailored to your specific code base, and how to get continuous security coverage in CI in just a few minutes.
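To make the "secure defaults plus custom rules" idea concrete, here is an added example of the kind of Semgrep rule file such a workshop would have you write; it is not code from the talk or from the Semgrep project. It assumes a hypothetical secure-default module `safe_subprocess.py` exposing `safe_run()`, which only accepts an argument list and never invokes a shell. The first rule flags the dangerous pattern outright (command-string execution, the recurring source of command injection); the second steers every other process launch in the code base toward the reviewed wrapper, so the vulnerability class disappears instead of being hunted bug by bug.

```yaml
# secure-defaults.yml (hypothetical file name)
# Added example rule set, not part of the original talk or of Semgrep itself.
# Assumes a secure-default helper safe_subprocess.safe_run() exists in this repo.
rules:
  - id: ban-shell-command-strings
    languages: [python]
    severity: ERROR
    message: >-
      Building a shell command string is where command injection keeps
      recurring. Use safe_run() from safe_subprocess.py, which takes an
      argument list and never spawns a shell.
    pattern-either:
      # Any subprocess.* call that turns on shell interpretation
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # Legacy APIs that always go through a shell
      - pattern: os.system(...)
      - pattern: os.popen(...)
    paths:
      exclude:
        # The secure-default module itself is the one place allowed to
        # touch the raw API, because it is reviewed and tested.
        - safe_subprocess.py
    metadata:
      category: security
      secure-default: safe_subprocess.safe_run

  - id: prefer-safe-run-over-subprocess
    languages: [python]
    severity: WARNING
    message: >-
      Call safe_run() from safe_subprocess.py instead of using the
      subprocess module directly, so every process launch goes through
      the secure default and reviewers only need to audit one place.
    patterns:
      - pattern: subprocess.$FUNC(...)
      # shell=True cases are already reported by the ERROR rule above
      - pattern-not: subprocess.$FUNC(..., shell=True, ...)
    paths:
      exclude:
        - safe_subprocess.py
        - tests/
```

Run it locally or in CI with `semgrep --config secure-defaults.yml .`; a non-zero exit on ERROR findings is what turns the rule into a merge gate. The split into an ERROR rule for the genuinely dangerous pattern and a WARNING rule for "not using the wrapper yet" is deliberate: it lets a team block new shell-string execution immediately while migrating existing raw `subprocess` calls to the secure default at their own pace.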
This workshop will be interactive! We'll write some Semgrep rules live together and share challenges for attendees to solve.