
Chapter Croatia Virtual Meetup - DefectDojo & Semgrep

Hosted By
Tonimir K. and 3 others

Details

Schedule:
18:00 - 18:15 -> Chapter Croatia Public Service Announcements
18:15 - 19:00 -> Dubravko Sever - DefectDojo, vulnerability visibility in one place
19:15 - 20:00 -> Grayson Hardaway - Enforcing Code & Security Standards with Semgrep
20:00 -> Virtual drinks and chitchat

Abstracts:

Dubravko Sever - DefectDojo, vulnerability visibility in one place
Developing secure applications has always been a challenge, especially with an agile approach. It is hard to keep track of whether new components and dependencies open new opportunities for malicious actors. Continuous automated scanning of the code and of the application's integrations is therefore something without which an application cannot go into production. The scanning is done with several mutually unconnected tools. This is where DefectDojo comes in: it makes life easier by integrating vulnerability management into application development and the application life cycle.

Bio:
Dubravko Sever: After many years at the University Computing Centre SRCE, he now works as a security engineer at Deutsche Telekom, Pan-net, where he deals with cloud security (in/of the cloud) as well as the security of orchestrated microservice environments.

Grayson Hardaway: Enforcing Code & Security Standards with Semgrep
We’ll discuss a program analysis tool we’re developing called Semgrep. It's a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.

Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, find subprocess calls with shell=True in Python using the query:
subprocess.open(..., shell=True)
This will even find snippets like:
import subprocess as s
s.open(f'rm {args}', shell=True)

Or find hardcoded credentials using the query:
boto3.client(..., aws_secret_access_key="...", aws_access_key_id="...")
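
The two queries above can be turned into a rule file that Semgrep loads with --config. The rule file below is an added example written for this page, not code from the talk or from the Semgrep project; the rule ids, messages and severities are assumptions. It generalizes the abstract's queries slightly: a metavariable ($FUNC) makes the first rule match any subprocess function rather than one named function, and the second rule flags either AWS credential being a string literal, not only the case where both are.

```yaml
# Added example rule file (not from the Semgrep project). Usage:
#   semgrep --config rules.yaml path/to/code
rules:
  - id: python-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess call with shell=True; arguments built from untrusted input
      can be interpreted as shell syntax. Pass an argument list and drop
      shell=True.
    # $FUNC is a metavariable, so Popen, run, call, check_output, ... all match.
    # "..." stands for any other positional or keyword arguments.
    # Semgrep resolves import aliases, so `import subprocess as s` followed by
    # `s.Popen(cmd, shell=True)` is still reported.
    pattern: subprocess.$FUNC(..., shell=True, ...)

  - id: python-boto3-hardcoded-credentials
    languages: [python]
    severity: ERROR
    message: >-
      boto3 client created with a hardcoded AWS credential; load credentials
      from the environment, an instance/role profile or a secrets manager
      instead, and rotate any key that has been committed.
    # In a Semgrep pattern the string literal "..." matches any string literal,
    # so these patterns fire on any inline value, whatever its contents, and
    # stay silent when the value is an expression such as os.environ[...].
    pattern-either:
      - pattern: boto3.client(..., aws_secret_access_key="...", ...)
      - pattern: boto3.client(..., aws_access_key_id="...", ...)
```

Keyword arguments in a Semgrep pattern are matched by name, so the order in which the call site lists them does not affect the match; the trailing "..." lets additional arguments (region_name, endpoint_url and so on) appear without breaking the rule.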

Source code: https://github.com/returntocorp/semgrep
Test in your browser: https://semgrep.live/

Bio:
Grayson Hardaway is a security researcher at r2c, a startup working on static analysis tools purpose-built for the modern workflow. At r2c, Grayson authors static analysis tailored for finding security vulnerabilities in open source code. Previously, Grayson worked for the US Department of Defense fuzzing and exploiting obscure protocols. When not submitting patches, Grayson is hefting a heavy pack uphill, crafting guitar solos, or learning something new: currently woodworking.

OWASP Croatia Chapter