Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes with Semgrep


Details
Are you tired of seeing the same types of bugs surface again and again at your company? Do you ever shed tears of weariness or despair at the deluge of false positives your security tools continue sending your way?
Don’t worry, there’s another way! There’s a new approach that many forward-thinking AppSec teams are embracing, including Microsoft, Facebook, Google, Netflix, Dropbox, and more.
These companies are abandoning the Sisyphean task of trying to find every bug, and are instead embracing secure defaults: services, libraries, and frameworks that developers can use that prevent entire vulnerability classes from ever occurring in the first place.
During this show, Clint will present Semgrep (https://semgrep.dev), an open-source, lightweight static analysis tool that, when combined with secure defaults, can effectively scale your company's security by eliminating vulnerability classes.
Key Semgrep features:
Fast - scans code in minutes, not hours or days.
Does not require the source code you’re scanning to be buildable.
Comes out of the box with over 1,000 rules, and supports languages including Python, Java, Golang, JavaScript, TypeScript, Ruby, PHP, C, and more.
Most importantly, Semgrep makes it easy to write custom rules, with no hard-to-learn DSL required. This empowers AppSec engineers and developers to detect and block company-specific security bugs and anti-patterns, as well as enforce best practices.
Clint will also demo how to easily write custom Semgrep rules tailored to your specific codebase, and how to get continuous security coverage in CI in just a few minutes.
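As an added illustration of the custom-rule idea described above (this is example material written for this page, not a rule from the talk or from the Semgrep project), the ruleset below encodes two secure defaults as Semgrep rules: it flags yaml.load() and rewrites it to yaml.safe_load(), and it flags subprocess calls that use shell=True unless they go through a hypothetical team wrapper named safe_run(). The module name safe_cmd and the function safe_run are assumptions standing in for whatever secure-default library a team actually provides.

```yaml
# custom-rules.yml (added example; safe_cmd / safe_run are hypothetical names)
rules:
  # Secure default: parse untrusted YAML with safe_load instead of load.
  - id: yaml-load-use-safe-load
    languages: [python]
    severity: ERROR
    message: >-
      yaml.load() can instantiate arbitrary Python objects from untrusted input.
      Use yaml.safe_load() instead.
    pattern: yaml.load($DATA)
    # Semgrep can apply this rewrite automatically with --autofix.
    fix: yaml.safe_load($DATA)
    # Matches:      cfg = yaml.load(request.body)
    # Does not match: cfg = yaml.safe_load(request.body)

  # Anti-pattern: shelling out with shell=True. The only allowed way to run
  # commands is the (hypothetical) safe_cmd.safe_run() wrapper, which takes an
  # argument list and never invokes a shell.
  - id: subprocess-shell-true-use-safe-run
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC called with shell=True. Pass an argument list to
      safe_cmd.safe_run() instead so user input is never interpreted by a shell.
    patterns:
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # Calls routed through the wrapper are the secure default; skip them.
      - pattern-not-inside: |
          def safe_run(...):
              ...
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    # Matches:       subprocess.run("ls " + user_dir, shell=True)
    # Matches:       subprocess.Popen(cmd, shell=True, stdout=PIPE)
    # Does not match: subprocess.run(["ls", user_dir])
    # Does not match: the subprocess call inside safe_cmd.safe_run() itself
```

Run it against a codebase with `semgrep --config custom-rules.yml src/`; adding `--autofix` applies the yaml rule's rewrite. The same command in CI turns each rule into a gate, which is the point of the approach: once the secure default exists, the rule blocks every new instance of the anti-pattern rather than hunting for individual bugs after the fact.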
OUR GUEST: CLINT GIBLER
Clint Gibler (@clintgibler) is the Head of Security Research for r2c, a startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation and DevSecOps best practices, as well as performing penetration tests for companies ranging from large enterprises to new startups. Clint has previously spoken at conferences including Black Hat USA, AppSec USA/EU/Cali, BSidesSF, and DevSecCon Seattle/London/Tel Aviv/Singapore. Clint holds a Ph.D. in Computer Science from the University of California, Davis.
Want to keep up with security research? Check out tl;dr sec, Clint's newsletter, which contains summaries of artisanally curated top talks and useful security links and resources from around the web. https://tldrsec.com/
Clint Gibler can be found on social media here:
Twitter: https://twitter.com/clintgibler