Digital Meetup - "Diary of a DevSecOps Kid" & "Detect Complex Code Patterns"


Details
AGENDA
- 7:00pm: Lobby & Networking (20mins)
- 7:20pm: Introduction & Announcement (10mins)
- 7:30pm: "Diary of a DevSecOps Kid 2 (Tool)" by Fabian Lim
- 8:30pm: "Detect Complex Code Patterns Using Semantic grep" by Drew Dennison
ONLINE PLATFORM
The Meetup will be held on Hopin: https://hopin.to/events/div0-digital-meetup-diary-of-devsecops-kid-detect-complex-code-patterns
THANK YOU!
SUSTAINABLE PARTNER: ICE71
SUSTAINABLE SPONSOR: Centurion Information Security
SUPPORTING PARTNER: Association of Information Security Professionals (AiSP)
ABSTRACT
# Diary of a DevSecOps Kid 2 (Tool) #
The DevSecOps movement is mainly a cultural shift in mindset but often enabled by so-called “DevSecOps tools”. While tooling is important, the focus must still be on the people and processes that set the foundation of the transformation.
In my stories, I share how some tools enable the DevSecOps transformation by shifting (left) mindsets to integrate security early into the software development lifecycle.
# Detect Complex Code Patterns Using Semantic grep #
We’ll discuss a program analysis tool we’re developing called Semgrep (https://github.com/returntocorp/semgrep#semgrep). It's a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle (http://coccinelle.lip6.fr/), for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.
Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.
For example, find subprocess calls with shell=True in Python using the query (the `...` stands for any other arguments, in any order):
subprocess.Popen(..., shell=True)
This will even find snippets like the following, where the module is imported under an alias:
import subprocess as s
s.Popen(f'rm {args}', shell=True)
Or find hardcoded credentials using the query:
boto3.client(..., aws_secret_access_key="...", aws_access_key_id="...")
Source code: https://github.com/returntocorp/semgrep
Test in your browser: https://semgrep.live/
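To make concrete what "semantic" buys you over a plain text grep, here is an added toy matcher, written for this page and not part of Semgrep or r2c's code. It uses Python's standard ast module to resolve import aliases and then flags the two patterns from the abstract: subprocess calls with shell=True and boto3.client calls with string-literal credentials. The sample target source, the rule names and the set of subprocess functions it checks are all assumptions made for the illustration; Semgrep's real engine and pattern language are far more general.

```python
import ast
from typing import Dict, List, Optional, Tuple

# Constructed sample target (not real project code). It mirrors the abstract's
# snippets: an aliased import and an f-string argument are exactly the things a
# line-oriented grep for "subprocess.Popen" would miss.
SAMPLE_SOURCE = '''
import subprocess as s
import boto3
from subprocess import Popen as start

def run(args):
    s.Popen(f"rm {args}", shell=True)      # should be flagged (module alias)
    start(["ls", "-l"], shell=True)        # should be flagged (from-import alias)
    s.run(["ls", "-l"])                    # safe: no shell=True
    s.Popen(["rm", args], shell=False)     # safe: explicit shell=False

def client():
    return boto3.client(
        "s3",
        aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    )
'''

# Assumed set of subprocess entry points that accept shell=True.
SHELL_FUNCS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
}


class AliasResolver(ast.NodeVisitor):
    """Map every local name bound by an import to its fully qualified name."""

    def __init__(self) -> None:
        self.aliases: Dict[str, str] = {}

    def visit_Import(self, node: ast.Import) -> None:
        for a in node.names:                      # import subprocess as s
            self.aliases[a.asname or a.name] = a.name

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        for a in node.names:                      # from subprocess import Popen as start
            self.aliases[a.asname or a.name] = f"{node.module or ''}.{a.name}"


def qualified_name(func: ast.expr, aliases: Dict[str, str]) -> Optional[str]:
    """Turn the callee of a Call (e.g. s.Popen) into a dotted name, following aliases."""
    parts: List[str] = []
    node = func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None                               # e.g. a call on a call result
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def keyword_equals(call: ast.Call, name: str, value: object) -> bool:
    """True if the call passes name=<literal value>, regardless of argument position."""
    return any(k.arg == name and isinstance(k.value, ast.Constant) and k.value.value == value
               for k in call.keywords)


def keyword_is_string_literal(call: ast.Call, name: str) -> bool:
    """True if the call passes name="some literal string" (a hardcoded secret)."""
    return any(k.arg == name and isinstance(k.value, ast.Constant) and isinstance(k.value.value, str)
               for k in call.keywords)


def find_patterns(source: str) -> List[Tuple[str, int]]:
    """Return (rule_id, line) findings for the two patterns from the abstract."""
    tree = ast.parse(source)
    resolver = AliasResolver()
    resolver.visit(tree)
    findings: List[Tuple[str, int]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = qualified_name(node.func, resolver.aliases)
        if name in SHELL_FUNCS and keyword_equals(node, "shell", True):
            findings.append(("subprocess-shell-true", node.lineno))
        if (name == "boto3.client"
                and keyword_is_string_literal(node, "aws_secret_access_key")
                and keyword_is_string_literal(node, "aws_access_key_id")):
            findings.append(("boto3-hardcoded-credentials", node.lineno))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for rule_id, line in find_patterns(SAMPLE_SOURCE):
        print(f"line {line}: {rule_id}")
```

The matcher only resolves module-level import aliases and literal keyword values, which is enough to catch both snippets in the abstract while ignoring the shell=False and no-shell calls; anything that would require dataflow (a variable holding True, a secret read from a config) is deliberately out of scope here.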
BIO
FABIAN LIM is a DevSecOps servant leader. His day-to-day work ranges from managing stakeholders’ security concerns to integrating solutions using security technologies - which often leads to a better, more secure outcome. He does all these while writing middleware integrations for both on-premise and cloud in manners now known as Security as Code and Infrastructure as Code.
More here: https://about.me/fabian.Lim
DREW DENNISON is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Previously at Palantir, he led data-driven cyber insurance platform development and technical incident response on major data leaks for Fortune 100 companies. Drew received his degree in Computer Science from MIT. He lives in SF and spends his free time racing sailboats, camping, and trying to outsmart his two cats.
Follow Drew Dennison on Twitter: https://twitter.com/drewdennison
IMPORTANT NOTICES
- Code of Conduct: https://www.div0.sg/code-of-conduct
- Terms of Use & Disclaimer Notice: https://www.div0.sg/terms-of-use-disclaimer-notice