Details

In this talk, we'll discuss Semgrep, a fast and open-source static-analysis tool originally developed at Facebook. Semgrep makes it very simple to write custom rules and to integrate into any CI environment. It supports 17 languages, including Java, has a thriving user community, and is adopted by thousands of developers and reference customers including Dropbox, Snowflake, Figma, and Chegg.

In addition to introducing semantic grep, one of the Semgrep maintainers will co-write, together with Kurt Boberg, a Lead Application Security Engineer from Chegg, a Semgrep Java pattern for detecting potentially critical vulnerabilities such as reverse-shell execution or SQL injection.
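As a taste of the kind of rule the session will build, here is an added example (not from the talk, nor a rule shipped with the Semgrep project) of a taint-mode Semgrep rule for Java that flags servlet request parameters flowing into a plain JDBC `Statement` query. The rule id, message, the `HttpServletRequest` source and the `Integer.parseInt` sanitizer are illustrative assumptions.

```yaml
# Added example rule (not the talk's or the Semgrep project's own): find SQL
# injection where user input reaches a java.sql.Statement query string.
#
# Code it is meant to flag (constructed sample):
#   String user = req.getParameter("user");
#   ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE name = '" + user + "'");
#
# Code it leaves alone, because the query text no longer carries the input:
#   PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
#   ps.setString(1, user);
#   ResultSet rs = ps.executeQuery();
rules:
  - id: java-jdbc-sqli-from-request-param   # assumed rule id
    mode: taint
    languages: [java]
    severity: ERROR
    message: >-
      User-controlled input from $REQ reaches a JDBC Statement query.
      Build the query with a PreparedStatement and bind parameters instead.
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"

    # Sources: anything read from the servlet request object.
    pattern-sources:
      - pattern: (HttpServletRequest $REQ).getParameter(...)
      - pattern: (HttpServletRequest $REQ).getHeader(...)

    # Sanitizers: values coerced to a number cannot carry SQL syntax.
    pattern-sanitizers:
      - pattern: Integer.parseInt(...)

    # Sinks: the query string argument handed to a plain Statement.
    # focus-metavariable restricts the finding to the query argument $Q,
    # so only taint reaching the SQL text is reported.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: (java.sql.Statement $S).executeQuery($Q)
              - pattern: (java.sql.Statement $S).executeUpdate($Q)
              - pattern: (java.sql.Statement $S).execute($Q)
          - focus-metavariable: $Q
```

Run it with `semgrep --config java-jdbc-sqli.yaml src/` (assumed file name). Because the sinks take a query argument, the `PreparedStatement` form, whose `executeQuery()` takes no arguments, is never matched, which is exactly the behavioural distinction (input concatenated into SQL text versus bound as a parameter) that a behavioural signature of this class of bug should capture.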

Source code: https://github.com/returntocorp/semgrep
https://semgrep.dev/

Speaker bios:

Daghan Altas is the head of operations for r2c, a small startup working on giving security tools directly to developers. Previously he was a Senior Director of Product Management at Cisco Meraki, responsible for the Security, SD-WAN, Service Provider, MDM and Data Analytics product portfolios. Daghan received his BS in Electronics from Université Paul Sabatier in France and his MEng. in Microelectronics from McGill University in Montreal, Canada. He also holds a Master of Information and Data Science degree from UC Berkeley.

Kurt Boberg has been an application security engineer for about 4 years. Before that he did what would now be considered DevOps, building datacenter automation tooling. He uses Semgrep and domain knowledge to abstract security bugs into behavioral signatures, helping engineers squash whole classes of bugs rather than individual instances of vulnerable antipatterns.