June 17

Workshop takeaways: Scaling Your Security Program with Semgrep


My key takeaways

  • Detecting where secure defaults are not used is much easier than finding bugs
  • "You can get amazing security wins if you can get a bit draconian about coding standards"
  • Blue teams can win, if they outmaneuver attackers in the OODA loop: 👀 🧠 👍 💪
  • generic checks can provide a lot of value, checks specific to your company can have a massive ROI
  • static code analysis may help new developers get up to speed faster by giving them hints on company specific coding standards
  • it may also help me as a dev to instantly create more secure code e.g. by using Semgrep with predefined OWASP Top 10 rules
  • "Semgrep" = semantic globally search for a regular expression and print matching lines
    • grep is a common Unix console program
  • Semgrep is well integrated in GitLab
  • the Semgrep playground can be used for testing the tool without the need to install anything
  • Semgrep can also be used to scan for secrets and credentials -> no more accidental leaking 😀
  • polyglot file support (like JS in HTML) is coming soon
  • Semgrep is aware of comments and filters them out; no need to write rules to NOT find patterns in comments
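As an added illustration of the "detect missing secure defaults" and "semantic, not just syntactic" points, here is a constructed Semgrep rule file (not from the workshop and not from Semgrep's rule registry): the first rule flags `set_cookie()` calls that never pass `secure=True`, the second flags disabled TLS verification in `requests` and, because Semgrep resolves Python import aliases, also matches `import requests as r; r.get(..., verify=False)`.

```yaml
# Constructed example rules file (rules.yaml); the rule ids, messages and
# company standard quoted below are assumptions made for this example.
# Run against a code base with:  semgrep --config rules.yaml src/
rules:
  - id: python-cookie-missing-secure-flag
    languages: [python]
    severity: WARNING
    message: >-
      set_cookie() is called without secure=True. The (assumed) company
      standard is to always set the Secure flag so the cookie is never sent
      over plaintext HTTP.
    metadata:
      category: security
      cwe: "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
    patterns:
      # any set_cookie() call, whatever the response object is named
      - pattern: $RESP.set_cookie(...)
      # ...except calls that already pass secure=True (position among the
      # other arguments does not matter, "..." absorbs them)
      - pattern-not: $RESP.set_cookie(..., secure=True, ...)
    paths:
      exclude:
        - tests/

  - id: python-requests-tls-verification-disabled
    languages: [python]
    severity: ERROR
    message: >-
      TLS certificate verification is disabled with verify=False; remove the
      argument or point verify= at the internal CA bundle instead.
    metadata:
      category: security
      cwe: "CWE-295: Improper Certificate Validation"
    # Semantic matching: "requests.$METHOD" also hits code written as
    # "import requests as r; r.get(url, verify=False)", and occurrences
    # inside comments are ignored automatically.
    pattern-either:
      - pattern: requests.$METHOD(..., verify=False, ...)
      - pattern: requests.Session().$METHOD(..., verify=False, ...)
      - pattern: |
          $S = requests.Session()
          ...
          $S.$METHOD(..., verify=False, ...)
```

The two `pattern-not`/`pattern` shapes are the building blocks for most "is the secure option missing?" checks: match the API call broadly, then subtract the forms that already comply.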


Semantic means it’s more than "syntactic", like handling import aliasing — @clintgibler


additional links



code review, devsec, DevSecOps

