My key takeaways
- Detecting the lack of secure defaults is much easier than finding bugs
- "You can get amazing security wins if you can get a bit draconian about coding standards"
- Blue teams can win, if they outmaneuver attackers in the OODA loop: 👀 🧠 👍 💪
- Generic checks can provide a lot of value; checks specific to your company can have a massive ROI
- static code analysis may help new developers get up to speed faster by giving them hints on company specific coding standards
- it may also help me as a dev to write more secure code right away, e.g. by using Semgrep with the predefined OWASP Top 10 rules
- "Semgrep" = semantic globally search for a regular expression and print matching lines
- grep is a common Unix console program
- Semgrep is well integrated in Gitlab
- the Semgrep playground can be used for testing the tool without the need to install anything
- Semgrep can also be used to scan for secrets and credentials -> no more accidental leaking 😀
- polyglot file support (like JS in HTML) is coming soon
- Semgrep is aware of comments and filters them out; no need to write rules to exclude matches inside comments
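My own added example of the "generic check vs company-specific check" point above (not from the talk): one rule flags the overridden secure default `verify=False`, the other enforces a company standard that all outbound HTTP goes through a hypothetical internal wrapper module `secure_http`. Because Semgrep parses the code, a commented-out `# requests.get(...)` does not match either rule.

```yaml
rules:
  # Generic check: the secure default (TLS verification) was explicitly turned off.
  - id: requests-verify-disabled
    pattern: requests.$METHOD(..., verify=False, ...)
    message: TLS certificate verification disabled via verify=False; remove it.
    languages: [python]
    severity: WARNING
    metadata:
      category: security

  # Company-specific check: direct use of `requests` bypasses the hypothetical
  # in-house wrapper `secure_http`, which applies timeouts, TLS verification
  # and retries as defaults. Only the wrapper package itself may call requests.
  - id: use-secure-http-wrapper
    patterns:
      - pattern-either:
          # Module-level calls such as requests.get(url)
          - pattern: requests.$METHOD(...)
          # Calls on a session object created from requests.Session()
          - patterns:
              - pattern-inside: |
                  $S = requests.Session()
                  ...
              - pattern: $S.$METHOD(...)
      # Restrict $METHOD to the HTTP verbs, so e.g. requests.codes is ignored
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(get|post|put|patch|delete|head|options|request)$
    paths:
      exclude:
        - "secure_http/**"   # the wrapper is the one allowed caller
    message: >-
      Direct requests.$METHOD() call; use the secure_http wrapper instead so
      timeouts and certificate verification are applied by default.
    languages: [python]
    severity: ERROR
    metadata:
      category: security
```

Run with `semgrep --config rules.yml .`; the `paths.exclude` entry keeps the wrapper package itself from being flagged.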
Quote
Semantic means it’s more than "syntactic", like handling import aliasing — @clintgibler
Env
- Provided by Open Security Summit
- Presenter:
additional links
- https://semgrep.dev
- https://open-security-summit.org/sessions/2021/mini-summits/jun/devsecops/scaling-security-program-with-semgrep/
- 9 past Semgrep-focused sessions at earlier OSS events
- https://lab.github.com/returntocorp/intro-to-semgrep#
- supported languages in semgrep