June 17

Workshop takeaways: Scaling Your Security Program with Semgrep


My key takeaways

  • Detecting the lack of using secure defaults is much easier than finding bugs
  • "You can get amazing security wins if you can get a bit draconian about coding standards"
  • Blue teams can win, if they outmaneuver attackers in the OODA loop: 👀 🧠 👍 💪
  • generic checks can provide a lot of value; checks specific to your company can have a massive ROI
  • static code analysis may help new developers get up to speed faster by giving them hints on company specific coding standards
  • it may also help me as a dev to instantly create more secure code e.g. by using Semgrep with predefined OWASP Top 10 rules
  • "Semgrep" = semantic globally search for a regular expression and print matching lines
    • grep is a common Unix console program
  • Semgrep is well integrated in GitLab
  • the Semgrep playground can be used for testing the tool without the need to install anything
  • Semgrep can also be used to scan for secrets and credentials -> no more accidental leaking :D
  • polyglot file support (like JS in HTML) is coming soon
  • Semgrep is aware of comments and filters them out; no need to write rules to NOT find patterns in comments
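To make the "detect the missing secure default" takeaway concrete, here is an added Semgrep rule of my own (not from the workshop or the Semgrep project). It assumes a Flask code base and a hypothetical company standard that every cookie is set with `secure=True` and `httponly=True`; the rule id and message are made up for this example.

```yaml
# Added example rule: flag cookies that are set WITHOUT the secure defaults
# our (hypothetical) coding standard requires. The rule does not look for a
# bug pattern; it looks for the absence of the flags we want on every cookie.
rules:
  - id: flask-cookie-missing-secure-flags        # hypothetical rule id
    languages: [python]
    severity: WARNING
    message: >-
      set_cookie() is called without secure=True and/or httponly=True.
      Company standard: every cookie must carry both flags.
    metadata:
      category: security
      cwe: "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
    # $RESP is a metavariable: it matches whatever expression the cookie is set
    # on (a Response object, make_response(...), an aliased import, ...), so the
    # rule keeps working however the module was imported.
    pattern-either:
      # Case 1: secure=True is missing anywhere in the keyword arguments.
      - patterns:
          - pattern: $RESP.set_cookie(...)
          - pattern-not: $RESP.set_cookie(..., secure=True, ...)
      # Case 2: httponly=True is missing.
      - patterns:
          - pattern: $RESP.set_cookie(...)
          - pattern-not: $RESP.set_cookie(..., httponly=True, ...)

# Expected behaviour on a constructed target file (app.py, not on the page):
#
#   resp.set_cookie("session", token)                          # finding (both flags missing)
#   resp.set_cookie("session", token, secure=True)             # finding (httponly missing)
#   resp.set_cookie("session", token, secure=True, httponly=True)  # no finding
#   # resp.set_cookie("old", token)                            # no finding: comments are ignored
#
# Run with:  semgrep --config missing-secure-flags.yml app.py
```

The same `pattern` / `pattern-not` shape works for any "always use the safe wrapper or the safe flag" standard, which is where company-specific rules pay off.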

Quote

Semantic means it's more than "syntactic", like handling import aliasing -- @clintgibler

Env

additional links

Slides


Tags

code review, devsec, DevSecOps

