Drew Dennison - Detect complex code patterns using semantic grep

We’ll discuss a static analysis tool we’re developing called Semgrep (https://github.com/returntocorp/semgrep#semgrep) and compare it to tools like gosec. Semgrep is a tool for writing security and correctness queries on source code (for Go, Python, Java, C, and JS) with a simple grep-like interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle (http://coccinelle.lip6.fr/), for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time at r2c (https://r2c.dev/). Semgrep is open-source and comes with a registry of OWASP Top 10 security checks. It’s ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts. For example, with Semgrep you can: Simply match function calls The pattern exec.Command(...) matches exec.Command() called with any arguments or across multiple lines - but not the string "exec" in comments or hard-coded strings, because it's aware of the code structure. Find use of SSLv3 tls.Config{..., MinVersion: $TLS.VersionSSL30, ...} Find hardcoded JWT tokens var $X = []byte("...") ... $TOKEN := jwt.NewWithClaims(...) ... $Y := $TOKEN.SignedString($X) Source code: https://github.com/returntocorp/semgrep Test in your browser: https://semgrep.live/

SPEAKER:
Drew Dennison is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Previously at Palantir, he led data-driven cyber insurance platform development and technical incident response on major data leaks for Fortune 100 companies. Drew received his degree in Computer Science from MIT. He lives in SF and spends his free time racing sailboats, camping, and trying to outsmart his two cats.

Slides: https://r2c.dev/mile_high_gophers.pdf
---
Mile High Gophers Swag: https://teespring.com/stores/mile-high-gophers-official