Scaling your AppSec Program with Secure Defaults
12-09, 13:00–17:00 (Europe/London), Workshop Room 4

The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams as they often are too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they do not ultimately raise a company’s security bar.

In this workshop we will focus on hands-on exercises, supported by research results to teach participants how to use Semgrep by taking a different approach to security, called paved road or secure defaults.

Content overview

  • Why code scanning is useful
  • Intro to Semgrep
  • Rule writing (Hands on)
  • Code scanning best practices
  • Adding Semgrep to CI (Hands on)
  • Semgrep CLI (Hands on)
  • Advanced Semgrep features
  • Taint mode (Hands on)
  • Secure Defaults
  • Guardrail rules (Hands on)
  • Remediation guidance research
  • Autofix rules (Hands on)
  • Bring your own code (Hands on)
  • Q&A

Workshop requirements:
- A laptop with a web browser,
- Not required, but may be helpful to have Semgrep installed locally (see

Claudio is a veteran security expert. After completing his Master in Computer Engineering at the Politecnico di Milano University, he started a now more than 15 years long journey in the security space. Security consultant first, then moving through different roles, from technical sales engineering to security research and product engineering. This has allowed him to experience application security from a variety of perspectives.
He fell in love with static source code analysis early on and spent most of his career working with, and on, the leading static analysis solutions.
He’s now leading the security research team at Semgrep and trying to make the world a safer place, one rule at a time.
In his free time he enjoys doing way too many things. If he had to pick up four: synthesizer nerd, avid runner, beginner Go player, foreign languages enthusiast.