How to scale software quality and security using the open source tool Semgrep
2023-10-14, Hochschule München - R1.007

The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams: they are often too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they ultimately do not raise a company’s security bar.

This workshop focuses on hands-on exercises, supported by research results, that teach participants how to use Semgrep to take a different approach to security, known as the paved road or secure defaults.


Content overview

  • Why code scanning is useful
  • Intro to Semgrep
  • Rule writing (Hands on)
  • Code scanning best practices
  • Adding Semgrep to CI (Hands on)
  • Semgrep CLI (Hands on)
  • Advanced Semgrep features
  • Taint mode (Hands on)
  • Secure Defaults
  • Guardrail rules (Hands on)
  • Remediation guidance research
  • Autofix rules (Hands on)
  • Bring your own code (Hands on)
  • Q&A

Keywords

Application security, secure defaults, developer-focused security tools, modern static analysis

Pieter De Cremer (@0xDC0DE) is a Senior Security Researcher at Semgrep, a startup working on open source static analysis tools that fit the modern developer workflow. Previously, Pieter obtained his PhD doing research for the company Secure Code Warrior in cooperation with Ghent University, where he designed, implemented, and evaluated improvements to both the training and the tools provided by this company. Pieter hosts a YouTube channel where he creates Semgrep tutorials as well as other security research content (https://www.youtube.com/@0xDC0DE) and has previously spoken at conferences such as OWASP, BruCON, BSides, and DEF CON. In his spare time, Pieter enjoys hitting the security conference circuit to engage with other enthusiasts around the world, his afternoon coffee ritual, and a few rounds of Apex Legends.