784: Semmle – The New Method of Code Analysis

Feb 28, 2019
administrator

Today, developers and security teams are at odds. Developers are under the gun to publish code quickly, which could result in sloppy coding errors and could also mean security teams don’t have enough time to review code for vulnerabilities.

Software underpins the world’s most commonly used technology. Windows contains tens of millions of lines of code. The software powering BMW cars includes some 100 million lines. Google’s empire of internet services — from Google Search and Chrome to Gmail and Maps — includes about 2 billion. But it only takes a single coding error or bug to expose every user.

This is where Semmle comes in. Semmle allows developers to find vulnerabilities across a company’s entire codebase — no matter the programming language — in minutes instead of days. Before Semmle, this wasn’t technically possible. Semmle also allows developers to find variants of a known vulnerability across an entire codebase using deep semantic search. This was also not technologically possible before Semmle.

Their technology is like a Google for vulnerabilities. That’s the reason that massive companies like Credit Suisse, Dell, Google, Microsoft, NASA and Nasdaq trust Semmle’s technology to keep their code secure.

Oege De Moor is the CEO and founder of Semmle. I invited him onto today’s daily tech podcast to talk about how they believe that security is a shared responsibility, a problem that we all need to solve together, with developers, security researchers and the community at large.

I learn how Semmle enables this collaboration by providing technology that helps automate variant analysis: the process of finding all instances of a coding mistake that caused a security incident. They treat the source code itself as a database, and deep semantic analyses can be expressed as simple queries.

This helps bridge the divide between developers and security teams, because now security teams can share their knowledge with every developer, in the form of automated queries, that can be applied near time zero in every pull request. Developers love the results because they’re accurate and relevant. The same sharing happens at a larger scale in the community: security teams contribute back their queries to an open source repository curated by Semmle, so best practices are shared.
