SecAppDev 2023 workshop details

How to scale software quality and security using the open source tool Semgrep

Learning goal: Why the current approach to software security is not working. How to automate code review to free up your time for higher impact work. Best practices in rolling out continuous code scanning, and how to write custom Semgrep rules.

Friday June 16th, 09:00 - 17:30
Room Lemaire

Abstract

The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams: they are often too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they ultimately do not raise a company’s security bar.

In this workshop we will focus on hands-on exercises, supported by research results, to teach participants how to use Semgrep and how to take a different approach to security, known as the paved road or secure defaults.

Content overview
  • Why code scanning is useful
  • Intro to Semgrep
  • Rule writing (Hands on)
  • Code scanning best practices
  • Adding Semgrep to CI (Hands on)
  • Semgrep CLI (Hands on)
  • Advanced Semgrep features
  • Taint mode (Hands on)
  • Secure Defaults
  • Guardrail rules (Hands on)
  • Remediation guidance research
  • Autofix rules (Hands on)
  • Bring your own code (Hands on)
  • Q&A

Content level

Deep-dive

Target audience

Any web application security professional or developer interested in secure coding

Prerequisites

Nothing is required besides basic programming skills.

Technical requirements

Laptop with internet connection. Installing Semgrep or trying out Semgrep’s online playground can be useful but is not required.

Join us for SecAppDev. You will not regret it!

Pieter De Cremer

Senior security researcher, Semgrep

Expertise: Application security, secure defaults, developer-focused security tools


Claudio Merloni

Security research manager, Semgrep

Expertise: Application security, secure development and static source code analysis
