Semgrep: Modern Static Analysis with Isaac Evans


Static analysis is a type of debugging that identifies defects without running the code. Static analysis tools can be especially useful for enforcing security policies by analyzing code for security vulnerabilities early in the development process, allowing teams to rapidly address potential issues and conform to best practices.

R2C has developed a fast, open-source static analysis tool called Semgrep. Semgrep provides syntax-aware code scanning and a database of thousands of community-defined rules to compare your code against. Semgrep also makes it easy for security engineers and developers to define custom rules to enforce their organization’s policies. R2C’s platform has been adopted by industry leaders such as Dropbox and Snowflake, and recently received the “Disruptive Innovator” distinction at Forbes’ 2020 Cybersecurity Awards.

Isaac Evans is the Founder and CEO of R2C. Before founding R2C he was an Entrepreneur in Residence at Redpoint Ventures and a computer scientist at the US Department of Defense. Isaac joins the show today to talk about how R2C is helping teams improve their cloud security, why static analysis is a natural fit for CI/CD workflows, and what to expect from R2C and the Semgrep project in the future.

Sponsorship inquiries: sponsor@softwareengineeringdaily.com

Transcript

Transcript provided by We Edit Podcasts. Software Engineering Daily listeners can go to weeditpodcasts.com/sed to get 20% off the first two months of audio editing and transcription services. Thanks to We Edit Podcasts for partnering with SE Daily.

Sponsors

Panther is a cloud-native security analytics platform built by a veteran team of security practitioners from high-tech companies like Airbnb and Amazon to help address modern security challenges. Craft expressive Python detections to identify specific activity in your environment and generate high-signal alerts in real time. Process and normalize data from across your environment to build a scalable security data lake in AWS or Snowflake that grows with your business. Check out Panther today.

Oracle for Startups delivers enterprise cloud at a startup price tag, with free cloud credits and 70% off industry-leading cloud services to help you reel in the big fish—confidently. And, with multi-cloud support and no vendor lock-in, you’re free to keep building in any way you choose. Your partnerships should be assets, not roadblocks to your success. To learn more, visit oracle.com/goto/sedaily.

Stream provides an easy-to-integrate chat solution for any application. With robust SDKs and an API built for ease of use, scalability, reliability, and security, product teams can focus on what makes their app unique, rather than spending months on building a chat infrastructure. Stream’s feature-rich products include robust client-side SDKs for iOS, Android, React, React Native, Flutter, and support for the most commonly used server-side languages; scalable and secure APIs; and a beautiful UI kit. Check it out at getstream.io/SED.

Courier is the fastest way to build notifications for your application. With Courier’s easy-to-use API and software, developers and product teams can reach users across every channel – email, SMS, push, and chat apps like Slack and WhatsApp. From designing templates to setting delivery rules and managing user preferences, you’ll get a complete notifications system that’s ready to be deployed in hours. Create your free account at: courier.com/sedaily.