 |
VOOZH | about |
|
VOOZH | about |
At RSA, we launched Semgrep Multimodal to combine AI reasoning with rule-based detection Learn More โ
Find and fix the issues that matter in your code (SAST)
Fix vulnerabilities in open source dependencies and block malware
Find and fix hardcoded secrets with semantic analysis
Scan and fix AI-generated code the moment it's written
Combine AI reasoning with rule-based analysis for detection, triage, and remediation
Automate, manage, and enforce security across your organization
Build and deploy security pipelines that combine static analysis with AI at scale
Stay up to date on changes to the Semgrep platform, big and small
Protect against software supply chain attacks
Increase security while accelerating development
Prevent the most critical web application security risks
Protect Your Code with Secure Guardrails
Mitigate software supply chain risks
Increase security while accelerating development
Want to read all the docs? Start here
Get the latest news about Semgrep
See how Semgrep can save you time and money
Join the friendly Slack group to ask questions or share feedback
Join us at a Semgrep Event!
See why users love Semgrep
View our library of on-demand webinars
The Semgrep story & values
Join the team!
Become a Semgrep partner
The lean security team is responsible for infrastructure, end-point, and application security. The main goal of the security team is to provide the engineering organization with the appropriate security data (such as security issues, fix rates, etc.) so that the engineering organization can meet its Service Level Objectives (SLOs).
To achieve this goal on the application security side, Thinkific wanted to provide security guardrails for developers and not block developersโ pull requests (PRs) unless high-confidence or reachable issues were detected in their code. Thus, the application security team can ensure that the development velocity does not slow down because of the security process.
The three major challenges that Thinkific faced with the previous application security products were: 1. The scans were very slow (took hours on monorepo), 2. The results were extremely noisy (high false positive rate), and 3. They could not properly configure the products to fit Thinkificโs environment. Due to these issues, even when a developer changes a few lines of code, the application security products would take hours before surfacing issues (if any). Sometimes, even after taking hours to scan, the scan would fail without any additional information to debug the reason for the failure.
In addition to this process being frustrating for the security team, these products became a blocker for fast development. So, the slow scan time and noisy results made these products ineffective in meeting the security teamโs goals.
Aleksandr Krasnov, Staff Security Engineer at Thinkific, first came across Semgrep after talking with . The ability to easily customize Semgrep rules immediately caught Alekโs attention. Alek could easily tweak a Semgrep rule message (which shows up as a PR comment for developers) so that developers understand the context of a security issue.
๐ PR Comment
Example of what a developer would see as a pull request (PR) comment for the above rule
To keep up the fast software development cadence, the ability to control which security issues are surfaced to developers is critical. Thikific uses to manage security touchpoints with developers. The following workflow shows how Thinkific (and many users) use Policies.
According to Alek, getting the right code scanner in place is not the hardest part of the job. Getting all developers aligned on the SAST product and making sure they use it - is the hardest part of the job. Alek achieved this using Semgrep Code and Thinkificโs security champions. Thinkific invests a lot in its security champions program because it wants efficient processes in place when developers liaison with security. So, with Semgrep Code, Thinkificโs developers see a high percentage of true positives as PR comments from Semgrep, and they also have the appropriate context to fix the security issue.
โGetting the developers aligned on a SAST product and making them use it is the hardest part of the job for an AppSec Engineer. We were able to achieve this with Semgrep Code.โ
Aleksandr Krasnov, Staff Security Engineer, Thinkific
Semgrep Supply Chain (Semgrepโs SCA product) . Using lockfiles to do reachability caught Alekโs attention because this approach provides more visibility and fewer false positives. Thinkific reduced the noise by 85% using Semgrep Supply Chain (compared to the previous tools they used)! Due to this high reduction in noise, developers fix the open source dependency issues within the appropriate SLA time frame.
While getting an awesome scanner like Semgrep Code for our SAST was great, Reachability Analysis via Semgrep Supply Chain was the cherry on top.
Aleksandr Krasnov, Staff Security Engineer, Thinkific
๐ policygenius case study awards
Thinkific is excited about (using GPT to get a second opinion on Semgrep Codeโs findings). The initial results have been promising, but the security team wants to test it more before rolling it out to developers. Thinkific has found Semgrep to be an invaluable part of its security program because using Semgrep has enabled it to fix issues that matter while commuting with developers more efficiently.
.jpg){kind=link}
