Supercharge SAST: Semgrep Strategies for Secure Software

Presented at DEF CON 32 (2024), Aug. 8, 2024, 9 a.m. (240 minutes).

"Supercharge SAST: Semgrep Strategies for Secure Software" is a meticulously designed workshop aimed at introducing participants to the world of Static Application Security Testing (SAST) through the lens of Semgrep, a cutting-edge tool that combines the simplicity of syntax with the power of complex analysis.

Before the Training: Attendees are expected to have a basic understanding of programming concepts and syntax in a programming language such as JavaScript, Python, Go, or C#/Java. While familiarity with common security vulnerabilities (e.g., OWASP Top 10) is beneficial, it is not a prerequisite. To ensure a smooth and productive experience, participants should come equipped with a laptop that has administrative access for software installation. A pre-training checklist, including software installation guides (Semgrep and a preferred text editor/IDE), will be provided to all registered attendees to prepare them for the workshop.

What You Will Learn: This workshop is structured to guide attendees from the foundational concepts of SAST and application security to the practical application of Semgrep for identifying and mitigating security risks in codebases. Participants will:

- Gain an understanding of SAST and its importance in the AppSec ecosystem.
- Learn to navigate Semgrep's rule syntax and create custom rules tailored to their specific security needs.
- Engage in hands-on exercises to apply Semgrep on real-world code snippets and projects, enhancing their learning through practical application.
- Explore the Semgrep Playground for testing and refining rules in an interactive environment.
- Delve into advanced Semgrep features and techniques for a comprehensive security strategy.
- Understand how Semgrep findings can be leveraged for LLM-based code analysis, taking code security to the next level.
Technical Level and Tools Used: This workshop is tailored for beginner to intermediate skill levels, focusing on practical, actionable insights that participants can immediately apply to their projects. The primary tool used will be Semgrep, supplemented by the Semgrep Playground for online rule testing. Instructions for installing necessary software and accessing online resources will be provided ahead of the workshop.

Presenters:

  • Arjun Gopalakrishna - Senior Software Security Engineering Manager, Azure Security at Microsoft
    Arjun Gopalakrishna is a Senior Software Security Engineering Manager in Azure Security with more than a decade of experience at Microsoft. His work has been instrumental in fortifying Microsoft's Azure platform against a myriad of cyberthreats. His expertise lies in developing and implementing robust security measures to protect cloud-based systems and data. Arjun has presented at DEFCON in 2021, in addition to numerous security talks internally at Microsoft. Arjun's commitment to continuous learning and development, coupled with his passion for cybersecurity, continues to drive his contributions to the field.
  • Gautam Peri - Senior Security Engineer, EPSF SERPENT Team at Microsoft
    Gautam Peri is a Senior Security Engineer in the EPSF SERPENT (Service Pentest) team at Microsoft. He has over 8 years of experience as a security professional in multiple organizations, including Microsoft and Citibank N.A. He started his career as a software developer and became a security professional. Currently, Gautam focuses on securing Azure Edge & Platform & Devices services at Microsoft. He is passionate about identifying vulnerabilities at scale. Gautam has presented at multiple internal events and was accepted to speak at OWASP BASC (Boston Application Security Conference) 2024. Gautam holds CISSP & GCPN certifications; he is committed to continuous learning and development and drives internal knowledge-sharing events.
  • Marcelo Ribeiro - Senior Offensive Security Engineer in Azure Security at Microsoft
    Marcelo Ribeiro is a Senior Offensive Security Engineer in Azure Security with over 20 years of experience in various organizations, including Microsoft, IBM, and the Brazilian Navy. As a former Navy Officer, Marcelo was instrumental in establishing the Brazilian Navy's cyber security capacity. He also played a pivotal role in building IBM's DFIR (Digital Forensics and Incident Response) practice in Latin America. Currently, Marcelo focuses on enhancing the security of Microsoft's Azure platform against the constantly evolving cyber threat landscape. Always seeking new challenges, Marcelo's commitment to learning keeps his passion for cybersecurity alive. Marcelo holds several certifications, including CISSP, CISM, OSCP, CEH, GXPN, GPEN, GWAPT, GAWN, GPYC, GREM, GISP, GICSP, GRID, GNFA, GCIH, GCIA, GSEC, and MCSE, among others. In 2023, Marcelo was inducted into the EC-Council's CEH Hall of Fame in recognition of his outstanding career achievements.