Senior Security Engineer
Staff Security Engineer @Slack
Slack is hiring!
Slack is used by millions of people every day – we need engineers who want to make that experience as secure and enjoyable as possible.
Both of us have lots of experience implementing static analysis programs.
Erin has previously implemented a static analysis program for 1200 devs across multiple languages for lots of different compliance standards.
Tim Faraci has implemented static analysis at medium and large companies, with experience in both commercial and open-source tools.
Current Commercial Problem - SAST
Hours vs minutes: scans take hours when devs need results in minutes
200k+ implementation cost
Yearly sales negotiations
Mystery secret scanning sauce: detection logic you can't inspect or tune
There is a Better Way!
Open Source - Easier Implementation
Get Scan Results Fast! Keep Devs Happy!
Lots of Language Support
Leverage the Power of Open Source Community
Get Compliance Checkbox!
Check Out Semgrep!
2. Ability to tune and define the ruleset
3. Ability to build and control our own infra
Semgrep is a language-agnostic static analysis engine.
It ingests a language's abstract syntax tree (converted to Semgrep's generic AST) plus a ruleset, and matches the rules against the codebase.
It uses per-language parsers to create strongly typed, representative syntax trees.
Download open-source rules or write your own.
The rules are YAML files; they're easy to write or modify.
Shout out to r2c!
Pull Request Scan
Dev requesting a false positive via GitHub
Because we own the infrastructure, we can make it faster!
How easy is it to add a language to Semgrep?
An intern could do it!
Or two interns who are almost done with computer science degrees.
We've been working on:
Static analysis using Semgrep, with Hack integration
Generic AST parser conversion (Hack's AST into Semgrep's generic AST)
Finally, rule creation
Putting it all together
1. Add the enabled file
2. Start with an empty JSON file for false positives
3. Review the results
4. Bam! You're scanning that codebase
5. You are now in...
The SNOW team
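An added example (not code from the talk or from Slack's tooling) tying the Semgrep rule format described earlier to the four steps above: a small YAML rule, a false-positives JSON list that starts empty and grows as dev requests are approved, and the review step that filters `semgrep --json` output against it. The rule itself, the suppression-file format, the fingerprint scheme and the sample findings are all assumptions or constructed data; only the `semgrep --config <file> --json <target>` invocation is the real CLI, and it is skipped when semgrep is not installed.

```python
# Added example (not from the talk or from Slack's tooling): a Semgrep rule plus
# the false-positive triage from steps 1-4. The rule, the suppression-file format,
# the fingerprint scheme and the sample findings are all assumptions/constructed.
import hashlib
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed rule: a minimal Semgrep rule in YAML. `...` matches any other
# arguments, `$FUNC` binds whichever subprocess function was called.
RULE_YAML = """\
rules:
  - id: python-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: subprocess called with shell=True; pass an argv list instead
    pattern: subprocess.$FUNC(..., shell=True, ...)
"""

# Constructed sample of `semgrep --json` output (fields as semgrep emits them:
# check_id, path, start/end positions and extra.lines with the matched source).
SAMPLE_OUTPUT = {
    "results": [
        {"check_id": "python-subprocess-shell-true", "path": "app/deploy.py",
         "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 52},
         "extra": {"severity": "WARNING",
                   "message": "subprocess called with shell=True",
                   "lines": "    subprocess.run(cmd, shell=True, check=True)"}},
        {"check_id": "python-subprocess-shell-true", "path": "tools/build.py",
         "start": {"line": 40, "col": 1}, "end": {"line": 40, "col": 43},
         "extra": {"severity": "WARNING",
                   "message": "subprocess called with shell=True",
                   "lines": 'subprocess.call("make clean", shell=True)'}},
    ],
    "errors": [],
}


def fingerprint(check_id: str, path: str, lines: str) -> str:
    """Stable id for a finding: rule + file + whitespace-normalized matched code.
    Deliberately excludes line numbers so an edit elsewhere in the file does
    not resurrect an already-triaged false positive."""
    code = " ".join(lines.split())
    return hashlib.sha256(f"{check_id}|{path}|{code}".encode()).hexdigest()


def suppression_entry(finding: dict, reason: str = "", approved_by: str = "") -> dict:
    """Entry to append to the false-positives JSON when a dev's request is
    accepted in review (step 2 starts from an empty list). Format is an assumption."""
    return {
        "fingerprint": fingerprint(finding["check_id"], finding["path"],
                                   finding["extra"]["lines"]),
        "check_id": finding["check_id"],
        "path": finding["path"],
        "reason": reason,
        "approved_by": approved_by,
    }


def filter_findings(output: dict, suppressions: list) -> list:
    """Step 3: drop findings whose fingerprint is in the false-positive file;
    return the rest, each tagged with its fingerprint so a reviewer can copy
    it straight into a suppression entry."""
    suppressed = {s["fingerprint"] for s in suppressions}
    kept = []
    for f in output.get("results", []):
        fp = fingerprint(f["check_id"], f["path"], f["extra"]["lines"])
        if fp not in suppressed:
            kept.append({**f, "fingerprint": fp})
    return kept


# Constructed: one approved false positive (constant command string, no user input).
SUPPRESSIONS = [suppression_entry(SAMPLE_OUTPUT["results"][1],
                                  reason="argument is a constant string",
                                  approved_by="appsec")]


def scan(target: str):
    """Run the rule against `target` with the real CLI if semgrep is installed
    (`semgrep --config <rule.yaml> --json <target>`); return None otherwise so
    the example stays runnable offline. semgrep exits non-zero when it finds
    something, hence check=False."""
    if shutil.which("semgrep") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        rule = Path(tmp) / "rule.yaml"
        rule.write_text(RULE_YAML)
        proc = subprocess.run(["semgrep", "--config", str(rule), "--json", target],
                              capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    output = scan(".") or SAMPLE_OUTPUT
    for f in filter_findings(output, SUPPRESSIONS):
        print(f"{f['path']}:{f['start']['line']} {f['check_id']} {f['fingerprint'][:12]}")
```

The fingerprint intentionally leaves out line numbers: a suppression keyed on `path:line` silently stops applying as soon as someone adds a line above the match, which is how "approved" false positives come back as noise in the next PR scan.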
Our wonderful summer interns, Nicholas and David
The AppSec Village
Antonio de Jesus Ochoa Solano