Brandon Wu

Program Analysis Engineer - Semgrep

Brandon Wu is a program analysis engineer at Semgrep, working on making application security fast, frictionless, and available to all through accessible static analysis. He graduated from Carnegie Mellon in 2022 with a degree in computer science, and has previously taught as a visiting lecturer for CMU’s introductory functional programming class.

Presentation Abstract

Finding Bugs and Scaling Your Security Program with Semgrep

Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up. We need to move fast, and iterate quickly as new issues emerge. SAST is one piece of a very important puzzle in the SDLC, so using tools effectively is the key to success!

This workshop will be a hands-on masterclass by the creators and maintainers of Semgrep (https://github.com/semgrep/semgrep), an open source, lightweight static analysis tool that helps development teams scale their SAST efforts.

We’ll cover:

  • Best practices in rolling out continuous code scanning – what to focus on, what to ignore, and how to maintain good working relationships with development teams
  • How to use this scanning to enforce secure defaults across your org
  • How to write custom Semgrep rules – find anti-patterns and enforce security best practices unique to your organization
  • How to use our dataflow (taint) engine – writing sources, sinks and sanitizers to identify vulnerabilities
  • New GA and experimental features we have been working on that are not widely adopted yet, and how you can write rules to fit your needs
  • Finally, how Semgrep can be used like a Swiss army knife for a variety of purposes – alerting you whenever a new route is added (new attack surface), when new dependencies are added or Dockerfiles are modified (potential supply chain risk), when generally sensitive files such as core authorization logic or secret management are modified, or in the IDE before vulnerabilities are even committed
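As an added illustration of the taint-mode concepts listed above (not a rule from the workshop or from the Semgrep project's own rule registry), here is a Semgrep taint rule that flags data read from a Flask request flowing into a database query unless it first passes through an integer conversion. The rule id, message, chosen sources and the sanitizer are assumptions made for this example.

```yaml
# Added example: a Semgrep taint-mode rule (hypothetical, not from the page).
# The target code it is meant to flag (constructed for this example) looks like:
#
#   from flask import request
#   def lookup(cursor):
#       name = request.args.get("name")                                   # source
#       cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")  # sink: finding
#       uid = int(request.args.get("id"))                                 # sanitized
#       cursor.execute("SELECT * FROM users WHERE id = " + str(uid))      # no finding
rules:
  - id: example-flask-sqli-taint   # hypothetical rule id
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Request data flows into a SQL query without sanitization.
      Use a parameterized query instead of string concatenation.
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    # Sources: values read from the Flask request object. Semgrep resolves
    # `from flask import request` so `request.args.get(...)` matches here.
    pattern-sources:
      - pattern-either:
          - pattern: flask.request.args.get(...)
          - pattern: flask.request.form.get(...)
          - pattern: flask.request.args[$KEY]
    # Sanitizers: an int() conversion cannot carry SQL metacharacters through,
    # so taint stops at this expression.
    pattern-sanitizers:
      - pattern: int(...)
    # Sinks: only the query argument of execute() is the sink, not the
    # cursor object, so a tainted cursor variable alone does not fire.
    pattern-sinks:
      - patterns:
          - pattern: $CURSOR.execute($QUERY, ...)
          - focus-metavariable: $QUERY
```

Run it against a file with `semgrep --config rule.yaml target.py`; only the first `execute` call in the constructed target produces a finding.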

You’ll leave this workshop with knowledge and skills you can immediately put into practice. For internal security engineers, you’ll have new capabilities for scaling your company’s security. For pen testers and offense-focused security professionals, we’ll up your bug finding game to a new level.

Prerequisites:

  • You should be familiar with reading and writing code in at least one programming language
  • Bring a laptop with a web browser, IDE, git, and the ability to install CLI tools
  • Familiarity with common vulnerability classes (e.g. the OWASP Top 10) will be helpful but is not required