An Open-Source Tool for Software Security




The startup r2c, founded by MIT alumni, offers a database of software security checks to simplify the process of securing code.

The unfortunate reality of the software security industry is that it’s much easier to attack a system than it is to safeguard it. Attackers only need to find one vulnerability to succeed, while software developers need to protect their code against every possible attack.

The asymmetry means that when a solo programmer unwittingly makes a popular app, it quickly becomes a vulnerable fish in an ocean of threats. Larger companies have software security teams, but they’ve developed a reputation among developers for slowing down deployments as they painstakingly review lines of code to safeguard against attacks.

Now the startup r2c is seeking to make securing software a more seamless experience with an open-source tool for proofreading code. In the same way that Grammarly finds grammatical errors or opportunities for improvement in essays and emails, r2c’s tool, called Semgrep, parses lines of code to check for thousands of potential bugs and vulnerabilities.

Startup r2c

The startup r2c helps security professionals scan codebases and identify security vulnerabilities in their software. Pictured are the founders, left to right: Luke O’Malley ’14; Isaac Evans ’13, SM ’15; and Drew Dennison ’13. Credit: Courtesy of r2c, edited by MIT News

At the heart of Semgrep is a database of more than 1,500 prewritten rules that security professionals can incorporate into their code scans. If they don’t see one they want, they can write their own rules using r2c’s intuitive interface and add it to the database for others.

“If you know how to program in a language, you can now write rules and extend Semgrep, and that’s where you basically democratize this field that has only been accessible to people with highly specialized skills,” says r2c Head of Product Luke O’Malley ’14, who co-founded the company with Isaac Evans ’13, SM ’15 and Drew Dennison ’13. “Now that anyone can write a rule, you can tap into people’s specialized knowledge of their fields. That’s the big breakthrough. Semgrep is an open-source project that’s by developers, for developers.”

In addition to simplifying the process of implementing code standards, r2c has fostered a community of security professionals who can share ideas and brainstorm solutions to the latest threats. That support ecosystem has proven crucial in a rapidly evolving industry in which security professionals may wake up on any given morning and read about new vulnerabilities exposed by hacks to some of the biggest tech companies on the planet.

“It can be frustrating to see that computers are so insecure even though they’re 40 or 50 years old,” Dennison says. “I like to remind myself of automobiles. Sixty years into the automotive world we still didn’t have seat belts or airbags. It was really when we started measuring safety and having standards that the industry improved. Now your car has all kinds of fancy safety features. We’d love to do the same thing for software.”

Learning to hack

As undergraduates at MIT, Evans, O’Malley and Dennison lived next to each other in Simmons Hall. The three electrical engineering and computer science students soon began hacking together in various campus programs and side projects. Over the Independent Activities Period of 2011, they landed a contract to help military personnel in the Army use apps on Android phones more securely.

“That really cemented our roles because Drew played CTO of the project, Isaac was CEO, and I was doing product work, and those are the roles we fell into with r2c,” O’Malley says. “It wasn’t officially a company, but we gave ourselves a name and treated it like we were a startup.”

All three founders also took part in the Gordon-MIT Engineering Leadership (GEL) Program.

“GEL really helped me think about how a team works together, and how you communicate and listen,” Dennison says. “It also gave me people to look up to. Joel Schindall [MIT’s Bernard M. Gordon Professor in Product Engineering] was an important mentor. I asked him if we should turn the Army thing into a startup, and his advice was sound. He said, ‘Go make mistakes on someone else’s dime for a few years. There’s plenty of time.’”

Heeding that advice, the founders went their separate ways after graduation, joining different companies but always keeping their successful collaborations in the back of their minds.

In 2016, the founders began exploring opportunities in the software security space. At MIT, Evans had written his master’s thesis on advanced software security techniques, but the founders wanted to build something that could be used by people without that deep technical knowledge.

The founders explored several different projects related to scanning code before an internal hackathon in 2019, when a colleague showed them an old open-source project he had worked on while at Facebook to help analyze code. They decided to spend the hackathon reviving the project.

The founders set out to add breadth to the tool by making it compatible with more languages, and depth by enabling it to understand code at higher levels of abstraction. Their goal was to make Semgrep fit seamlessly into existing security workflows.

Before new code is deployed by a company, it typically gets reviewed by the security team (though the founders say security specialists are outnumbered 100 to one by developers at many companies). With Semgrep, the security team can write rules or checks that run automatically on the code to flag potential issues. Semgrep can integrate with Slack and other common tools to deliver the results. It works with more than 25 programming languages today, spanning mobile, back-end, front-end, and web development.

On top of the rules database, r2c offers services to help companies get the most out of the bug-finding engine by ensuring each codebase is scanned for the right things without causing unnecessary delays.

“Semgrep is changing the way that software can be written, so suddenly you can go fast and be secure, and that just hasn’t been possible for most teams before,” O’Malley says.

A network effect

When Log4Shell, a major vulnerability in the widely used Log4j logging library, was disclosed recently, r2c’s community Slack channel came alive.

“Everybody was saying, ‘Okay, here’s a new threat, what are we doing to detect it?’” O’Malley recalls. “They quickly said, ‘Here’s variant A, B, C for everybody.’ That’s the power of democratizing rule writing.”

The founders are constantly surprised by where Semgrep is being used. Large customers include companies like Slack, Dropbox, and Snowflake. The ministry of the interior for a large state government recently messaged them about an important project they were using Semgrep on.

As Semgrep’s popularity continues to grow, the founders believe they will be able to build out their analytics to give developers insights into the security of their codebases instantaneously.

“The broader security industry doesn’t have a ton of metrics about how well we’re doing,” Dennison says. “It’s hard to answer questions like: are we improving? Is our software getting better? Are we making progress against the attackers? So how do we get to a point where we can give you a code quality score? Then suddenly you’re making software security simple.”
