BSidesSF 2023 has ended
Saturday, April 22 • 10:00am - 12:00pm
Finding Bugs and Scaling Your Security Program with Semgrep

YOU ARE REQUIRED TO REGISTER AT https://bsidessf.regfox.com/2023 TO ATTEND THIS WORKSHOP (i.e. this session cannot be reserved with Sched)
Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up. We need to move fast, and iterate quickly as new issues emerge. SAST is one piece of a very important puzzle in the SDLC, so using tools effectively is the key to success!

This workshop will be a hands-on masterclass by the creators and maintainers of Semgrep (https://github.com/returntocorp/semgrep), an open source, lightweight static analysis tool which can help development teams scale their SAST efforts.

We’ll cover:
Best practices in rolling out continuous code scanning -- what to focus on, what to ignore, and how to maintain good working relationships with development teams

How to use this scanning to enforce secure defaults across your org

How to write custom Semgrep rules -- find anti-patterns and enforce security best practices unique to your organization

We will show you how to use our dataflow (taint) engine, and how you can write sources, sinks and sanitizers to identify vulnerabilities

We will show new GA and experimental features we have been working on which are not widely adopted yet, and how you can write rules to fit your needs

Finally, we'll explain how Semgrep can be used like a Swiss army knife for a variety of purposes -- alerting you whenever a new route is added (new attack surface), when new dependencies are added or Dockerfiles are modified (potential supply chain risk), or when generally sensitive files are modified, such as core authorization logic or secret management.
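As an added illustration of the sources, sinks and sanitizers mentioned above (this is not material from the workshop or a rule from the Semgrep project), here is a minimal taint-mode rule for Python. The rule id, message, and the choice of Flask request data as source and shell=True subprocess calls as sink are my own assumptions:

```yaml
rules:
  - id: flask-request-to-shell-command
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Request data reaches a shell command without being quoted.
      Pass an argument list without shell=True, or quote the value
      with shlex.quote().
    # Sources: values read from the incoming Flask request object.
    # Semgrep resolves `from flask import request`, so `request.args.get(...)`
    # in the scanned file matches the fully qualified pattern below.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.get_json(...)
    # Sanitizers: taint is cleared once the value passes through one of these.
    pattern-sanitizers:
      - pattern: shlex.quote(...)
      - pattern: int(...)
    # Sinks: only the command string of a shell=True call is a sink, so an
    # argument-list call without shell=True is not reported. focus-metavariable
    # narrows the sink to $CMD instead of the whole call expression.
    pattern-sinks:
      - patterns:
          - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
      - pattern: os.system(...)

# Constructed findings, assuming `from flask import request`:
#   subprocess.run("ping -c 1 " + request.args.get("host"), shell=True)   # reported
#   os.system("ping -c 1 " + request.args.get("host"))                    # reported
#   subprocess.run("ping -c 1 " + shlex.quote(request.args.get("host")),
#                  shell=True)                                            # sanitized
#   subprocess.run(["ping", "-c", "1", request.args.get("host")])         # not a sink
```

Run it against a checkout with `semgrep --config rule.yaml path/to/code`.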


You’ll leave this workshop with knowledge and skills you can immediately put into practice. For internal security engineers, you’ll have new capabilities for scaling your company’s security. For pen testers and offense-focused security professionals, we’ll up your bug finding game to a new level.

Prerequisites:
You should be familiar with reading and writing code in at least one programming language
Bring a laptop with a web browser, IDE, git, and the ability to install CLI tools
Familiarity with common vulnerability classes (e.g. the OWASP Top 10) will be helpful but is not required

Speakers
Lewis Ardern

Semgrep
Lewis is a Staff Security Researcher for Semgrep (r2c), a startup working on giving security tools directly to developers. Previously, Lewis was a Lead Security Engineer at Salesforce and spent many years at Cigital and Synopsys as a consultant functioning in every aspect of the SDLC...


Saturday April 22, 2023 10:00am - 12:00pm PDT
AMC Theatre 10