The Silicon Review - Best Business Review Magazine 50 Most Trustworthy Companies 2019 | Page 76
Securing software, together – Semmle
A code analysis platform for finding zero-days and automating variant analysis
Semmle believes security is a shared responsibility. Its mission is to secure all software by bringing the security and development communities together. By combining expertise in the fields of databases, programming languages, data science, and security, Semmle is making software truly searchable, allowing deep, meaningful questions to be answered and insights to be shared. Securing software is a problem that needs to be solved together, with developers, security researchers and the community at large. The firm enables this collaboration by providing, for the first time, a technology that helps automate variant analysis: the process of finding all instances of a coding mistake that caused a security incident. The company treats the source code itself as a database, so that deep semantic analyses can be expressed as simple queries.
This helps bridge the divide between developers and security teams, because now security teams can share their knowledge with every developer, in the form of automated queries that can be applied near time zero in every pull request. Developers love the results because they’re accurate and relevant. The same sharing happens at a larger scale in the community: security teams contribute their queries back to an open-source repository curated by Semmle, so best practices are shared.
The People
The firm believes the sky is the limit when people with different backgrounds and skill sets work as a team to solve big challenges. Guided by a strong strategic vision, its leadership team is committed to cultivating a strong company culture, unleashing the full potential of every member of the team, and making its customers and open-source teams successful in creating secure and trustworthy code.
Product: QL
QL helps you explore code quickly to find and eradicate all variants of vulnerabilities before they become a problem. By automating variant analysis, QL enables product security teams to find zero-days and variants of critical vulnerabilities.
The Unknown Vulnerability
QL allows you to quickly perform a variant analysis to find previously unknown security vulnerabilities. QL treats code as data, allowing you to write custom queries to explore your code. QL ships with extensive libraries to perform control and data flow analysis and taint tracking, and to explore known threat models, without having to worry about low-level language concepts and compiler specifics. Supported languages include C/C++, C#, Java, JavaScript, Python and more.
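As an added illustration, not part of the original article and not one of Semmle's own queries, here is a small variant-analysis query in the style the profile describes, written for the classic (2019-era) Semmle C/C++ QL library: it reports every path on which an environment-variable value reaches the command argument of system(). The import path, the TaintTracking::Configuration class and the PathGraph output shape are assumptions based on that era's documented API.

```ql
/**
 * @name Environment variable flows into system()
 * @description Variant analysis: finds every place where the value of an
 *              environment variable reaches the command string of system().
 * @kind path-problem
 * @problem.severity warning
 * @id example/getenv-to-system
 */

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

// Source: the return value of any call to getenv().
class GetenvSource extends DataFlow::Node {
  GetenvSource() {
    exists(FunctionCall call |
      call.getTarget().hasGlobalName("getenv") and
      this.asExpr() = call
    )
  }
}

// Sink: the first (command) argument of any call to system().
class SystemSink extends DataFlow::Node {
  SystemSink() {
    exists(FunctionCall call |
      call.getTarget().hasGlobalName("system") and
      this.asExpr() = call.getArgument(0)
    )
  }
}

// Taint-tracking configuration (classic Configuration API) joining the two.
// Taint, not just exact data flow, so copies and concatenations are followed.
class GetenvToSystemConfig extends TaintTracking::Configuration {
  GetenvToSystemConfig() { this = "GetenvToSystemConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof GetenvSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof SystemSink }
}

from GetenvToSystemConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Command passed to system() is built from an environment variable read $@.",
  source.getNode(), "here"
```

Swapping the source and sink classes (for example, a network read as source, a memcpy length as sink) turns the same skeleton into a different variant-analysis query, which is what the article means by a query being a reusable piece of security knowledge.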
Rapidly interrogate your code
QL is the most efficient way to explore your code and identify even the most complex semantic patterns. QL is easy to learn and quick to iterate. Write and execute QL queries locally using QL plugins for your favorite IDE. Use the LGTM Query Console to write QL directly in your web browser and query your entire portfolio for security vulnerabilities.
Scale security analysis
With QL, you can run out-of-the-box or custom queries on multiple codebases to get accurate and relevant security analyses, allowing you to focus on the most critical issues. Each QL query represents a piece of security knowledge — codified, readable, and executable — ready to be applied to any number of projects. QL is a high-performing code analysis engine that analyses the largest and most complex applications in the world.
Community-powered security
Scale your security expertise by tapping into the Semmle security community. With over 1600 QL queries contributed by the Semmle Security Research Team as well as its growing customer community, your security team is instantly extended with the capabilities of the top security researchers on