Securing software, together – Semmle

A code analysis platform for finding zero-days and automating variant analysis

Semmle believes security is a shared responsibility. Its mission is to secure all software by bringing the security and development communities together. By combining expertise in the fields of databases, programming languages, data science, and security, Semmle is making software truly searchable, allowing deep meaningful questions to be answered, and insights to be shared. A problem that it needs to solve together, with developers, security researchers and the community at large. The firm enables this collaboration by providing, for the first time, a technology that helps automate variant analysis: the process of finding all instances of a coding mistake that caused a security incident. The company treats the source code itself as a database, and deep semantic analyses can be expressed as simple queries.

This helps bridge the divide between developers and security teams, because now security teams can share their knowledge with every developer, in the form of automated queries, that can be applied near time zero in every pull request. Developers love the results because they’re accurate and relevant. The same sharing happens at a larger scale in the community: security teams contribute back their queries to an open-source repository curated by Semmle, so best practices are shared.

The People

The firm believes the sky is the limit when people with different backgrounds and skill set work as a team to solve big challenges. Guided by a strong strategic vision, its leadership team is committed to cultivating strong company culture, unleashing the full potential of every member of the team, and making its customers and open-source teams successful in creating secure and trustworthy code.

Product: QL

QL helps you explore code quickly to find and eradicate all variants of vulnerabilities before they become a problem. By automating variant analysis, QL enables product security teams to find zero-days and variants of critical vulnerabilities.

The Unknown Vulnerability

QL allows you to quickly perform a variant analysis to find previously unknown security vulnerabilities. QL treats code as data allowing you to write custom queries to explore your code. QL ships with extensive libraries to perform control and data flow analysis taint tracking and explore known threat models without having to worry about low-level language concepts and compiler specifics. Supported languages include C/C++, C#, Java, Javascript, Python and more.

Rapidly interrogate your code

QL is the most efficient way to explore your code and identify even the most complex semantic patterns. QL is easy to learn and quick to iterate. Write and execute QL queries locally using QL plugins for your favorite IDE. Use the LGTM Query Console to write QL directly in your web browser and query your entire portfolio for security vulnerabilities.

Scale security analysis

With QL, you can run out of the box or custom queries on multiple codebase to get accurate and relevant security analyses, allowing you to focus on the most critical issues. Each QL query represents a piece of security knowledge — codified, readable, and executable — ready to be applied to any number of projects. QL is a high performing code analysis engine that analyses the largest and most complex applications in the world.

Community-powered security

Scale your security expertise by tapping into the Semmle security community. With over 1600 QL queries contributed by the Semmle Security Research Team as well as its growing customer community, your security team is instantly extended with the capabilities of the top security researchers on the planet, working to secure your software. Give back by sharing your security analyses and helping it work together to secure the code that runs the world.

Open Security

Nowhere is this more important than with open-source software. Every company developing software today is critically dependent on the security of the open-source software underpinning their applications. Checking for dependencies and known vulnerabilities is a good start, but it’s not enough.

Securing Open Source Software

Securing open source software requires a shift in the open-source community. Only the largest organizations in the world have the necessary resources to secure their underlying components, and most of this security research is not shared with the wider community, leading to a duplication of effort. Sharing its collective security expertise is imperative if the company is to succeed in securing open-source software.

Making security expertise shareable is central to the Semmle mission. Its security analyses are publically available in its open-source QL repository. Each QL query represents a piece of security knowledge — codified, readable, and executable — ready to be applied to any number of projects. To date, over 1600 queries have been contributed by Semmle and its customers and partners in the fight to secure open-source.

 “At Semmle, we believe that security is a shared responsibility, a problem that we need to solve together, with developers, security researchers and the community at large.”