Isaac Evans talks about semgrep - a lightweight, offline, open-source, static code analysis tool.

SecTools Episode 20 with Isaac Evans

Isaac Evans
Posted on Jul 5, 2020

Isaac Evans is the leader of r2c (https://r2c.dev/), a small startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as a researcher at the US Defense Department under an SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.

Simply match function calls

The pattern exec(...) matches exec() called with any arguments or across multiple lines - but not the string "exec" in comments or hard-coded strings, because it's aware of the code structure.

Match function arguments

requests.get(..., verify=False, ...) matches
requests.get(url, timeout=3, verify=False)

Supported languages: Python, JavaScript, Golang, Java, more coming.
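As an added example (not from the episode page or from the semgrep project itself), here are the two patterns above written as a complete rule file that semgrep can load. The rule ids, messages, severities, the $METHOD restriction and the tests/ exclusion are my choices, not something the page specifies:

```yaml
rules:
  - id: python-exec-call
    languages: [python]
    severity: WARNING
    message: >-
      exec() evaluates a string as Python code. If any part of the argument
      is attacker-controlled this is code execution; prefer a fixed dispatch
      table, or ast.literal_eval when you only need to parse data.
    # `...` stands for any argument list, including calls split over several
    # lines. The match is on the parsed code, so the word "exec" inside a
    # comment or a string literal is not reported.
    pattern: exec(...)

  - id: python-requests-verify-false
    languages: [python]
    severity: ERROR
    message: >-
      TLS certificate verification is disabled (verify=False), so the
      connection can be intercepted by anyone on the path. Remove verify=False
      or point verify at a trusted CA bundle.
    patterns:
      # Leading and trailing `...` let the keyword argument sit anywhere in the
      # call, so requests.get(url, timeout=3, verify=False) is matched.
      - pattern: requests.$METHOD(..., verify=False, ...)
      # $METHOD is a metavariable bound to the attribute name; restricting it
      # to the HTTP helpers keeps an unrelated requests.something() out.
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(get|post|put|patch|delete|head|options|request)$
    # Assumed project layout (my assumption): test fixtures that deliberately
    # talk to a self-signed local server are excluded to cut false positives.
    paths:
      exclude:
        - tests/
```

Save as rules.yml and run `semgrep --config rules.yml src/`. The page's own line `requests.get(url, timeout=3, verify=False)` triggers the second rule, while a commented-out `# exec(payload)` does not trigger the first. One caveat worth knowing: the second rule only sees an explicit keyword argument. A `verify=False` smuggled in through `**kwargs`, or set once on a session with `s.verify = False`, needs its own pattern.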
