Isaac Evans talks about semgrep - a lightweight, offline, open-source, static code analysis tool.

SecTools Episode 20 with Isaac Evans

Isaac Evans
Posted on Jul 5, 2020

Isaac Evans is the leader of r2c (https://r2c.dev/), a small startup working on giving security tools directly to developers. Previously, he conducted research into bypasses of binary exploitation defenses such as control-flow integrity, and into novel hardware defenses on new architectures like RISC-V, as a researcher at the US Defense Department under an SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.

Simply match function calls

The pattern exec(...) matches any call to exec(), whatever its arguments and even when the call spans multiple lines, but it does not match the string "exec" inside comments or hard-coded strings, because matching is done against the code structure rather than the raw text.

Match function arguments

The pattern requests.get(..., verify=False, ...) matches requests.get(url, timeout=3, verify=False)

Supported languages: Python, JavaScript, Golang, Java, more coming.
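To show how the two patterns above are packaged into something you can run, here is an added example rule file in semgrep's YAML rule format. It is not from the episode or from r2c's published rule set; the rule ids, messages and severities are my own choices, and the last two patterns of the first rule extend the page's requests.get example to other request methods and to Session objects, which the page itself does not mention.

```yaml
# Added example: two semgrep rules built from the patterns in the text.
# "..." inside a pattern matches any number of arguments (or statements);
# "$NAME" is a metavariable that matches any expression and must match the
# same thing everywhere it appears within one pattern block.
rules:
  - id: requests-tls-verification-disabled   # assumed id
    languages: [python]
    severity: WARNING
    message: >-
      TLS certificate verification is disabled (verify=False), so the
      connection can be intercepted by anyone who can sit on the network path.
      Remove verify=False or point verify= at a trusted CA bundle.
    pattern-either:
      # The literal example from the page: verify=False in any argument
      # position, regardless of the other arguments.
      - pattern: requests.get(..., verify=False, ...)
      # Assumed generalisation: the same keyword on any requests.<method>.
      - pattern: requests.$METHOD(..., verify=False, ...)
      # Assumed generalisation: calls on a Session created from requests.
      - patterns:
          - pattern-inside: |
              $SESSION = requests.Session()
              ...
          - pattern: $SESSION.$METHOD(..., verify=False, ...)

  - id: dynamic-exec   # assumed id
    languages: [python]
    severity: ERROR
    message: >-
      exec() runs a string as Python code. Review where that string comes
      from; if any part of it is user-controlled this is code injection.
    # Matches every exec() call, multi-line or not, but not "exec" appearing
    # in comments or string literals.
    pattern: exec(...)
```

Save this as a file such as semgrep-rules.yml (assumed name) and run `semgrep --config semgrep-rules.yml .` from the project root; each finding reports the rule id, the file and line, and the message. The pattern-inside clause on the Session rule keeps the metavariable match anchored to objects that really came from requests.Session(), so an unrelated object that happens to take a verify keyword is not reported.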
