Semgrep raises $53M to help developers detect vulnerable code


Semgrep Inc., a startup with a popular code security platform of the same name, today disclosed that it has raised $53 million in funding.

Lightspeed Venture Partners led the Series C investment. Felicis Ventures, Redpoint Ventures and Sequoia Capital contributed as well.

Before developers release new code to production, they scan it for vulnerabilities using so-called SAST, or static application security testing, tools. Semgrep offers one of the most popular SAST platforms on the market. Its platform is used by development teams at Snowflake Inc., Dropbox Inc., Shopify Inc. and other major tech firms. 

Semgrep can determine whether a piece of code contains known vulnerabilities such as those tracked in the CVE cybersecurity database. It’s also capable of checking an application’s susceptibility to common hacking tactics. A developer could, for example, use Semgrep to identify if an application may be vulnerable to SQL injections.

Software teams can extend Semgrep by creating custom detection rules. A detection rule is a script that checks whether a piece of code meets certain technical criteria. Developers can customize Semgrep to detect not only new cybersecurity flaws, but also other issues such as code snippets that don’t adhere to company best practices.

“Unlike most black-box scanners, Semgrep puts engineers in charge: they can transparently view the rules that alerted the vulnerabilities and make sense of them,” Semgrep founder and Chief Executive Officer Isaac Evans wrote in a blog post. “They can also quickly write a new rule, edit an existing rule, or use one of the thousands of community rules and fine tune Semgrep to match their specific needs.”

Semgrep monetizes the open-source version of its platform with two commercial editions. They’re known as Semgrep Supply Chain and Semgrep Code, respectively.

Enterprise applications include not only code that a company’s developers produce in-house, but also external modules from the open-source ecosystem. Such modules can potentially contain vulnerabilities. Semgrep Supply Chain, the startup’s first commercial product, automatically scans open-source code for security issues.

There are cases when a vulnerable open-source module may not necessarily represent a cybersecurity risk. Typically, such situations emerge when the part of the module that contains a vulnerability is not used by the application in which it’s installed. Such dormant security issues often cause cybersecurity tools to generate false positives. 

Semgrep Supply Chain can automatically identify if an open-source vulnerability is dormant. It then prioritizes more urgent software flaws that do pose a cybersecurity risk, helping developers address the most pressing issues first. Semgrep says that the tool can reduce false positives by up to 98% in some cases.
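The dormant-versus-reachable distinction described above can be shown with a small syntactic check. This is an added example, not Semgrep's code or algorithm; the package `examplepkg`, its functions, the advisory record and both application sources are constructed for illustration.

```python
import ast

# Constructed advisory: package and function names are hypothetical.
ADVISORY = {"package": "examplepkg", "vulnerable_functions": {"unsafe_parse"}}

# Constructed application sources.
APP_DORMANT = '''
import examplepkg
data = examplepkg.safe_parse("a: 1")
'''
APP_REACHABLE = '''
import examplepkg as ep
from examplepkg import unsafe_parse as up
def handler(body):
    return ep.unsafe_parse(body)
up("x")
'''

def reachable_calls(source, advisory):
    """Return sorted (line, function) pairs where a vulnerable function is called."""
    pkg, vulnerable = advisory["package"], advisory["vulnerable_functions"]
    tree = ast.parse(source)
    module_aliases, func_aliases = set(), {}
    for node in ast.walk(tree):  # pass 1: how is the package imported?
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == pkg:
                    module_aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module == pkg:
            for a in node.names:
                if a.name in vulnerable:
                    func_aliases[a.asname or a.name] = a.name
    hits = []
    for node in ast.walk(tree):  # pass 2: which calls resolve to a vulnerable function?
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in func_aliases:
            hits.append((node.lineno, func_aliases[f.id]))
        elif (isinstance(f, ast.Attribute) and f.attr in vulnerable
              and isinstance(f.value, ast.Name) and f.value.id in module_aliases):
            hits.append((node.lineno, f.attr))
    return sorted(hits)

def triage(source, advisory):
    """Label a dependency finding 'reachable' or 'dormant'."""
    return "reachable" if reachable_calls(source, advisory) else "dormant"
```

The check only sees direct calls in one file, so reflection, re-exports and calls made through other dependencies would be reported as dormant; a finding labelled dormant this way is deprioritized, not closed.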

The startup’s other commercial offering is Semgrep Code. It’s designed to find vulnerabilities in application code that a company produces in-house, as opposed to components from the open-source ecosystem.

Semgrep Code includes prepackaged vulnerability detection rules not available in the open-source version of the startup’s platform. Additionally, it provides more detailed data about the vulnerabilities that it finds. Semgrep Code can uncover if malicious input entered into one part of an application may compromise the security of another component.

Semgrep told TechCrunch that its commercial products experienced 750% growth in the past year, but didn’t share absolute numbers. The startup will use its newly announced funding round to further grow its market presence. To support the effort, Semgrep reportedly intends to hire 50 new employees by the end of the year.
