SecurityOnline: semgrep v1.39 releases: Fast and syntax-aware semantic code pattern search https://securityonline.info/semgrep-fast-and-syntax-aware-semantic-code-pattern-search/ #WebVulnerabilityAnalysis #Programming #semgrep
Secure your Apollo GraphQL server with Semgrep - By Vasco Franco
tl;dr: Our publicly available Semgrep ruleset has nine new rules to detec... https://blog.trailofbits.com/2023/08/29/secure-your-apollo-graphql-server-with-semgrep/ #semgrep
SecurityOnline: semgrep v1.36 releases: Fast and syntax-aware semantic code pattern search https://securityonline.info/semgrep-fast-and-syntax-aware-semantic-code-pattern-search/ #WebVulnerabilityAnalysis #Programming #semgrep
SecurityOnline: semgrep v1.35 releases: Fast and syntax-aware semantic code pattern search https://securityonline.info/semgrep-fast-and-syntax-aware-semantic-code-pattern-search/ #WebVulnerabilityAnalysis #Programming #semgrep
SecurityOnline: semgrep v1.34.1 releases: Fast and syntax-aware semantic code pattern search https://securityonline.info/semgrep-fast-and-syntax-aware-semantic-code-pattern-search/ #WebVulnerabilityAnalysis #Programming #semgrep
SecurityOnline: semgrep v1.33 releases: Fast and syntax-aware semantic code pattern search https://securityonline.info/semgrep-fast-and-syntax-aware-semantic-code-pattern-search/ #WebVulnerabilityAnalysis #Programming #semgrep
I wonder if anyone out there has written a #semgrep rule to catch typos in Go struct tags; something that can find and catch `dyanmodbav:"foo"` or `dynamodb:"foo"` would be super-awesome. Not finding joy in the docs / examples that I can find. Technically doesn't need to be semgrep, but trying to step up from regular grep.
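One way to get the "step up from grep" the post asks for without waiting on a Semgrep rule: parse the struct tags out of Go source and flag any tag key that is not on an allowlist, suggesting the closest known key. This is an added example, not code from the poster or from Semgrep; the allowlist `KNOWN_TAG_KEYS`, the helper names and the sample Go snippet are all constructed for illustration.

```python
import difflib
import re

# Constructed sample Go source; the second and third fields carry the
# kinds of tag typos the post describes.
SAMPLE_GO = '''
type Item struct {
    ID    string `dynamodbav:"id" json:"id"`
    Name  string `dyanmodbav:"name"`
    Price int    `dynamodb:"price"`
    Note  string `json:"note,omitempty"`
}
'''

# Assumed allowlist of tag keys the project actually uses; extend per codebase.
KNOWN_TAG_KEYS = {"json", "dynamodbav", "yaml", "xml", "db", "validate"}

# A struct tag is a backtick-delimited raw string; inside it, each entry is key:"value".
TAG_RE = re.compile(r'`([^`]*)`')
KV_RE = re.compile(r'(\w+):"[^"]*"')


def closest_known(key, known):
    """Return the best fuzzy match from the allowlist, or None if nothing is close."""
    matches = difflib.get_close_matches(key, sorted(known), n=1, cutoff=0.6)
    return matches[0] if matches else None


def find_suspect_tags(src, known=KNOWN_TAG_KEYS):
    """Scan Go source and return (line_number, tag_key, suggestion) for every
    struct-tag key not in the allowlist.

    Caveat: any backtick raw string literal is treated as a tag; in real
    code, run this only over struct declarations or accept a few extra hits.
    """
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for tag in TAG_RE.finditer(line):
            for kv in KV_RE.finditer(tag.group(1)):
                key = kv.group(1)
                if key not in known:
                    findings.append((lineno, key, closest_known(key, known)))
    return findings


if __name__ == "__main__":
    for lineno, key, suggestion in find_suspect_tags(SAMPLE_GO):
        hint = f" (did you mean {suggestion!r}?)" if suggestion else ""
        print(f"line {lineno}: unknown struct tag key {key!r}{hint}")
```

Run it over `*.go` files in CI and treat any finding as a failure; a misspelled marshalling tag silently becomes a no-op in Go, so the allowlist check is what turns that quiet data-handling bug into a visible one.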
SecurityOnline: semgrep v1.32 releases: Fast and syntax-aware semantic code pattern search https://securityonline.info/semgrep-fast-and-syntax-aware-semantic-code-pattern-search/ @news@lemmy.seedoubleyou.me #WebVulnerabilityAnalysis #Programming #semgrep
Super excited to see the release of #Semgrep Code. Amazing results with higher coverage, higher confidence and deeper analysis. And on top of that, the new taint traces make it so easy to understand your finding! #sast
See for details:
https://semgrep.dev/blog/2023/announcing-semgrep-code
Better late than never, but I just learned that I have missed the release of DeepSemgrep last year. Global variables support and taint tracking across packages seem pretty useful to eliminate false positives in many cases in larger projects. Has anyone used it in their engagements? Any quirks one needs to be aware of? #Semgrep
https://semgrep.dev/docs/deepsemgrep/deepsemgrep-introduction/
And finally, this is our most successful article this year on the @hnsec blog, by yours truly:
Automating binary #vulnerability discovery with #Ghidra and #Semgrep
https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/
Every time my project has an issue, I write a #semgrep rule for it, preferably with autofix. I just found a few bugs, and truing things up to pass CI again was as easy as running with autofix enabled.
Never do a task more than once that you can convince a computer to do for you
Just published part 3 of my blog series on #Java #Spring Actuators - today, I'm discussing how to find exposed Actuators using dynamic testing with my favorite swiss army knife for web security tests: ffuf.
If you missed the previous articles or don't know what I am talking about: In part 1, I discuss why Spring Actuators can be dangerous if you inadvertently expose them to the internet (https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators), and in part 2 I show you how to use #semgrep to analyze your code for common misconfigurations related to them (https://blog.maass.xyz/spring-actuator-security-part-2-finding-actuators-using-static-code-analysis-with-semgrep). This third article rounds out the attacker side with a look at dynamic testing using #ffuf. Now, on to writing a final article from the perspective of the defender.
And here’s our #semgrep series published on the @hnsec blog this year:
https://security.humanativaspa.it/tag/semgrep/
Semgrep ruleset for #c #cpp #vulnerability #research
https://security.humanativaspa.it/semgrep-ruleset-for-c-c-vulnerability-research/
Semgrep rules for #PHP #security #assessment
https://security.humanativaspa.it/semgrep-rules-for-php-security-assessment/
Semgrep rules for #Kotlin #security #assessment
https://security.humanativaspa.it/semgrep-rules-for-kotlin-security-assessment/
Amazing to see the work done by the team on #Semgrep!
Adding deeper analysis while keeping it fast is no small feat.
Besides the powerful usual suspects #Semgrep and #CodeQL, here are a couple of less-known #source code #security scanners that get the job done:
https://github.com/googleprojectzero/weggli
https://github.com/chris-anley/cq
I haven’t tried this one yet, but it looks promising:
https://github.com/CoolerVoid/codewarrior
Happy hacking! :hecked:
In case you missed Ellen Wang's release of #GuardDog - A tool to detect malicious python packages using #semgrep, catch the write up here. It's been very successful at surfacing sneaky packages that make their way to the PyPi registry. #python #malware #oss @datadoghq@twitter.com
Great time this week at #appsecusa by #owasp hearing from folx like @bubblewire about paved road and highways!
@Datadog@twitter.com 's Ellen Wang released an open source tool called #GuardDog from #securitylabs that helps detect malicious python packages using #semgrep.