In Season 2 Episode 5, we talk to Drew Dennison, Co-Founder & CTO @ Semgrep.

We discuss the evolution of Semgrep as a code security tool, its focus on custom rules, and the importance of open source in democratizing application security. Drew shares insights from his entrepreneurial journey, the challenges faced in the early days of Semgrep, and the lessons learned from working in both the defense and civilian sectors of cybersecurity. The conversation highlights the shifting paradigms in application security, emphasizing the need for comprehensive coverage and the integration of modern development practices. In this conversation, Drew discusses the evolving landscape of cybersecurity, emphasizing the importance of custom rules in data security, the convergence of various security practices, and the role of open source in driving community engagement. He also explores the integration of AI and LLMs in code security, highlighting the potential for these technologies to enhance security processes while maintaining the necessity of human oversight. The discussion culminates in insights about the future of Semgrep Assistant and the balance between automation and human expertise in security.

Key Takeaways

- Semgrep is a code security tool focused on custom rules.
- The importance of understanding user problems in product development.
- Open source tools can democratize access to security solutions.
- The evolution of static analysis tools has improved user experience.
- Insights from the defense sector highlight the asymmetry in cybersecurity.
- Companies often overlook basic security hygiene in favor of advanced solutions.
- The modern application stack requires a holistic security approach.
- 100% code coverage is now achievable with modern tools.
- Community contributions enhance the effectiveness of open source projects.
- The architecture of software development has shifted towards microservices. User data doesn't go any deeper than this in our stack.
- The convergence of static analysis, software composition analysis, and secret scanning is notable.
- At the technology level, we think of it as all basically the same problem.
- We always knew we wanted to have an enterprise component for it.
- We recognized early that LLMs were going to be the future of security.
- Generative AI can help automate rule writing and prioritization.
- Contextualization in security is essential for effective rule application.
- The Semgrep Assistant aims to enhance developer trust and confidence.
- AI will complement human roles rather than replace them in security.
- Automation in security processes is crucial, similar to aviation.

Tune in to find out more!

Contacting Drew
* LinkedIn: https://www.linkedin.com/in/drewdennison/
* Semgrep: https://semgrep.dev/

Contacting Anshuman
* LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/
* X: ⁠⁠⁠⁠https://x.com/anshuman_bh
* Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/
* ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/
* X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans
* Website: ⁠⁠⁠⁠https://boringappsec.substack.com/