Semmle at Murex: Securing and modernizing the world's leading capital markets platform
QL and LGTM
As the provider of the world’s leading capital markets platform, Murex relies on Semmle to secure the product, secure a flexible architecture, and establish a culture of development excellence.
Semmle is a key lever in transforming the Murex platform and in enabling us to continuously deliver the best products to our customers. The ability by Semmle to take our specific code into consideration is mission critical for us, and Semmle was better positioned than its competitors to achieve this.
As the provider of the world’s leading enterprise capital markets platform, Murex - the second largest independent software provider in France - has exceptionally high standards when it comes to delivering high-performing code. With Murex’s financial services software in daily use by over 50,000 users, at customers in 60 countries, across all major geographic regions, a flexible architecture and development excellence are critically important components of the company's mission. However, with a product that has grown over many years to reflect a wide and rich functional scope, comprising many millions of lines of code leveraging many technologies, and with high levels of deeply integrated dependencies, Murex must act proactively to meet its goals. A key factor in doing so is the use of Semmle. Teams and management in Murex classify their use of Semmle in three areas:
Each of these delivers benefits to Murex that align with the strategic objectives of the company.
Since Murex became a Semmle customer in 2009, it has used Semmle for strategic transformations of the Murex platform. Such transformations are owned and mandated centrally in the organization but executed by each of the many development teams. Murex continuously leverages the flexibility of Semmle's query technology to create analyses that are highly specific to the Murex code and to the particular transformation each team is working towards. Gareth Hurley explains:
“Semmle has helped us with some really specific requests, for example in-house frameworks that are an integral part of our platform. Semmle’s expertise is perfectly positioned to create and support dedicated analysis for such a specific technology.”
The quality and accuracy of the results is essential to management and developers at Murex.
“We rely on the results of these queries every day. Murex has several languages, specific frameworks and other complicating factors. Without customizable queries, we would have drowned in false positives. Being able to customize everything ourselves to our specific cases has been crucial.”
For example, in 2015-16 Murex upgraded their core platform from running on 32-bit to 64-bit architectures. It was discovered early on that the move would significantly increase the memory required to run the software, due to changes in struct padding. Murex engaged with Semmle to create padding analyses that enabled teams to optimize the memory layout on the new 64-bit architecture across the code line. This resulted in a net reduction of 20% of the memory consumption, benchmarked against the pre-upgrade baseline.
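The padding effect described above, shown on a constructed record that is not Murex code and is added here as an example: on a 32-bit target both layouts occupy 12 bytes, but once pointers grow to 8 bytes the original field order gains 11 bytes of padding, while ordering fields by decreasing alignment leaves only 3. A padding analysis of the kind the text mentions reports exactly these interior gaps and tail padding.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example (hypothetical struct, not from the Murex code base):
 * a field order that was harmless on 32-bit but wastes space on 64-bit. */
struct trade_orig {
    char  flag;   /* 1 byte, then padding up to the pointer's alignment */
    void *book;   /* 4 bytes on 32-bit, 8 bytes on 64-bit */
    int   qty;    /* 4 bytes, then tail padding to the struct's alignment */
};

/* Same members, ordered by decreasing alignment: no interior padding. */
struct trade_reordered {
    void *book;
    int   qty;
    char  flag;   /* only tail padding remains */
};

/* Padding bytes = sizeof(struct) - sum of the members' own sizes. */
static size_t member_bytes(void) { return sizeof(char) + sizeof(void *) + sizeof(int); }
static size_t size_orig(void)      { return sizeof(struct trade_orig); }
static size_t size_reordered(void) { return sizeof(struct trade_reordered); }
static size_t padding_orig(void)      { return size_orig() - member_bytes(); }
static size_t padding_reordered(void) { return size_reordered() - member_bytes(); }

/* Interior gap between the first member and the pointer in the original layout:
 * this is the location a padding analysis would flag. */
static size_t gap_before_book_orig(void) {
    return offsetof(struct trade_orig, book) - sizeof(char);
}

int main(void) {
    printf("pointer size %zu bytes\n", sizeof(void *));
    printf("original:  %zu bytes, %zu padding (gap of %zu before 'book')\n",
           size_orig(), padding_orig(), gap_before_book_orig());
    printf("reordered: %zu bytes, %zu padding\n", size_reordered(), padding_reordered());
    return 0;
}
```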
Additionally, Murex is constantly improving its code and currently modularizing the code base into better-defined components. To achieve this, Murex development teams have used custom queries to identify and remove dependencies across the code base, working towards the target architecture. Semmle's approach allowed Murex to track the progress towards modularization, and to focus their effort on specific areas where needed.
While code quality can have many distinct meanings depending on who you ask, in Murex high-quality code always equals secure and efficient code.
Security is of particular importance to a global company like Murex due to regulatory requirements across different markets. To comply with these, and to eliminate security-related software risk, Murex uses LGTM's security analysis. The analysis runs continuously and provides development teams, and the security team, with feedback on security problems during the development phase. It also forms part of the release gate. Gareth Hurley explains the rationale behind choosing Semmle for security in Murex:
“We needed a robust approach to code security that satisfied the requirements of regulators and clients, while also integrating well with Murex technologies, tooling and practices. What has been really reassuring is that Semmle could adapt to our use cases and take into account our specific code. When we had a trial of Semmle versus its competitors, these competitors could not analyze our specific frameworks and extensions, so obviously all their analyses with control flow would give false positives or miss problems. When Semmle reports a security issue we know that we have to address it. Even where false positives are detected, Semmle work with us to analyse and enhance the relevant queries – whether custom queries or part of the ever-evolving default query-set.”
The Murex Development Standards Team also pays continuous attention to controlling code complexity and its impact on the developers’ feedback loop. The amount of dead code in the code line is one factor that has been monitored. Here, Murex used Semmle’s dead code analyses — extended with domain-specific knowledge — to identify code that can never be executed and was therefore deemed dead, flagging it for removal.
Developer teams at Murex are encouraged to take charge of their code’s quality proactively. They take this responsibility very seriously, relying on Semmle’s analyses from the inception of a new project to continuously maintain good quality and suggesting refinements to the analyses inspired by their daily work. Gareth Hurley on the approach to code quality:
“Internal teams are using Semmle both for security and to continuously maintain great quality. For example, many are measuring the complexity of code on a day-to-day basis. Semmle’s flexibility allowed an extremely high degree of precision — something that was not addressed by other systems we tried, which therefore failed to have a big impact on what is being delivered by individual teams.”
Murex has worked towards a culture of software development excellence, led by the Development Standards Team. At the core of this culture is the acknowledgement across the company that developers must take responsibility for their code and contributions and be empowered to do so. Semmle is key in this aspect:
“At the very beginning when we licensed Semmle it was really for the developers to be able to do things themselves - to be able to assess the quality and find refactoring opportunities. Importantly, Semmle can integrate with our existing software development lifecycle & tooling. This makes roll-out of the tool to agile teams easier to achieve, while the queries & alerts help to define a measurable ‘definition of done’. In addition, Semmle has helped senior development managers to visualize and measure code & security risks at a global level – e.g. to drive large-scale refactorings and to see the global impact of the local changes.”
The development teams can request custom queries that are context-specific to the code they are working on, simply to make daily work more efficient, and these are provided to them by the Development Standards Team within Murex.
“Queries can be customized to teams’ specific use cases. This allowed teams to identify code conventions and standards specific to their components and to develop specific queries to enforce these standards over time.”
Once the context-specific queries have been created for the teams, the teams first address the issues identified by the queries and then integrate the queries into their ongoing analyses to prevent similar issues from being introduced in the future.
“Semmle has been used by teams to ensure the sustainable quality of their code and it has helped developers adopt a strategy for refactoring legacy code into more modular code. That’s the way we imagined it at the beginning, it is what we have today, and it’s the way that we would like it to be in the future.”