Semmle at Murex: Securing and modernizing the world's leading capital markets platform
QL and LGTM
As the provider of the world’s leading capital markets platform, Murex relies on Semmle to secure its product, sustain a flexible architecture, and establish a culture of development excellence.
Semmle is a key lever in transforming the Murex platform and in enabling us to continuously deliver the best products to our customers. The ability of Semmle to take our specific code into consideration is mission critical for us, and Semmle was better positioned than its competitors to achieve this.
As the provider of the world’s leading enterprise capital markets platform, Murex - the second largest independent software provider in France - has exceptionally high standards when it comes to delivering high-performing code. With Murex’s financial services software in daily use by over 45,000 users at customers in 66 countries across all major geographic regions, a flexible architecture and development excellence are critical to the company's mission. However, the product has grown over many years to cover a wide and rich functional scope: it comprises many millions of lines of code built on many technologies, with deeply integrated dependencies, so Murex must act proactively to meet its goals. A key factor in doing so is the use of Semmle. Teams and management at Murex classify their use of Semmle in three areas:
Each of these delivers benefits to Murex that align with the strategic objectives of the company.
Since Murex became a Semmle customer in 2009, it has used Semmle for strategic transformations of the Murex platform. Such transformations are owned and mandated centrally in the organization but executed by each of the many development teams. Murex continuously leverages the flexibility provided by Semmle's query technology to create analyses that are highly specific to the Murex code, as well as the particular transformations they are working towards. Xavier René-Corail explains:
“Semmle has helped us with some really specific requests, for example in-house frameworks that are an integral part of our platform. Semmle’s expertise is perfectly positioned to create and support dedicated analysis for such a specific technology.”
The quality and accuracy of the results are essential to management and developers at Murex.
“We rely on the results of these queries every day. Murex has several languages, specific frameworks and other complicating factors. Without customizable queries, we would have drowned in false positives. Being able to customize everything ourselves to our specific cases has been crucial.”
In recent years, Murex has upgraded their core platform from running on 32-bit to 64-bit architectures. It was discovered early on that the move would significantly increase the memory required to run the software, due to changes in struct padding. Murex engaged with Semmle to create padding analyses that enabled teams to optimize the memory layout on the new 64-bit architecture across the codeline. This resulted in a net reduction of 20% of the memory consumption, benchmarked against the pre-upgrade baseline.
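The padding effect described above, as an added example that is not Murex code or a Semmle query: the record type and field names are constructed for illustration. On ILP32 targets a pointer is 4 bytes and needs no padding after a 4-byte field, but on LP64 targets pointers are 8 bytes and 8-byte aligned, so a field order that was compact on 32-bit can grow considerably on 64-bit. Sorting fields by decreasing alignment, which is what a padding analysis flags, removes that growth.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed record, not Murex code: the field order was harmless on a
 * 32-bit build but leaves 17 bytes of padding per record on x86-64. */
struct trade_unordered {
    char     side;   /* 1 byte, then 7 bytes of padding before the 8-aligned pointer */
    double  *price;  /* 8 bytes on LP64 */
    int32_t  qty;    /* 4 bytes, then 4 bytes of padding before the next pointer */
    char    *book;   /* 8 bytes on LP64 */
    int16_t  venue;  /* 2 bytes, then 6 bytes of tail padding to reach 8-byte alignment */
};

/* Same fields, ordered by decreasing alignment: only 1 byte of tail padding. */
struct trade_ordered {
    double  *price;
    char    *book;
    int32_t  qty;
    int16_t  venue;
    char     side;
};

/* Sum of the member sizes, identical for both layouts. */
static size_t member_bytes(void) {
    return sizeof(char) + sizeof(double *) + sizeof(int32_t)
         + sizeof(char *) + sizeof(int16_t);
}

/* Padding bytes hidden in each layout: declared size minus member bytes. */
size_t padding_unordered(void) { return sizeof(struct trade_unordered) - member_bytes(); }
size_t padding_ordered(void)   { return sizeof(struct trade_ordered)   - member_bytes(); }

/* Memory saved by the reordering for an array of n records. */
size_t bytes_saved(size_t n) {
    return n * (sizeof(struct trade_unordered) - sizeof(struct trade_ordered));
}
```

On x86-64 the unordered layout is 40 bytes and the ordered one 24, a 40% reduction for this record; on a 32-bit build the same structs are 20 and 16 bytes, which is why the cost only became visible after the upgrade.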
Additionally, Murex is constantly improving its code and currently modularizing the code base into better-defined components. To achieve this, the Murex development teams use custom queries to identify and remove dependencies across the code base, working towards the target architecture. Semmle's approach allows Murex to track the progress towards modularization, and to focus effort on specific areas where needed.
While code quality can have many distinct meanings depending on who you ask, at Murex high-quality code always means secure and efficient code.
Security is of particular importance to a global company like Murex due to regulatory requirements across different markets. To comply with these, and to eliminate security-related software risk, Murex uses Semmle's security analysis. The analysis runs continuously and provides development teams, and the security team, with feedback on security problems during the development phase. It also forms part of the release gate. Xavier René-Corail explains the rationale behind choosing Semmle for security in Murex:
“We were under pressure from regulators, and we had to satisfy them. Here, honestly what has been really reassuring is that Semmle could adapt to our use cases, and take into account our specific code. I remember when we had a trial of Semmle versus its competitors, and these competitors could not analyze our specific frameworks and extensions, so obviously all their analyses with control flow would give false positives or miss problems. When Semmle reports a security issue we know that we have to address it.”
The Murex Development Standards Team also pays continuous attention to controlling code complexity and its impact on the developers’ feedback loop. The amount of dead code in the codeline is one factor that is monitored. Here, Murex uses Semmle’s dead code analyses — extended with domain-specific knowledge — to identify code that can never be executed and is therefore deemed dead, flagging it for removal.
Developer teams at Murex are encouraged to take charge of their code’s quality proactively. They take this responsibility very seriously, relying on Semmle’s analyses from the inception of a new project to continuously maintain good quality and suggesting refinements to the analyses inspired by their daily work. Xavier René-Corail on the approach to code quality:
“Internal teams are using Semmle both for security and to continuously maintain great quality. For example, many are measuring the complexity of code on a day-to-day basis. Semmle’s flexibility allowed an extremely high degree of precision — something that was not addressed by other systems we tried, which therefore failed to have a big impact on what is being delivered by individual teams.”
Murex has worked towards a culture of software development excellence, led by Xavier René-Corail. At the core of this culture is the acknowledgement across the company that developers must take responsibility for their code and their contributions, and be empowered to do so. Semmle is key in this respect:
“At the very beginning when we licensed Semmle it was really for the developers to be able to do things themselves. To be able to assess the quality and find refactoring opportunities. Of course we discovered other uses, such as being able to drive massive refactoring.”
The development teams can request custom queries that are context-specific to the code they are working on, simply to make daily work more efficient, and these are provided to them by a Development Standards Team within Murex.
“Queries are customized to each team’s specific use cases. Teams are repeat customers for custom queries, in fact the requests exceed our capacity to provide them. I can’t wait to give teams the ability to write their own queries on the fly and see what’s happening.”
Once the context-specific queries have been created for the teams, the teams first address the issues identified by the queries, and then integrate the queries into their ongoing analyses to prevent similar issues from being introduced in the future.
“Semmle is widely used by teams to ensure the sustainable quality of their code and it helps developers adopt a strategy for refactoring legacy code into more modular code. That’s the way we imagined it at the beginning, it is what we have today, and it’s the way that I would like it to be in the future.”