Security at Semmle
Semmle believes security is a shared responsibility. Our mission is to secure all software by bringing the security and development communities together.
Nowhere is this more important than with open source software. Every company developing software today is critically dependent on the security of the open source software underpinning their applications. Checking for dependencies and known vulnerabilities is a good start, but it’s not enough. As a community, we must work together to identify the critical vulnerabilities yet to be discovered and openly share our security expertise.
Securing open source software requires a shift in the open source community. Only the largest organizations in the world have the necessary resources to secure their underlying components, and most of this security research is not shared with the wider community, leading to a duplication of effort. Sharing our collective security expertise is imperative if we are to succeed in securing open source software.
Making security expertise shareable is central to the Semmle mission. Our security analyses are publicly available in our open source CodeQL repository. Each CodeQL query represents a piece of security knowledge — codified, readable, and executable — ready to be applied to any number of projects. To date, over 1600 queries have been contributed by Semmle and our customers and partners in the fight to secure open source.
All open source developers and maintainers can access these security analyses for free via LGTM.com or the Semmle CodeQL plugin for Eclipse. We encourage anyone with an interest in securing open source software to analyze their project, iterate on and improve our existing queries, and openly share their security expertise.
The Semmle Security Research Team works closely with our customers and the open source community to find and report vulnerabilities in widely-used software. Our team explores codebases to find CVEs using the latest technologies available, and we share our findings openly. These findings are used to constantly extend and refine the Semmle query library, which immediately aids in securing the software of both the open source community and our enterprise customers.
Man Yue Mo (front) and Kevin Backhouse (back) from the Semmle Security Research team.
Our team regularly discovers and reports new zero-day vulnerabilities — see the complete CVE list disclosed by the Semmle Security Research Team. To improve software security while minimizing risk to users of vulnerable projects, we take great care to disclose such information responsibly. Such coordinated disclosure requires a careful balance: project developers need time to patch vulnerabilities and warn their users, while waiting too long to publicly announce a security vulnerability increases the risk of an attacker exploiting it before users can protect themselves. See our disclosure policy for more details.
In addition to their expert skills, experience, and effort, the Semmle Security Research Team uses the latest technologies to explore codebases and quickly find new attack vectors. Central to their research is Semmle CodeQL, which allows them to perform variant analysis by codifying the vulnerabilities they have found in one codebase and searching for the same vulnerability in many others. Queries that have wide applicability are merged into the public CodeQL repository, allowing other security researchers and open-source developers to perform and improve variant analysis on their own codebases.
Sample CodeQL query, which was used to find a remote code execution vulnerability in Apache Struts. Read more on the LGTM blog.
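The query below is an added illustration by this page's editor, not the Struts query referred to above and not a query taken from the CodeQL repository. It shows the shape a variant-analysis query takes: the vulnerability class is written down once as "untrusted input reaches a dangerous sink", and the same query can then be run over any number of Java codebases. It uses CodeQL's Java taint-tracking library as it existed when this page was written (the `TaintTracking::Configuration` class; newer CodeQL releases replaced this with parameterised modules, and renamed `MethodAccess` to `MethodCall`). The class name `CommandInjectionVariant`, the `@id`, and the choice of `Runtime.exec` and `ProcessBuilder` as sinks are the editor's own assumptions; the sources come from the library's `RemoteFlowSource` class.

```ql
/**
 * @name Untrusted input reaches an OS command (added example)
 * @description A value that came from a remote request is used, possibly after
 *              string manipulation, as the command passed to Runtime.exec or
 *              to a ProcessBuilder. Editor's example, not a library query.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/command-injection-variant
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph

/**
 * Codifies the vulnerability class once. Running this configuration over
 * another database is the "variant analysis" the text describes: the same
 * source/sink definition, a different codebase.
 */
class CommandInjectionVariant extends TaintTracking::Configuration {
  CommandInjectionVariant() { this = "CommandInjectionVariant" }

  // Sources: anything the library already knows arrives from a remote client
  // (servlet parameters, request bodies, headers, ...).
  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  // Sinks: the command argument of java.lang.Runtime.exec(...) and every
  // argument of a java.lang.ProcessBuilder constructor. Adding a second sink
  // here is how a query is widened to catch further variants.
  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma |
      ma.getMethod().hasQualifiedName("java.lang", "Runtime", "exec") and
      sink.asExpr() = ma.getArgument(0)
    )
    or
    exists(ClassInstanceExpr cie |
      cie.getConstructedType().hasQualifiedName("java.lang", "ProcessBuilder") and
      sink.asExpr() = cie.getAnArgument()
    )
  }
}

// Report each source-to-sink path so the reviewer can see how the value
// travelled, not just where it ended up.
from CommandInjectionVariant cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "This command depends on $@.", source.getNode(), "a user-provided value"
```

Because `isSource` and `isSink` are the only project-independent facts in the query, refining either (for example, adding a sink discovered during one audit) immediately improves the results on every codebase the query is run against, which is the point of sharing such queries in a common repository.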
In addition to disclosing CVEs, members of the Semmle Security Research Team regularly publish CVE Proof of Concept videos to demonstrate our findings, for example:
We also share insights via technical deep dives on our findings:
If you share our passion for security and vulnerability research, join the Semmle Security Research Team.