Adam Berman (@adamberman_13)'s Twitter Profile
Adam Berman

@adamberman_13

Ultimate Frisbee, SF sports, and sometimes security/technical leadership. Eng director @ semgrep.dev

ID: 253414612

Joined: 17-02-2011 05:41:47

46 Tweets

187 Followers

413 Following

Semgrep (@semgrep):

🆕 The full power of Semgrep is now available in GitLab! 🤝 Our collab with 🦊 GitLab makes Semgrep the GitLab SAST analyzer for JS/TS and Python (& more coming)! ➕ Discuss findings in merge requests, access the rule registry, and add custom rules. 👉 r2c.dev/blog/2021/intr…

Adam Berman (@adamberman_13):

I am SO proud of all of the work our team has put into bringing Semgrep Supply Chain to life. It has been an amazing experience building this product, working with our incredibly talented team and amazing early customers. PS We're hiring :)

Clint Gibler (@clintgibler):

Oh hey - my colleagues at Semgrep just launched: 🚨 Semgrep Supply Chain 🚨 It makes it easy to flag only vulnerable dependencies whose vulnerable methods are *actually called* in your code, reducing noise by 98%-ish. Learn more 👇 semgrep.dev/products/semgr…

Daniel Cuthbert (@dcuthbert):

Travis McPeak, Jim Manico from Manicode Security: What Semgrep is doing, that I really like, is looking at whether the lib is reachable. The idea is that by using Semgrep to scan too, as well as understanding sources, sinks and data flow, we are better armed to make the decision of whether it is exploitable.

Semgrep (@semgrep):

We’ve saved the best for last! Don’t miss Adam Berman's “When is a vulnerability, not a vulnerability? Overcoming the inundation of noisy security alerts” in 1 hour sched.co/1JrCj

Clint Gibler (@clintgibler):

✅ The solution: Reachability Analysis

This goes beyond traditional SCA to only flag when you have a dependency at a vulnerable version AND you're using the vulnerable code

➡️ Drastically reduces alerts in practice

For operationalizing this approach, ping Adam Berman

Daniel Cuthbert (@dcuthbert):

Anyway, now that we know everything about the vuln, we can act upon it or not, if we aren't using that functionality. I've already waxed lyrical about how Semgrep are approaching this with their semgrep.dev/products/semgr… and I think this is a game changer

Leif Dreizler (@leifdreizler):

I just published my yearly blog! It's about preparing for performance reviews and tracking career growth year round 📈 leif.substack.com/p/consistently…