BSidesSF 2022

Event locked in Sched to limit confusion; see registration to determine current session availability.
Registration at https://bsidessf.regfox.com/2022 REQUIRED (cannot be reserved with Sched)


Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up.

This workshop will be a hands-on masterclass of using Semgrep (https://github.com/returntocorp/semgrep), an open source, lightweight static analysis tool, to do just that.

We’ll cover:
* How to use Semgrep to start getting security coverage of all of your repos continuously in CI in minutes
* Best practices in rolling out continuous code scanning -- what to focus on, what to ignore, and how to maintain good working relationships with development teams
* How to use this scanning to enforce secure defaults across your org
* How to write custom Semgrep rules -- find anti-patterns and enforce security best practices unique to your organization
* Advanced mode: We’ll also show how Semgrep can be used like a Swiss army knife for a variety of purposes -- alerting you whenever a new route is added (new attack surface), when new dependencies are added or Dockerfiles are modified (detect potential supply chain risk), or when generally sensitive files are modified, such as core authorization logic or secret management

You’ll leave this workshop with knowledge and skills you can immediately put into practice. For internal security engineers, you’ll have new capabilities for scaling your company’s security. For pen testers and offense-focused security professionals, we’ll up your bug finding game to a new level.

Prerequisites:
* You should be familiar reading and writing code in at least one programming language
* Bring a laptop with a web browser, IDE, git, and the ability to install CLI tools
* Familiarity with common vulnerability classes (e.g. OWASP 10 top) will be helpful but is not required