The sad reality of the software security industry is that it is much easier to attack a system than to protect it. Hackers only need to find one vulnerability to succeed, while software developers need to protect their code against all possible attacks.
The asymmetry means that when a solo programmer unwittingly creates a popular application, it quickly becomes a vulnerable fish in an ocean of threats. Large enterprises have software security teams, but they have earned a reputation among developers for slowing deployments as they scrutinize lines of code to protect against attacks.
Now startup r2c is looking to make securing software a more seamless experience with an open-source tool for code review. The same way Grammarly finds grammatical errors or opportunities for improvement in essays and emails, r2c’s tool, called Semgrep, scans lines of code to find thousands of potential bugs and vulnerabilities.
At the heart of Semgrep is a database of over 1,500 predefined rules that security professionals can integrate into their code analyses. If they don’t see the one they want, they can write their own rules using r2c’s intuitive interface and add it to the database for others.
“If you know how to program in a language, now you can write rules and extend Semgrep, and that’s where you basically democratize this area that was only available to people with highly specialized skills,” says Luke O’ Malley, product manager at r2c. ’14, who co-founded the company with Isaac Evans ’13, SM ’15 and Drew Dennison ’13. “Now that anyone can write a rule, you can tap into the expert knowledge of people in their field. This is the big breakthrough. Semgrep is an open source project made by developers, for developers.
In addition to simplifying the process of implementing code standards, r2c has fostered a community of security professionals who can share ideas and brainstorm solutions to the latest threats. This support ecosystem has proven crucial in a rapidly changing industry in which security professionals can wake up any morning and read about new vulnerabilities exposed by hacks at some of the biggest tech companies on the planet.
“It can be frustrating that computers are so insecure even though they’re 40 or 50 years old,” says Dennison. “I like to remember automobiles. Sixty years in the automotive world, we still didn’t have seat belts or airbags. It was really when we started measuring safety and setting standards that the industry improved. Now your car has all kinds of fancy safety features. We would like to do the same for software.
learn to hack
As undergraduates at MIT, Evans, O’Malley and Dennison lived side by side in Simmons Hall. The three electrical engineering and computer science students soon began working together in various campus programs and side projects. During the freelance period of 2011, they landed a contract to help military personnel in the army use apps on Android phones more securely.
“It really cemented our roles because Drew was the technical director of the project, Isaac was CEO, and I was working on the products, and those were the roles we fell into with r2c,” says O’Malley. “It wasn’t officially a company, but we gave ourselves a name and treated it like we were a startup.”
The three founders also participated in the Gordon-MIT Engineering Leadership (GEL) program.
“GEL really helped me think about how a team works together, how you communicate and how you listen,” says Dennison. “It also gave me people to look up to. Joel Schindall [MIT’s Bernard M. Gordon Professor in Product Engineering] was a great mentor. I asked him if we should turn the military into a startup, and his advice was sound. He said, ‘Go and make mistakes at somebody else’s expense for a few years. There is plenty of time.'”
Heeding this advice, the founders went their separate ways after graduation, joining different companies but always keeping their fruitful collaborations in mind.
In 2016, the founders started exploring opportunities in software security. At MIT, Evans had written his master’s thesis on advanced software security techniques, but the founders wanted to create something that could be used by people without that deep technical knowledge.
The founders explored several different projects related to scanning code before an internal hackathon in 2019, when a colleague showed them an old open source project he had worked on at Facebook to help scan the code. They decided to skip the hackathon to revive the project.
The founders set out to expand the tool by making it compatible with more languages, and depth by allowing it to understand code at higher levels. Their goal was to make Semgrep fit seamlessly into existing security workflows.
Before new code is deployed by a company, it is usually reviewed by the security team (although the founders claim that security experts outnumber developers at many companies by 100 times). With Semgrep, the security team can implement rules or checks that automatically run on code to flag potential issues. Semgrep can integrate with Slack and other common programs to deliver the results. It works today with more than 25 coding languages related to mobile, back-end, front-end and web development coding.
In addition to the rule database, r2c offers services to help companies get the most out of the bug finder by ensuring that each code base is scanned for the right things without causing unnecessary delays.
“Semgrep is changing the way software can be written, so suddenly you can go fast and be secure, which just wasn’t possible for most teams before,” O’Malley says.
A network effect
When a major vulnerability to a widely used software framework known as Log4Shell was recently revealed, r2c’s Slack community channel came to life.
“Everyone was like, ‘Okay, here’s a new threat, what are we doing to detect it?’ recalls O’Malley. “They quickly said, ‘Here’s the A, B, C variant for everyone.’ This is the power to democratize rule writing.
The founders are constantly surprised by where Semgrep is used. Large customers include companies like Slack, Dropbox, and Snowflake. The Department of Interior of a large state government recently informed them of an important project for which they were using Semgrep.
As Semgrep’s popularity continues to grow, the founders believe they will be able to expand their analytics to give developers instant insight into the security of their codebases.
“The broader security industry doesn’t have a ton of metrics on our performance,” Dennison says. “It is difficult to answer questions such as are we improving? Is our software improving? Are we advancing against the attackers? So how do we get to a point where we can give you a code quality score? Then suddenly you simplify software security.