An Open-Source Tool for Software Security

The startup r2c helps security professionals scan codebases and identify security vulnerabilities in their software. Pictured are the founders, left to right: Luke O’Malley ’14; Isaac Evans ’13, SM ’15; and Drew Dennison ’13. Credit: Courtesy of r2c, edited by MIT News

At the heart of Semgrep is a database of more than 1,500 prewritten rules that security professionals can incorporate into their code scans. If they don’t see one they want, they can write their own rules using r2c’s intuitive interface and add it to the database for others.

“If you know how to program in a language, you can now write rules and extend Semgrep, and that’s where you basically democratize this field that has only been accessible to people with highly specialized skills,” says r2c Head of Product Luke O’Malley ’14, who co-founded the company with Isaac Evans ’13, SM ’15 and Drew Dennison ’13. “Now that anyone can write a rule, you can tap into people’s specialized knowledge of their fields. That’s the big breakthrough. Semgrep is an open-source project that’s by developers, for developers.”

In addition to simplifying the process of implementing code standards, r2c has fostered a community of security professionals who can share ideas and brainstorm solutions to the latest threats. That support ecosystem has proven crucial in a rapidly evolving industry in which security professionals may wake up on any given morning and read about new vulnerabilities exposed by hacks to some of the biggest tech companies on the planet.

“It can be frustrating to see that computers are so insecure even though they’re 40 or 50 years old,” Dennison says. “I like to remind myself of automobiles. Sixty years into the automotive world we still didn’t have seat belts or airbags. It was really when we started measuring safety and having standards that the industry improved. Now your car has all kinds of fancy safety features. We’d love to do the same thing for software.”

Learning to hack

As undergraduates at MIT, Evans, O’Malley and Dennison lived next to each other in Simmons Hall. The three electrical engineering and computer science students soon began hacking together in various campus programs and side projects. Over the Independent Activities Period of 2011, they landed a contract to help military personnel in the Army use apps on Android phones more securely.

“That really cemented our roles because Drew played CTO of the project, Isaac was CEO, and I was doing product work, and those are the roles we fell into with r2c,” O’Malley says. “It wasn’t officially a company, but we gave ourselves a name and treated it like we were a startup.”

All three founders also took part in the Gordon-MIT Engineering Leadership (GEL) Program.

“GEL really helped me think about how a team works together, and how you communicate and listen,” Dennison says. “It also gave me people to look up to. Joel Schindall [MIT’s Bernard M. Gordon Professor in Product Engineering] was an excellent mentor. I asked him if we really should turn the Army project into a startup, and his advice was sound. He said, ‘Go make mistakes on someone else’s dime for a few years. There’s plenty of time.’”

Heeding that advice, the founders went their separate ways after graduation, joining different companies but always keeping their successful collaborations in the back of their minds.

In 2016, the founders began exploring opportunities in the software security space. At MIT, Evans had written his master’s thesis on advanced software security techniques, but the founders wanted to build something that could be used by people without that deep technical knowledge.

The founders explored several different projects related to scanning code before an internal hackathon in 2019, when a colleague showed them an old open-source project he’d worked on while at Facebook to help analyze code. They decided to spend the hackathon reviving the project.

The founders set out to add breadth to the software by making it compatible with more languages, and depth by enabling it to understand code at higher levels. Their goal was to make Semgrep fit seamlessly into existing security workflows.

Before new code is deployed by a company, it typically gets reviewed by the security team (though the founders say security experts are outnumbered 100 to one by developers at many companies). With Semgrep, the security team can apply rules or checks that run automatically on the code to flag potential problems. Semgrep can integrate with Slack and other common tools to deliver the results. It currently works with about 25 programming languages spanning mobile, back end, front end, and web development.

On top of the rules database, r2c offers services to help companies get the most out of the bug-finding engine by making sure each codebase is scanned for the right things without causing unnecessary delays.

“Semgrep is changing the way that software can be written, so all of a sudden you can go fast and be secure, and that just hasn’t been possible for most teams before,” O’Malley says.

A community effect

When a major vulnerability in a widely used software framework, known as Log4Shell, was disclosed recently, r2c’s community Slack channel came alive.

“Everyone was saying, ‘Okay, here’s a new threat, what are we doing to detect it?’” O’Malley recalls. “They quickly said, ‘Here’s variant A, B, C for everyone.’ That’s the power of democratizing rule writing.”
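To make concrete what the rules the security team applies (and the community-written Log4Shell detections above) look like, here is an added example written for this article, not a rule from r2c’s registry: a Semgrep rule in the tool’s YAML rule format that flags Log4j log calls whose message is built from a non-literal value. The rule id and the Java snippets in the trailing comment are constructed, and the typed-metavariable form `(Type $VAR)` is assumed to be supported for Java as in Semgrep’s pattern syntax.

```yaml
# Constructed example rule (not from r2c's registry). A Semgrep rule is one
# entry under `rules:` with an id, target languages, a severity, a message
# shown to the developer, and the patterns that must all hold for a finding.
rules:
  - id: example-log4j-nonliteral-message   # constructed id
    languages: [java]
    severity: WARNING
    message: >-
      Log4j message built from a non-literal value. During Log4Shell,
      attacker-controlled strings reaching the logger could trigger JNDI
      lookups. Upgrade Log4j to a patched release and avoid passing
      untrusted input directly as the log message.
    patterns:
      # Any call on a Log4j Logger; the typed metavariable limits $LOGGER
      # to that type so unrelated loggers are not flagged.
      - pattern: (org.apache.logging.log4j.Logger $LOGGER).$METHOD($MSG, ...)
      # Only the level methods, not helpers such as $LOGGER.isDebugEnabled().
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(trace|debug|info|warn|error|fatal)$
      # A constant string literal cannot carry a lookup payload;
      # "..." matches any string literal in Semgrep's pattern syntax.
      - pattern-not: (org.apache.logging.log4j.Logger $LOGGER).$METHOD("...", ...)

# Expected behaviour on constructed Java input:
#
#   logger.info("User logged in");               // no finding: literal message
#   logger.info("User {} logged in", user);      // no finding: literal format,
#                                                //   user is only a parameter
#   logger.info("User " + user + " logged in");  // FINDING: concatenated message
#   logger.error(request.getHeader("X-Id"));     // FINDING: message from request
```

Run it with `semgrep --config rule.yml src/` to scan a tree; a developer would typically see such findings surfaced in the pull request or in Slack, as the article describes.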

The founders are constantly surprised by where Semgrep is being used. Large customers include companies like Slack, Dropbox, and Snowflake. The ministry of the interior for a large state government recently messaged them about an important project they were using Semgrep on.

As Semgrep’s popularity continues to grow, the founders believe they will be able to build out their analytics to give developers instant insights into the security of their codebases.

“The broader security industry doesn’t have a lot of metrics about how well we are doing,” Dennison says. “It’s hard to answer questions like: Are we improving? Is our software getting better? Are we making progress against the attackers? So how do we get to a point where we can give you a code quality score? Then suddenly you’re making software security easy.”