
DEF CON 32 CFP Submission

This is the entirety of the CFP submission to DEF CON 32

Abstract

"Supercharge SAST: Semgrep Strategies for Secure Software" is a meticulously designed workshop that introduces participants to Static Application Security Testing (SAST) through the lens of Semgrep, a tool that combines a simple pattern syntax with powerful code analysis.

Before the Training: Attendees are expected to have a basic understanding of programming concepts and syntax in a programming language such as JavaScript, Python, Go, or C#/Java. While familiarity with common security vulnerabilities (e.g., OWASP Top 10) is beneficial, it is not a prerequisite. To ensure a smooth and productive experience, participants should come equipped with a laptop that has administrative access for software installation. A pre-training checklist, including software installation guides (Semgrep and a preferred text editor/IDE), will be provided to all registered attendees to prepare them for the workshop.

What You Will Learn: This workshop is structured to guide attendees from the foundational concepts of SAST and application security to the practical application of Semgrep for identifying and mitigating security risks in codebases. Participants will:

  • Gain an understanding of SAST and its importance in the AppSec ecosystem.
  • Learn to navigate Semgrep’s rule syntax and create custom rules tailored to their specific security needs.
  • Engage in hands-on exercises to apply Semgrep on real-world code snippets and projects, enhancing their learning through practical application.
  • Explore the Semgrep Playground for testing and refining rules in an interactive environment.
  • Delve into advanced Semgrep features and techniques for a comprehensive security strategy.
  • Understand how Semgrep findings can be leveraged for LLM-based code analysis, taking code security to the next level.

Technical Level and Tools Used: This workshop is tailored for beginner to intermediate skill levels, focusing on practical, actionable insights that participants can immediately apply to their projects. The primary tool used will be Semgrep, supplemented by the Semgrep Playground for online rule testing. Instructions for installing necessary software and accessing online resources will be provided ahead of the workshop.