The next-generation static application security testing tools

Hey folks, 👋

Here we go for a comparison between two mind-blowing static application security testing engines 🔥 please welcome CodeQL and Semgrep. 🔥

Note that, for CodeQL, the analysis refers to the tool following its acquisition by GitHub.

These tools are amazing and hit the static analysis tools market like a meteorite. 🦕

Continuous security and developer-first integration

For both, orchestration and automation are a pleasure to build. They have GitHub Actions (1, 2) and local binaries to integrate into workflows (3, 4).

Summary of facts

  • Semgrep delivers instant feedback ⚡, whereas CodeQL is asynchronous.

Run application security testing at scale and investigate the loot.

Security testing refers to the capability to detect well-known vulnerabilities and weaknesses in software applications and infrastructure by running a set of non-deterministic security test cases. Note that maintaining such a capability faces a few scalability challenges, namely to

  • secure wide and growing scopes of assets
  • maintain scanning tools and their detection rates
  • keep up with technology stacks where products are built, and
  • collaborate with different engineering cultures.

To succeed, an organization willing to enhance its cybersecurity posture should adopt a holistic approach based on automation, data processing, and crowd-sourced security. That’s how we came to build an application security operations center to

Security regression testing is the final piece of a successful vulnerability remediation workflow.

Update August 2, 2020:

Projectdiscovery releases authentication capability.

Among the projects to be achieved by an application security engineer, security regression testing is a continuous security testing workflow to ensure that well-known and fixed vulnerabilities remain resolved after code changes. If a security hole re-emerges, that is called a security regression, and since regression test suites tend to grow with each new issue, automation is mandatory.

To achieve our goal, we want to leverage an awesome project named Nuclei, a web application security scanner based on a highly customizable template-engine offering efficient template writing and…

Automate open-source dependency policy with Dependabot to watch and mitigate security issues in open-source dependencies.

GitHub starts to demonstrate its vision of cybersecurity by integrating tons of security features on its platform. As an application security engineer, I’m excited to work closely with software developers and manage security policies across code base repositories.

About GitHub Dependabot security updates

Dependabot is a bot that watches for security vulnerabilities in open-source dependencies (disclosed via the WhiteSource Vulnerability Database) and programmatically enforces a security policy to keep dependencies up to date. Combined with Actions, it offers powerful automation to maintain vulnerability-free dependencies in real time.

A look at opportunities to make money with crowd-sourced and community-based cybersecurity.

Ethical hacking is an incredible activity to make quick bucks. At the cutting edge of new forms of work, cybersecurity activities provide, for some of us, flexibility of work but less guarantee of a payout. If you’re a talented genius, it could be a game-changer and the path to a success story.

1. Report vulnerabilities on bug bounty programs 🐝
Farming bug bounty programs is the trending way to make big money.
Lots of wealthy programs are paying hundreds of dollars for low-hanging fruits and the industry meets mass-adoption across the globe.

Beginners could easily onboard on bug bounty platforms…

Toufik Airane

Product, Cloud and Application Security Engineer | Building Privacy and Security Features for Applications as a Service. ☂️
