An Open-Source Resource for Software Security


The startup r2c helps security professionals scan codebases and identify security vulnerabilities in their software. Pictured are the founders, left to right: Luke O’Malley ’14; Isaac Evans ’13, SM ’15; and Drew Dennison ’13. Credit: Courtesy of r2c, edited by MIT News

At the heart of Semgrep is a database of more than 1,500 prewritten rules that security professionals can incorporate into their code scans. If they don’t see one they want, they can write their own rules using r2c’s intuitive interface and add it to the database for others.
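To make the "write your own rule" idea concrete, here is an added example of what a Semgrep rule looks like; it is not one of r2c's registry rules, and the rule id, message text and the sample target sketched in the trailing comments are constructed for illustration. The rule uses Semgrep's metavariables (`$CMD`, `$FUNC`), the `...` ellipsis, and `pattern-not` to flag shell commands assembled at runtime while leaving fixed string literals alone:

```yaml
# Added example rule (not from r2c's registry); the rule id, message and
# sample target below are constructed for illustration.
rules:
  - id: shell-command-built-at-runtime
    languages: [python]
    severity: WARNING
    message: >-
      $CMD is handed to a shell. If any part of it is derived from untrusted
      input, this is an OS command injection risk (CWE-78). Pass an argument
      list with shell=False instead.
    patterns:
      # Match subprocess.<any function>(cmd, ..., shell=True, ...) or os.system(cmd).
      - pattern-either:
          - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
          - pattern: os.system($CMD)
      # "..." matches a plain string literal: exclude commands that are fully
      # fixed at write time, so only runtime-built commands are reported.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
      - pattern-not: os.system("...")
    metadata:
      category: security
      cwe: CWE-78

# Constructed target file (save as shell-command-built-at-runtime.py beside
# the rule) showing what the rule flags and what it leaves alone:
#
#   import os, subprocess
#   # ruleid: shell-command-built-at-runtime
#   subprocess.run("ping -c 1 " + host, shell=True)
#   # ruleid: shell-command-built-at-runtime
#   os.system("tar czf " + archive + " " + path)
#   # ok: shell-command-built-at-runtime
#   subprocess.run("ls -l", shell=True)
#   # ok: shell-command-built-at-runtime
#   subprocess.run(["ping", "-c", "1", host])
```

Run it against a codebase with `semgrep --config shell-command-built-at-runtime.yml src/`. The `# ruleid:` and `# ok:` comments in the target follow Semgrep's rule-testing convention: with the rule and the target file sharing a name stem, `semgrep --test --config shell-command-built-at-runtime.yml .` checks that exactly the annotated lines are reported, which is how a rule contributed to a shared database can be kept honest as the rule and the code it targets evolve.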

“If you know how to program in a language, you can now write rules and extend Semgrep, and that’s where you basically democratize this field that has only been accessible to people with highly specialized skills,” says r2c Head of Product Luke O’Malley ’14, who co-founded the company with Isaac Evans ’13, SM ’15 and Drew Dennison ’13. “Now that anyone can write a rule, you can tap into people’s specialized knowledge of their fields. That’s the big breakthrough. Semgrep is an open-source project that’s by developers, for developers.”

In addition to simplifying the process of implementing code standards, r2c has fostered a community of security professionals who can share ideas and brainstorm solutions to the latest threats. That support ecosystem has proven crucial in a rapidly evolving industry in which security professionals may wake up on any given morning and read about new vulnerabilities exposed by hacks to some of the biggest tech companies on the planet.

“It can be frustrating to see that computers are so insecure even though they’re 40 or 50 years old,” Dennison says. “I like to remind myself of automobiles. Sixty years into the automotive world we still didn’t have seat belts or airbags. It was really when we started measuring safety and having standards that the industry improved. Now your car has all kinds of fancy safety features. We’d love to do the same thing for software.”

Learning to hack

As undergraduates at MIT, Evans, O’Malley and Dennison lived next to each other in Simmons Hall. The three electrical engineering and computer science students soon began hacking together in various campus programs and side projects. Over the Independent Activities Period of 2011, they landed a contract to help military personnel in the Army use apps on Android phones more securely.

“That really cemented our roles because Drew played CTO of the project, Isaac was CEO, and I was doing product work, and those are the roles we fell into with r2c,” O’Malley says. “It wasn’t officially a company, but we gave ourselves a name and treated it like we were a startup.”

All three founders also took part in the Gordon-MIT Engineering Leadership (GEL) Program.

“GEL really helped me think about how a team works together, and how you communicate and listen,” Dennison says. “It also gave me people to look up to. Joel Schindall [MIT’s Bernard M. Gordon Professor in Product Engineering] was a good mentor. I asked him if we should turn the Army project into a startup, and his advice was sound. He said, ‘Go make mistakes on someone else’s dime for a few years. There’s plenty of time.’”

Heeding that advice, the founders went their separate ways after graduation, joining different companies but always keeping their successful collaborations in the back of their minds.

In 2016, the founders began exploring opportunities in the software security space. At MIT, Evans had written his master’s thesis on advanced software security techniques, but the founders wanted to build something that could be used by people without that deep technical knowledge.

The founders explored many different projects related to scanning code before an internal hackathon in 2019, when a colleague showed them an old open-source project he’d worked on while at Facebook to help analyze code. They decided to spend the hackathon reviving the project.

The founders set out to add breadth to the tool by making it compatible with more languages, and depth by enabling it to understand code at higher levels. Their goal was to make Semgrep fit seamlessly into existing security workflows.

Before new code is deployed by a company, it usually gets reviewed by the security team (although the founders say security professionals are outnumbered 100 to 1 by developers at many companies). With Semgrep, the security team can implement rules or checks that run automatically on the code to flag potential problems. Semgrep can integrate with Slack and other common programs to deliver the results. It works with more than 25 programming languages today, spanning mobile, back-end, front-end, and web development.

On top of the rules database, r2c offers services to help companies get the most out of the bug-finding engine by ensuring each codebase is scanned for the right things without creating unnecessary delays.

“Semgrep is changing the way that software can be written, so all of a sudden you can go fast and be secure, and that just hasn’t been possible for most teams before,” O’Malley says.

A community impact

When a major vulnerability in a widely used software framework, known as Log4Shell, was exposed recently, r2c’s community Slack channel came alive.

“Everyone was saying, ‘Okay, here’s a new threat, what are we doing to detect it?’” O’Malley recalls. “They quickly said, ‘Here’s variant A, B, C for everyone.’ That’s the power of democratizing rule writing.”

The founders are regularly surprised by where Semgrep is being used. Large customers include companies like Slack, Dropbox, and Snowflake. The ministry of interior for a large state government recently messaged them about an important project they had been using Semgrep on.

As Semgrep’s popularity continues to grow, the founders believe they will be able to build out their analytics to give developers insights into the security of their codebases instantaneously.

“The broader security industry doesn’t have a lot of metrics about how well we’re doing,” Dennison says. “It’s hard to answer questions like: Are we improving? Is our software getting better? Are we making progress against the attackers? So how do we get to a point where we can give you a code quality score? Then suddenly you’re making software security simple.”