The Boring AppSec Podcast S2E05 - Drew Dennison

The fifth episode of Season 2 is out now! In this episode, we chat with Drew Dennison, Co-Founder and CTO of Semgrep. Before founding the company, Drew was an entrepreneur in residence at Redpoint Ventures, where he incubated Semgrep, and before that he was a forward deployed software engineer at Palantir.

Below are some of the key takeaways from the episode.

Key Takeaways

  • Semgrep is a code security tool focused on custom rules.
  • The importance of understanding user problems in product development.
  • Open source tools can democratize access to security solutions.
  • The evolution of static analysis tools has improved user experience.
  • Insights from the defense sector highlight the asymmetry in cybersecurity.
  • Companies often overlook basic security hygiene in favor of advanced solutions.
  • The modern application stack requires a holistic security approach.
  • 100% code coverage is now achievable with modern tools.
  • Community contributions enhance the effectiveness of open source projects.
  • The architecture of software development has shifted towards microservices.
  • User data doesn't go any deeper than this in our stack.
  • The convergence of static analysis, software composition analysis, and secret scanning is notable.
  • At the technology level, we think of it as all basically the same problem.
  • We always knew we wanted to have an enterprise component for it.
  • We recognized early that LLMs were going to be the future of security.
  • Generative AI can help automate rule writing and prioritization.
  • Contextualization in security is essential for effective rule application.
  • The Semgrep Assistant aims to enhance developer trust and confidence.
  • AI will complement human roles rather than replace them in security.
  • Automation in security processes is crucial, similar to aviation.
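The first takeaway is about custom rules, so here is an added example of what one looks like. This is not a rule from the episode or from Semgrep's own registry; the rule id, message and metadata are my own. It flags Python code that passes a non-literal command to subprocess.call with shell=True, the classic shell-injection shape, while leaving constant commands alone.

```yaml
rules:
  - id: python-subprocess-shell-injection
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.call() with shell=True and a non-literal command lets
      attacker-controlled input reach /bin/sh. Pass an argument list
      and drop shell=True.
    patterns:
      # Match any call with shell=True, whatever the command expression is.
      - pattern: subprocess.call($CMD, shell=True)
      # Suppress the finding when the command is a constant string literal,
      # which cannot carry user input ("..." matches any string literal).
      - pattern-not: subprocess.call("...", shell=True)
    metadata:
      # CWE reference is a label I added; it is not required by Semgrep.
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
```

Save it as, say, shell-injection.yml and run `semgrep --config shell-injection.yml src/`. A line such as `subprocess.call("ls -l " + user_dir, shell=True)` is reported, because the first argument is a concatenation rather than a literal; `subprocess.call("ls -l", shell=True)` is not, because pattern-not removes it; and `subprocess.call(["ls", "-l", user_dir])` never matches in the first place since it has no shell=True. The two patterns together are the whole rule: the point of a custom rule is that the precise shape of "bad" is yours to define, and the carve-out for the safe case is what keeps the rule from drowning developers in noise.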

We hope you tune in and, if you like the episode, please do subscribe!
