The unfortunate reality of the software security industry is that it’s much easier to attack a system than it is to safeguard it. Hackers only need to find one vulnerability to have success, while software developers need to protect their code against all possible attacks.
The asymmetry means that when a solo programmer unwittingly makes a popular app, it quickly becomes a vulnerable fish in an ocean of threats. Larger companies have software security teams, but they’ve developed a reputation among developers for slowing down deployments as they painstakingly review lines of code to safeguard against attacks.
Now the startup r2c is seeking to make securing software a more seamless experience with an open-source tool for proofreading code. In the same way that Grammarly finds grammatical errors or opportunities for improvement in essays and emails, r2c’s tool, called Semgrep, parses lines of code to check for thousands of potential bugs and vulnerabilities.
At the heart of Semgrep is a database of more than 1,500 prewritten rules that security professionals can incorporate into their code scans. If they don’t see one they want, they can write their own rules using r2c’s intuitive interface and add it to the database for others.
“If you know how to program in a language, you can now write rules and extend Semgrep, and that’s where you basically democratize this field that has only been accessible to people with highly specialized skills,” says r2c Head of Product Luke O’Malley ’14, who co-founded the company with Isaac Evans ’13, SM ’15 and Drew Dennison ’13. “Now that anyone can write a rule, you can tap into people’s specialized knowledge of their fields. That’s the big breakthrough. Semgrep is an open-source project that’s by developers, for developers.”
In addition to simplifying the process of implementing code standards, r2c has fostered a community of security professionals who can share ideas and brainstorm solutions to the latest threats. That support ecosystem has proven crucial in a rapidly evolving industry in which security professionals may wake up on any given morning and read about new vulnerabilities exposed by hacks to some of the biggest tech companies on the planet.
“It can be frustrating to see that computers are so insecure even though they’re 40 or 50 years old,” Dennison says. “I like to remind myself of automobiles. Sixty years into the automotive world we still didn’t have seat belts or airbags. It was really when we started measuring safety and having standards that the industry improved. Now your car has all kinds of fancy safety features. We’d love to do the same thing for software.”
Learning to hack
As undergraduates at MIT, Evans, O’Malley and Dennison lived next to each other in Simmons Hall. The three electrical engineering and computer science students soon began hacking together in various campus programs and side projects. Over the Independent Activities Period of 2011, they landed a contract to help military personnel in the Army use apps on Android phones more securely.
“That really cemented our roles because Drew played CTO of the project, Isaac was CEO, and I was doing product work, and those are the roles we fell into with r2c,” O’Malley says. “It wasn’t officially a company, but we gave ourselves a name and treated it like we were a startup.”
All three founders also took part in the Gordon-MIT Engineering Leadership (GEL) Program.
“GEL really helped me think about how a team works together, and how you communicate and listen,” Dennison says. “It also gave me people to look up to. Joel Schindall [MIT’s Bernard M. Gordon Professor in Product Engineering] was a great mentor. I asked him if we should turn the Army thing into a startup, and his advice was sound. He said, ‘Go make mistakes on someone else’s dime for a few years. There’s plenty of time.’”
Heeding that advice, the founders went their separate ways after graduation, joining different companies but always keeping their successful collaborations in the back of their minds.
In 2016, the founders began exploring opportunities in the software security space. At MIT, Evans had written his master’s thesis on advanced software security techniques, but the founders wanted to build something that could be used by people without that deep technical knowledge.
The founders explored several different projects relating to scanning code before an internal hackathon in 2019, when a colleague showed them an old open-source project he’d worked on while at Facebook to help analyze code. They decided to spend the hackathon reviving the project.
The founders set out to add breadth to the tool by making it compatible with more languages, and depth by enabling it to understand code at higher levels. Their goal was to make Semgrep fit seamlessly into existing security workflows.
Before new code is deployed by a company, it typically gets reviewed by the security team (although the founders say security experts are outnumbered 100 to one by developers at many companies). With Semgrep, the security team can implement rules or checks that run automatically on the code to flag potential issues. Semgrep can integrate with Slack and other common programs to deliver the results. It works with over 25 coding languages today relating to mobile, back end, front end, and web development coding.
On top of the rules database, r2c offers services to help companies get the most out of the bug-finding engine by ensuring every codebase is scanned for the right things without causing unnecessary delays.
“Semgrep is changing the way that software can be written, so suddenly you can go fast and be secure, and that just hasn’t been possible for most teams before,” O’Malley says.
A network effect
When a major vulnerability to a widely used software framework known as Log4Shell was exposed recently, r2c’s community Slack channel came alive.
“Everyone was saying, ‘Okay, here’s a new threat, what are we doing to detect it?’” O’Malley recalls. “They quickly said, ‘Here’s variant A, B, C for everyone.’ That’s the power of democratizing rule writing.”
The founders are constantly surprised by where Semgrep is being used. Large customers include companies like Slack, Dropbox, and Snowflake. The ministry of interior for a large state government recently messaged them about an important project they were using Semgrep on.
As Semgrep’s popularity continues to grow, the founders believe they will be able to build out their analytics to give developers insights into the security of their codebases instantaneously.
“The broader security industry doesn’t have a ton of metrics about how well we are doing,” Dennison says. “It’s hard to answer questions like are we improving? Is our software getting better? Are we making progress against the attackers? So how do we get to a point where we can give you a code quality score? Then suddenly you’re making software security simple.”