Highlights:

  • Series C funding was led by Lightspeed Venture Partners. Also contributing were Felicis Ventures, Redpoint Ventures, and Sequoia Capital.
  • Before releasing new code to production, developers scan it for vulnerabilities with static application security testing (SAST) tools.

Semgrep Inc., the company behind the code security platform of the same name, announced that it has raised USD 53 million in new funding.

The Series C round was led by Lightspeed Venture Partners, with participation from Redpoint Ventures, Felicis Ventures, and Sequoia Capital.

Before releasing new code to production, developers scan it for vulnerabilities with static application security testing (SAST) tools, which analyze source code without running it. Semgrep provides one of the market’s most prominent SAST platforms. It is used by the development teams of Snowflake Inc., Shopify Inc., Dropbox Inc., and other major technology companies.

Semgrep can determine whether a fragment of code contains a known class of vulnerability, such as the weakness patterns behind entries in the CVE database. It can also assess an application’s exposure to common attack techniques. A developer could use Semgrep, for instance, to check whether an application builds database queries in a way that allows SQL injection.

Software teams can augment Semgrep with custom detection rules. A detection rule is a declarative pattern, written in a YAML file, that describes the shape of code to flag, together with a message and a severity; Semgrep reports every place in the code base that matches it. Developers can therefore configure Semgrep to find not only new security problems but also other concerns, such as code that violates organizational best practices.

Isaac Evans, Founder and Chief Executive Officer said, “Unlike most black-box scanners, Semgrep puts engineers in charge: they can transparently view the rules that alerted the vulnerabilities and make sense of them. They can also quickly write a new rule, edit an existing rule or use one of the thousands of community rules and fine-tune Semgrep to match their specific needs.”

The company generates revenue from two commercial products built on its open-source engine: Semgrep Supply Chain and Semgrep Code.

Enterprise applications include not only the code that a company’s own developers write but also external modules from the open-source ecosystem, and those modules may contain security vulnerabilities. The startup’s first commercial product, Semgrep Supply Chain, automatically checks an application’s open-source dependencies for known vulnerabilities.

In some circumstances, a vulnerable open-source module poses no real risk. Typically, this is the case when the application never calls the part of the module that contains the vulnerability. Such unreachable issues are a frequent source of false positives in security tools.

Supply Chain can automatically determine whether a vulnerability in a dependency is reachable, that is, whether the application actually calls the affected code. It then prioritizes the vulnerabilities that pose a greater risk, allowing developers to resolve the most pressing issues first. According to Semgrep, this reachability analysis can reduce false positives by up to 98% in some cases.
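As an added illustration of the reachability idea (written for this article, not taken from Semgrep’s Supply Chain rule set), the following Semgrep rule flags first-party code that calls a hypothetical dependency on the code path an advisory is assumed to cover. The package `widgetlib`, its `load()` function and the `unsafe=True` condition are invented for this example; a dependency that is merely pinned in a lockfile but never called this way produces no finding.

```yaml
# Added example: a reachability-style rule for a hypothetical dependency.
# "widgetlib", its load() function and the unsafe=True flag are invented for
# illustration; they do not refer to a real package or a real advisory.
rules:
  - id: example-widgetlib-unsafe-load-reachable
    languages: [python]
    severity: WARNING
    message: >-
      First-party code calls widgetlib.load() with unsafe=True, which is the
      code path the (hypothetical) advisory covers, so the vulnerability is
      reachable. Upgrade widgetlib or drop unsafe=True.
    metadata:
      category: security
      example-only: true   # free-form metadata; marks this as a demo rule
    patterns:
      # Match the vulnerable call shape; the keyword argument may appear in
      # any position among the other arguments.
      - pattern: widgetlib.load(..., unsafe=True, ...)
      # Semgrep resolves Python imports, so "from widgetlib import load" and
      # "import widgetlib as wl" are covered without extra patterns.

# Constructed sample first-party code and the verdict this rule gives:
#   widgetlib.load(payload, unsafe=True)                  -> finding (reachable)
#   widgetlib.load(payload)                               -> no finding
#   widgetlib.load(payload, unsafe=False)                 -> no finding
#   widgetlib pinned in requirements.txt, never imported  -> no finding
```

Run it with `semgrep --config rule.yaml src/`. A finding means the affected API is actually called from the application, which is the signal that separates a reachable vulnerability from an inert one; a supply-chain product combines a code pattern like this with the dependency version recorded in the lockfile, so that only a vulnerable version that is also called gets reported.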

Semgrep Code is designed to identify vulnerabilities in an organization’s own application code, as opposed to open-source dependencies. It includes prepackaged detection rules that are not available in the startup’s open-source platform and provides additional context about the vulnerabilities it discovers. It can also determine whether attacker-controlled input entering one part of an application can flow, without being validated, into a sensitive operation in another part, an analysis known as taint tracking.
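As an added example (written for this article, not taken from Semgrep’s published rules), here is a custom rule of the kind the paragraphs above describe. It uses Semgrep’s taint mode to follow untrusted request data from where it enters a Flask handler to where it is spliced into a SQL query string, which is the cross-section data flow just mentioned. The Flask source patterns, the `int()` sanitizer and the `execute()` sink are choices made for this example.

```yaml
# Added example: a taint-mode Semgrep rule for SQL injection in a Flask app.
# Source, sanitizer and sink choices are illustrative, not Semgrep's own.
rules:
  - id: example-flask-request-to-sql-taint
    languages: [python]
    severity: ERROR
    message: >-
      Request-controlled data reaches the SQL query string passed to
      execute(). Pass values as query parameters instead of building the
      string with %, .format() or an f-string.
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    mode: taint
    # Sources: anything read from the incoming HTTP request.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.args[...]
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.form[...]
    # Sanitizers: a value converted to int cannot carry SQL syntax.
    pattern-sanitizers:
      - pattern: int(...)
    # Sinks: only the query-string argument of execute(). Tainted data in the
    # parameters tuple is fine because the driver escapes it, so
    # execute("... WHERE id = %s", (user_id,)) is not flagged.
    pattern-sinks:
      - patterns:
          - pattern: $CURSOR.execute($QUERY, ...)
          - focus-metavariable: $QUERY

# Constructed sample code and the verdict the rule gives:
#   name = flask.request.args.get("name")
#   cur.execute(f"SELECT * FROM users WHERE name = '{name}'")     -> finding
#   cur.execute("SELECT * FROM users WHERE name = %s", (name,))   -> no finding
#   uid = int(flask.request.args["id"])
#   cur.execute("SELECT * FROM users WHERE id = " + str(uid))     -> no finding
```

Taint propagates through the f-string, `%` formatting and `.format()` alike, so the rule catches all three ways of building the string, while the parameterized form is left alone because `$QUERY` is a constant there. Because the rule is a plain file, a developer can read exactly why a finding fired, add a new source such as `flask.request.headers[...]`, or add a project-specific sanitizer, which is the transparency the CEO’s quote describes.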

The company told a leading media house that revenue from its commercial products grew by 750% over the past year, but did not disclose exact figures. It will use the new funding to expand its market presence, and reportedly plans to hire 50 new employees by the end of the year to support that effort.