Semmle Goes Global With Software Engineering Analytics Platform

Semmle's LGTM platform enables organizations to analyze and identify security issues in code.


Software engineering analytics platform provider Semmle announced its global launch on Aug. 21, alongside new funding to help the company grow its technology.

Semmle announced it has raised $21 million in a Series B round of funding, led by Accel Partners with participation from Work-Bench. Total funding to date for Semmle stands at $31 million. The company has two core products, LGTM and QL, which are already widely used by developers to help validate code and identify potential vulnerabilities.

"Software systems today are huge and complex and because of that, every business has a huge blind spot for vulnerabilities that exist in their code today," Oege de Moor, CEO of Semmle, told eWEEK. "Semmle secures the software that runs the world by offering a software engineering analytics platform which helps CIOs and developers alike to understand the code, processes and people that have created these huge and complex systems."

De Moor, who had previously spent 21 years teaching computer science at Oxford University, started Semmle in 2006. Among the organizations that use Semmle's technologies are Google, NASDAQ and Credit Suisse.

"Most of our engineering team is in Oxford as we're a spinout of Oxford University in England," de Moor said.

Semmle also has some smaller development teams in the U.S. and is now looking to grow globally, he added.

Key Products

The QL code query engine enables Semmle to perform various kinds of analysis on software code, according to Pavel Avgustinov, vice president of platform engineering and co-founder of Semmle. In addition, QL makes it possible to encode analyses and searches over source code as queries, so that common searches can be repeated, he said.

"QL is what you would use if you're trying to find new vulnerabilities or variants of existing ones," Avgustinov told eWEEK. "Everything we do in QL leads to the analytics we provide, including measures of code quality and vulnerabilities."

Avgustinov said that all of the QL code is open-source and freely available on GitHub, so that security experts from the broader community can contribute to the code and make it better.

The LGTM analytics platform (the name is an acronym for Looks Good To Me) is the broader product. It currently has a public instance that analyzes over 80,000 open-source projects on GitHub, examining every code commit and providing analytics and insights. Avgustinov said that Semmle's customers use LGTM to make their own developers more productive.

Static Analysis

Code analysis is not new in the software development world: several established tools, including Micro Focus Fortify and Synopsys Coverity, provide what is known as static analysis of source code.

De Moor said Semmle differs from other static analysis vendors in that its platform is extensible, enabling developers to add new types of code analysis of their own. Avgustinov noted that QL itself performs static analysis, meaning it examines the source code of a given application rather than observing it at runtime.

"The way that it's used in practice by the security response teams at high tech customers is that they often will use other techniques as well, including dynamic techniques like fuzzing," Avgustinov said.

Dynamic analysis differs from static analysis in that it examines code while it runs. With fuzzing, testers feed large volumes of malformed or random inputs to a running program in an attempt to trigger a crash or other exploitable error condition. Avgustinov said that once developers have identified a vulnerability through dynamic techniques, they often turn to QL to encode the code pattern that led to it. Companies then run that encoded pattern against their source code to find every other place where the same flaw occurs.

As an example of how static and dynamic analysis can work together, Avgustinov noted that Semmle recently started to work with a financial institution that had just gone through a penetration testing exercise in which a pair of critical vulnerabilities was discovered. Working with the financial services company, Avgustinov encoded in QL the code patterns behind the critical vulnerabilities and found an additional 44 instances of the same flaw that the penetration test had not discovered.

"That's not necessarily an indictment of the penetration test," he said. "There's just so much code and it's so complex and expensive that you just can't have a complete overview unless you have something like Semmle QL, which allows you to very quickly perform semantic searches and do so at a very large scale."
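As an illustration of what such an encoded pattern looks like, the following query is an added example written for this article; it is not a Semmle query and not the one used in the engagement described above. It assumes a hypothetical Java codebase in which a penetration test found a command-injection flaw through a call to java.lang.Runtime.exec, and it reports every call to that method whose first argument is not a string literal, so that each remaining call site can be reviewed for the same weakness:

```ql
/**
 * @name Runtime.exec called with a non-constant command
 * @description Reports every call to java.lang.Runtime.exec whose first
 *              argument is not a string literal. Added example for this
 *              article, not a Semmle-supplied query; the Runtime.exec
 *              scenario is assumed, not taken from the engagement above.
 * @kind problem
 * @problem.severity warning
 */

import java

from MethodAccess call, Method m
where
  // Bind the method being invoked at this call site
  call.getMethod() = m and
  // Restrict to the exec overloads declared on java.lang.Runtime
  m.getDeclaringType().hasQualifiedName("java.lang", "Runtime") and
  m.hasName("exec") and
  // A hard-coded literal command cannot be influenced by input;
  // anything else is a candidate variant worth reviewing
  not call.getArgument(0) instanceof StringLiteral
select call, "Runtime.exec called with a non-constant command; review for command injection."
```

Run against a database built from the Java project, the query lists one result per call site, which is the "every other place where the same flaw occurs" step Avgustinov describes. The pattern deliberately over-approximates: it flags any non-literal command, including ones built only from trusted values, and a production variant query would add data-flow tracking so that only commands reachable from untrusted input are reported.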

Looking forward, de Moor said Semmle is working on using data science to better prioritize the findings in LGTM. In addition, work is ongoing to improve the scalability of Semmle's platforms, he said.

"We want our analysis to run as fast as possible and not to slow developers down," de Moor said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.