    Semmle Goes Global With Software Engineering Analytics Platform

    By SEAN MICHAEL KERNER - August 21, 2018

      Software engineering analytics platform provider Semmle announced its global launch on Aug. 21, alongside new funding to help the company grow its technology.

      Semmle announced it has raised $21 million in a Series B round of funding, led by Accel Partners with participation from Work-Bench. Total funding to date for Semmle stands at $31 million. The company has two core products, LGTM and QL, which are already widely used by developers to help validate code and identify potential vulnerabilities.

      “Software systems today are huge and complex and because of that, every business has a huge blind spot for vulnerabilities that exist in their code today,” Oege de Moor, CEO of Semmle, told eWEEK. “Semmle secures the software that runs the world by offering a software engineering analytics platform which helps CIOs and developers alike to understand the code, processes and people that have created these huge and complex systems.”

      De Moor, who had previously spent 21 years teaching computer science at Oxford University, started Semmle in 2006. Among the organizations that use Semmle’s technologies are Google, NASDAQ and Credit Suisse.

      “Most of our engineering team is in Oxford as we’re a spinout of Oxford University in England,” de Moor said. 

      Semmle has also had some limited development teams in the U.S. and is now looking to grow globally, he added.

      Key Products

      The QL code query engine enables Semmle to perform various analyses of software code, according to Pavel Avgustinov, vice president of platform engineering and co-founder of Semmle. In addition, QL makes it possible to encode analytics and searches over the source code as queries, so that common searches can be repeated, he said.

      “QL is what you would use if you’re trying to find new vulnerabilities or variants of existing ones,” Avgustinov told eWEEK. “Everything we do in QL leads to the analytics we provide, including measures of code quality and vulnerabilities.”

      Avgustinov said that all of the QL code is open-source and freely available on GitHub, so that security experts from the broader community can contribute to the code and make it better.

      The LGTM analytics platform (LGTM stands for Looks Good To Me) is the broader platform and currently has a public instance that analyzes over 80,000 open-source projects on GitHub, looking at every code commit and providing analytics and insights. Avgustinov said that Semmle’s customers use LGTM to make their own developers more productive.

      Static Analysis

      Code analysis is not a new thing in the software development world, with multiple technologies providing what is known as static analysis of code, including Micro Focus Fortify and Synopsys Coverity.

      De Moor said Semmle is different from static analysis vendors in the sense that it is extensible and enables developers to add new types of code analysis. Avgustinov noted that QL performs static analysis, meaning it looks at the source code for a given application.

      “The way that it’s used in practice by the security response teams at high tech customers is that they often will use other techniques as well, including dynamic techniques like fuzzing,” Avgustinov said.

      Dynamic analysis is different from static in that it looks at running code. With fuzzing, developers throw miscellaneous inputs at running code in an attempt to trigger an exploitable error condition. Avgustinov said that once developers have identified vulnerabilities through different dynamic techniques, what often happens is they come to QL to encode the patterns that led to those vulnerabilities. He added that companies will then search their static code with the encoded pattern and find every other place where the same flaw occurs in the source code.

      As an example of how static and dynamic analysis can work together, Avgustinov noted that Semmle recently started to work with a financial institution that had just gone through a penetration testing exercise in which a pair of critical vulnerabilities was discovered. Working with the financial services company, Avgustinov encoded in QL the problems that led to the critical vulnerabilities and was able to find an additional 44 instances of the same flaw that the penetration test had not discovered.
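      The workflow described above, one finding encoded as a query and then run over the whole code base, looks roughly like this in QL for Java. This is an added illustration, not Semmle's own code and not the financial institution's query; the flaw pattern (a command string that is not a compile-time constant reaching java.lang.Runtime.exec), the query id and the notion of "constant" are constructed assumptions chosen to stand in for whatever the penetration test actually reported.

```ql
/**
 * @name Non-constant command passed to Runtime.exec
 * @description Variant search: every call site where the command handed to
 *              Runtime.exec is not a compile-time string constant. Constructed
 *              example of encoding one penetration-test finding as a query
 *              that can be re-run on every commit.
 * @kind problem
 * @problem.severity warning
 * @id example/exec-non-constant-command
 */

import java

/** The `exec` methods declared on `java.lang.Runtime`. */
class RuntimeExec extends Method {
  RuntimeExec() {
    this.hasName("exec") and
    this.getDeclaringType().hasQualifiedName("java.lang", "Runtime")
  }
}

/**
 * Holds if `e` is what the (constructed) original finding treated as safe:
 * a string literal, or a local variable that is only ever assigned literals.
 */
predicate isConstantCommand(Expr e) {
  e instanceof StringLiteral
  or
  exists(LocalVariableDecl v |
    e = v.getAnAccess() and
    forall(Expr init | init = v.getAnAssignedValue() | init instanceof StringLiteral)
  )
}

// Report every call that does not match the known-safe shape; each result is
// one more place where the same pattern the test found must be reviewed.
from MethodAccess call
where
  call.getMethod() instanceof RuntimeExec and
  not isConstantCommand(call.getArgument(0))
select call, "Command passed to Runtime.exec() is not a constant; review how it is built."
```

      Run against a QL database of the Java project, the query lists every matching call site at once, which is the enumeration a manual review would otherwise have to do by hand.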

      “That’s not necessarily an indictment of the penetration test,” he said. “There’s just so much code and it’s so complex and expensive that you just can’t have a complete overview unless you have something like Semmle QL, which allows you to very quickly perform semantic searches and do so at a very large scale.”

      Looking forward, de Moor said Semmle is working on making use of data science to better prioritize the findings in LGTM. In addition, work is ongoing to expand the scalability of Semmle’s platforms, he said.

      “We want our analysis to run as fast as possible and not to slow developers down,” de Moor said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
