LGTM: Unleash your inner security researcher

Max Schaefer, Lead Software Engineer at Semmle

We’ve all become used to the daily barrage of reports about major security flaws and data breaches in both open-source and proprietary software. Last year alone, tens of thousands of CVEs were assigned, at a rate of almost two CVEs per hour. Unfortunately, security vulnerabilities are notoriously hard to test for; they are out of scope for linters, and even the most attentive code reviewer is bound to miss many of them. So what’s a developer to do?

We believe LGTM is the answer. It is a scalable, programmable static analysis system, which comes with best-in-class security analysis and bug finding tools for C++, C#, Java, JavaScript and Python. All our analyses are written in QL, a high-level object-oriented query language that makes writing deep whole-program analyses and complex security checks a breeze. QL is open to everyone, so you can write your own analyses on LGTM and become a security researcher with super powers. Findings for over 70K open-source projects are already available on LGTM.com, and the number of projects that use LGTM’s automatic code review for pull requests is rapidly increasing.

In this talk, I will show you a few of the most interesting results and CVEs we have found so far. I will briefly explain some of the challenges of doing static analysis at scale and give you a taster of what it's like to use QL. Most importantly, though, I want to inspire you to use LGTM to improve the open source software the entire world has come to rely on by fixing alerts and writing your own analyses!

Max is a Lead Software Engineer at Semmle, where he is in charge of JavaScript and TypeScript analysis. Prior to joining Semmle, Max was a post-doc at IBM Research and an assistant professor at NTU Singapore. He holds a doctorate in computer science from Oxford University.

This event is open to the public. Priority will be given to:
• Representatives from Consortium member companies
• Staff at Singapore government agencies
• Staff and full-time students at local Institutes of Higher Learning (IHLs) and Research Institutes (RIs)
• Invited guests

For enquiries, please contact the Singapore Cybersecurity Consortium.