Secure Guardrails, with Semgrep!

Secure Guardrails

Change your application security program from reactive to proactive with this course on how to create secure guardrails! Learn all about paved roads, secure defaults, and creating technical controls to ensure your developers stay on the secure path!

Enroll for free

Course curriculum

1. Introduction and course overview
1. Vulnerabilities are still everywhere
2. Traditional SAST tools still use a reactive approach
3. With secure guardrails we can be more proactive
1. We can borrow ideas from the DevOps movement
2. Secure defaults, shift left, and secure guardrails
3. Secure guardrail examples
1. Why customize rules
2. Semgrep analysis architecture
3. Semgrep Playground
1. Writing test code
2. Structure mode
3. The first rule: marking a banned function
4. Enforce the order of API calls
5. Blocklist DES and TripleDES
6. Sec Fetch Metadata headers
1. Problem domain and search language
2. Semgrep under the hood: matches, ranges, and set logic
3. Debugging negative patterns
4. pattern-not versus pattern-not-inside
1. Netflix
1. Enforce controller conventions
2. RSA minimum key size
3. FastAPI path parameters
4. Promote the use of an in-house logger
5. Find secrets with the entropy analyzer
6. Path annotated parameters in FastAPI
1. Think long-term, high impact
2. Building scalable solutions and measuring adoption
3. Drive adoption
1. Remediation guidance increases developer interaction
2. Use addSecureCookie to configure cookies correctly
3. Secure cookies in pyramid
4. AST-based autofix
5. Replace a single argument value
1. Dataflow analysis terminology
2. Our first taint mode rule
3. Do not pass request parameters to Runtime.exec
4. Path traversal in Python Flask
5. Path Traversal in Go
6. SQL injection in Java
1. Ruamel YAML parser in Python
2. Parsing XML with DocumentBuilderFactory in Java
3. Ensure cryptographic random data
1. Conclusion

About this course

Free
45 lessons
3.5 hours of video content

Discover your potential, starting today

Enroll today

Secure Guardrails

Course curriculum

Introduction

[WHY secure guardrails?] Security must scale

[WHAT are secure guardrails?] Make the secure way the easy way

Introduction to Semgrep

[Exercises] Writing Semgrep rules

[Exercises] Semgrep matching behaviour

[WHO uses secure guardrails?] Success stories

[Exercises] Semgrep metavariable operators

[HOW to start with secure guardrails?] Think long term, high impact

[Exercises] Semgrep autofix

[Exercises] Introduction to taint mode

[Exercises] Taint mode for experts

Conclusion

About this course

Discover your potential, starting today