Secure Guardrails, with Semgrep!

Secure Guardrails

Change your application security program from reactive to proactive with this course on how to create secure guardrails! Learn all about paved roads, secure defaults, and creating technical controls to ensure your developers stay on the secure path!

Enroll for free

Course curriculum

1. Introduction and course overview
1. Vulnerabilities are still everywhere
2. Traditional SAST tools still use a reactive approach
3. With secure guardrails we can be more proactive
1. We can borrow ideas from the DevOps movement
2. Secure defaults, shift left, and secure guardrails
3. Secure guardrail examples
1. Why customize rules
2. Semgrep analysis architecture
3. Semgrep Playground
1. Writing test code
2. Structure mode
3. The first rule: marking a banned function
4. Enforce the order of API calls
5. Blocklist DES and TripleDES
6. Sec Fetch Metadata headers
1. Problem domain and search language
2. Semgrep under the hood: matches, ranges, and set logic
3. Debugging negative patterns
4. pattern-not versus pattern-not-inside
1. Netflix
1. Enforce controller conventions
2. RSA minimum key size
3. FastAPI path parameters
4. Promote the use of an in-house logger
5. Find secrets with the entropy analyzer
6. Path annotated parameters in FastAPI
1. Think long-term, high impact
2. Building scalable solutions and measuring adoption
3. Drive adoption
1. Remediation guidance increases developer interaction
2. Use addSecureCookie to configure cookies correctly
3. Secure cookies in pyramid
4. AST-based autofix
5. Replace a single argument value
1. Dataflow analysis terminology
2. Our first taint mode rule
3. Do not pass request parameters to Runtime.exec
4. Path traversal in Python Flask
5. Path Traversal in Go
6. SQL injection in Java
1. Ruamel YAML parser in Python
2. Parsing XML with DocumentBuilderFactory in Java
3. Ensure cryptographic random data
1. Conclusion

About this course

Free
45 lessons
3.5 hours of video content

Discover your potential, starting today

Enroll today

Course Reviews

Check out what other students have to say!

Excellent blend of theory and practical exercises

J C

This was a great course with a mix of diagrams, explanations and of course practical rule writing. The combination of TDD + Semgrep Playground makes this acc...

This was a great course with a mix of diagrams, explanations and of course practical rule writing. The combination of TDD + Semgrep Playground makes this accessible. The latter stage of the course discusses complex material but the pacing seemed right. Minor things to improve: - the volume is not always consistent between sections - one 8min video is repeated

Read Less

Excellent

Keith Douglas

Recommending this to both cyber security colleagues who need to understand more about cyber security automation and to my developer colleagues who need to un...

Recommending this to both cyber security colleagues who need to understand more about cyber security automation and to my developer colleagues who need to understand more about static code analysis.

Read Less