Welcome to the first GolangVan virtual meetup! This meetup will be live-streamed at https://www.youtube.com/watch?v=vjmoNQmXAeI. The Q&A session will take place in the YouTube live chat.
In this meetup, Charles Iliya Krempeaux (https://twitter.com/reiver) and Drew Dennison (https://twitter.com/drewdennison) will give talks on the top 3 lessons learned using Go and on Semantic Grep (https://github.com/returntocorp/semgrep).
---
Speaker: Charles Iliya Krempeaux
Title: Top 3 Lessons Learned Using Go For The Last 7 Years
Abstract:
Learning a new programming language is easy, but mastering one takes years of experience.
Learn some of those lessons from a software engineer with more than a century of experience, who has been programming in Go for the last 7 years.
Speaker bio:
Charles Iliya Krempeaux (http://changelog.ca) has been in tech for more than a century. Connect with him at https://linkedin.com/in/charlesiliyakrempeaux
---
Speaker: Drew Dennison
Title: DIY Gosec: Detect complex code patterns using semantic grep
Abstract:
We'll discuss a static analysis tool we're developing called Semgrep and compare it to tools like gosec. Semgrep is a tool for writing security and correctness queries on source code (for Go, Python, Java, C, and JS) with a simple grep-like interface. The original author, Yoann Padioleau, worked on Semgrep's predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He's now full-time at r2c.
Semgrep is open-source and comes with a registry of OWASP Top 10 security checks. It's ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.
For example, with Semgrep you can:
Simply match function calls:
    exec.Command(...)
The pattern exec.Command(...) matches exec.Command() called with any arguments, or spread across multiple lines - but not the string "exec" in comments or hard-coded strings, because Semgrep is aware of the code structure.
Find use of SSLv3:
    tls.Config{..., MinVersion: $TLS.VersionSSL30, ...}
Find hardcoded JWT tokens:
    var $X = []byte("...")
    ...
    $TOKEN := jwt.NewWithClaims(...)
    ...
    $Y := $TOKEN.SignedString($X)
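As an added example (not from the talk or the Semgrep project itself), here are the SSLv3 and hardcoded JWT patterns above written as a Semgrep rules file; the rule ids, severities and messages are my own choices, the patterns are exactly the ones listed.

```yaml
# rules.yml - constructed example; rule ids and messages are assumptions,
# the patterns are the ones from the abstract. Run with: semgrep --config rules.yml .
rules:
  - id: go-hardcoded-jwt-signing-key
    languages: [go]
    severity: ERROR
    message: >-
      JWT signed with a key literal embedded in the source. Anyone with the
      repository or binary can forge tokens; load the key from a secret store.
    # "..." matches any string literal; the bare ... lines let unrelated
    # statements sit between the declaration, NewWithClaims and SignedString.
    pattern: |
      var $X = []byte("...")
      ...
      $TOKEN := jwt.NewWithClaims(...)
      ...
      $Y := $TOKEN.SignedString($X)

  - id: go-tls-min-version-sslv3
    languages: [go]
    severity: WARNING
    message: >-
      tls.Config allows SSLv3 as the minimum protocol version. Set MinVersion
      to tls.VersionTLS12 or higher.
    # $TLS is a metavariable, so the rule still fires if the crypto/tls
    # package is imported under an alias. The ... in the struct literal
    # matches any other fields in any order.
    pattern: 'tls.Config{..., MinVersion: $TLS.VersionSSL30, ...}'
```

Matches are reported per file and line, which is what makes the rules usable as a CI gate alongside gosec.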
Source code: https://github.com/returntocorp/semgrep
Test in your browser: https://semgrep.live/
Speaker bio:
Drew Dennison is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Previously at Palantir, he led data-driven cyber insurance platform development and technical incident response on major data leaks for Fortune 100 companies. Drew received his degree in Computer Science from MIT. He lives in SF and spends his free time racing sailboats, camping, and trying to outsmart his two cats.