The startup r2c, launched by Startup r2c

The startup r2c helps security professionals scan codebases and identify security vulnerabilities in their software. Pictured are the founders, left to right: Luke O’Malley ’14; Isaac Evans ’13, SM ’15; and Drew Dennison ’13. Credit: Courtesy of r2c, edited by MIT News

At the heart of Semgrep is a database of more than 1,500 prewritten rules that security professionals can incorporate into their code scans. If they don’t see one they want, they can write their own rules using r2c’s intuitive interface and add it to the database for others.

“If you know how to program in a language, you can now write rules and extend Semgrep, and that’s where you basically democratize this field that has only been accessible to people with highly specialized skills,” says r2c Head of Product Luke O’Malley ’14, who co-founded the company with Isaac Evans ’13, SM ’15 and Drew Dennison ’13. “Now that anyone can write a rule, you can tap into people’s specialized knowledge of their fields. That’s the big breakthrough. Semgrep is an open-source project that’s by developers, for developers.”

In addition to simplifying the process of implementing code standards, r2c has fostered a community of security professionals who can share ideas and brainstorm solutions to the latest threats. That support ecosystem has proven crucial in a rapidly evolving industry in which security professionals may wake up on any given morning and read about new vulnerabilities exposed by hacks to some of the biggest tech companies on the planet.

“It can be frustrating to see that computers are so insecure even though they’re 40 or 50 years old,” Dennison says. “I like to remind myself of automobiles. Sixty years into the automotive world we still didn’t have seat belts or airbags. It was really when we started measuring safety and having standards that the industry improved. Now your car has all kinds of fancy safety features. We’d love to do the same thing for software.”

Learning to hack

As undergraduates at MIT, Evans, O’Malley and Dennison lived next to each other in Simmons Hall. The three electrical engineering and computer science students soon began hacking together in various campus programs and side projects. Over the Independent Activities Period of 2011, they landed a contract to help military personnel in the Army use apps on Android phones more securely.

“That really cemented our roles because Drew played CTO of the project, Isaac was CEO, and I was doing product work, and those are the roles we fell into with r2c,” O’Malley says. “It wasn’t officially a company, but we gave ourselves a name and treated it like we were a startup.”

All three founders also took part in the Gordon-MIT Engineering Leadership (GEL) Program.

“GEL really helped me think about how a team works together, and how you communicate and listen,” Dennison says. “It also gave me people to look up to. Joel Schindall [MIT’s Bernard M. Gordon Professor in Product Engineering] was a great mentor. I requested him if we must turn the Army point into a startup, and his guidance was sound. He claimed, ‘Go make issues on an individual else’s dime for a few decades. There’s plenty of time.’”

Heeding that information, the founders went their individual techniques soon after graduation, signing up for different organizations but generally preserving their thriving collaborations in the back of their minds.

In 2016, the founders started discovering chances in the software program security area. At MIT, Evans experienced prepared his master’s thesis on state-of-the-art program protection procedures, but the founders required to construct something that could be utilised by persons with no that deep technical know-how.

The founders explored various diverse projects relating to scanning code ahead of an interior hackathon in 2019, when a colleague showed them an previous open-supply venture he’d worked on whilst at Fb to assistance assess code. They decided to shell out the hackathon reviving the task.

The founders set out to add breadth to the resource by generating it appropriate with far more languages, and depth by enabling it to realize code at larger levels. Their target was to make Semgrep in good shape seamlessly into current security workflows.

Just before new code is deployed by a enterprise, it normally gets reviewed by the stability crew (though the founders say stability authorities are outnumbered 100 to one by developers at numerous corporations). With Semgrep, the protection crew can put into action guidelines or checks that run automatically on the code to flag opportunity troubles. Semgrep can integrate with Slack and other frequent programs to provide the benefits. It operates with around 25 coding languages currently relating to mobile, back end, entrance stop, and internet development coding.

On best of the policies database, r2c gives solutions to enable firms get the most out of the bug-acquiring engine by making sure every codebase is scanned for the appropriate things with no producing pointless delays.

“Semgrep is altering the way that computer software can be prepared, so out of the blue you can go rapid and be secure, and that just hasn’t been achievable for most teams ahead of,” O’Malley suggests.

A network outcome

When a key vulnerability to a extensively used software framework regarded as Log4Shell was exposed a short while ago, r2c’s local community Slack channel arrived alive.

“Everyone was indicating, ‘Okay, here’s a new threat, what are we undertaking to detect it?’” O’Malley recollects. “They promptly claimed, ‘Here’s variant A, B, C for anyone.’ Which is the power of democratizing rule producing.”

The founders are frequently stunned by exactly where Semgrep is remaining utilized. Big shoppers involve corporations like Slack, Dropbox, and Snowflake. The ministry of inside for a large state government a short while ago messaged them about an critical task they were being employing Semgrep on.

As Semgrep’s acceptance carries on to develop, the founders believe they will be capable to develop out their analytics to give builders insights into the stability of their codebases instantaneously.

“The broader stability business doesn’t have a ton of metrics about how perfectly we are undertaking,” Dennison claims. “It’s hard to respond to queries like are we strengthening? Is our computer software finding far better? Are we producing development versus the attackers? So how do we get to a stage exactly where we can give you a code top quality rating? Then suddenly you’re generating software program protection very simple.”