Posts in:

Insights

Insecure Deserialization: Finding Java Vulnerabilities with QL

Deserialization of untrusted data can lead to vulnerabilities that allow an attacker to execute arbitrary code. We can use QL, the query language of LGTM, to find such deserialization vulnerabilities.

LGTM code quality: Tools to measure quality of your source code

Wouldn't it be great to automatically measure the quality of source code? This post explains how LGTM automatically measures code quality by leveraging its deep analysis of over 130,000 open source projects.

Techtonica and Semmle: How a Facebook Fizz bug bounty is benefiting a non-profit

Learn how Techtonica is using a Facebook Fizz bug bounty, discovered by Semmle researchers, to help train women and non-binary identifying adults in full stack JavaScript development.

The OODA Loops Theory: Tame Your Fragile Code

Github Security Features, Bluekeep, Nginx, and Security News - Semmle on Security

Code as Data: Advanced Techniques for Code Analysis

Open Security: The path to securing Open Source Software

The Community is Our Security Research Team

August 13, 2018

We Owe the World Secure Software

August 13, 2018

How LGTM automatically builds your C/C++ projects

Setting up LGTM.com to build C/C++ projects automatically is a big challenge. This post describes the solution that we've implemented to start building projects and talks about the hurdles still remaining.

Stack buffer overflow in Qualcomm MSM 4.4 - Finding bugs with QL

This post describes how we can use QL to find unsafe uses of copy_from_user - a C function that is used to copy data from user memory into kernel memory. When used incorrectly, it could cause a stack buffer overflow in the kernel.

January 24, 2018

Restlet XXE vulnerability (CVE-2017-14949)

October 17, 2017

Interning at Semmle: Getting Acquainted with QL

September 28, 2017

Open Source vs Proprietary Software: An Analysis Of Code Quality

February 14, 2017

Browse all tags