SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Semgrep and HackerOne unite to improve code security reviews
Fri, 12th Jan 2024

A recent surge in cyber threats has left almost half of security professionals frustrated that testing happens too late in the development cycle and that vulnerabilities go undetected by developers in the early stages.

However, attempts to address these issues and integrate security earlier in the software development lifecycle are on the horizon. Semgrep and HackerOne's PullRequest have announced a collaboration aimed at addressing common scalability issues and complexities associated with static analysis tools in traditional code review.

The partnership intends to redefine code review by making it straightforward and collaborative, tailored specifically for a developer audience. By creating tooling that ships high-quality code quickly and speaks to developers in their own terms, the collaboration hopes to fit security review more smoothly into organisations' existing development workflows.

This will be achieved while operating natively within pull requests, so developer velocity is not disrupted. Through a human-in-the-loop code review process, expert reviewers validate findings, provide context, offer specific remediation and respond to queries.

HackerOne, a leader in human-powered security, will combine Semgrep's automated code security tooling with expert support from HackerOne PullRequest code reviewers.

Security teams can now analyse code through Semgrep and have PullRequest reviewers validate results to provide recommendations and context. The partnership facilitates human-in-the-loop testing to improve collaboration between security and development teams, thereby increasing the agility, scalability, and accuracy of the entire code review process.

Isaac Evans, Co-Founder and CEO of Semgrep, addressed the friction between development and code security workflows that arises as developers take on more security responsibility. "But for teams to remain agile and secure, security and development must work closely together. Our joint solution keeps both teams in mind, so workflows stay collaborative and quality code ships faster," he stated.

The combined solution offered by Semgrep and HackerOne integrates natively within pull requests and existing workflows, making it a flexible addition that abides by the increasingly collaborative nature of modern development, delivering relevant and actionable results without disrupting work.

Semgrep's static application security testing (SAST), software composition analysis (SCA), and secrets scanning tools surface security risks, which are then evaluated by PullRequest code reviewers. These reviewers validate the findings, provide context, offer specific remediation, and respond to queries, enabling teams to act quickly.

Highlighting the need for agile solutions in response to modern development teams, Alex Rice, the founder of HackerOne, concluded, "Our partnership with Semgrep ensures software teams get the right insights at the right time in their existing workflows – all with context from human reviewers, so developers spend more time writing trustworthy code and less time fighting security tools."