
Company-wide SAST

17:35
45 min
Defensive Track

At Yandex, developers use a wide range of VCS and CI/CD systems, and the security team has more than a dozen tools. For static analysis we have commercial, open-source, and proprietary (in-house) tools. But without a single entry point, these tools would have poor coverage, a high false-positive rate, and a low bus factor.

To solve these problems, we developed imPulse, an orchestrator meant to unify how analyzers are launched, how their reports are handled, and how findings are triaged.

imPulse supports both the traditional scenario of scheduled scans and on-demand security checks inside CI/CD pipelines. A single interface to the static analysis tools lets us find Yandex-specific problems and vulnerabilities across the entire code base; for this we use analyzers such as Semgrep and CodeQL. In this talk, we will describe the problems we run into and where we get ideas for custom rules.
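The core of the "single entry point" idea is that every analyzer's output is converted into one finding schema before deduplication and triage. The following is an added example written for this page, not imPulse's code and not anything published by the speakers: it normalizes a Semgrep `--json` report and a CodeQL SARIF 2.1.0 report into one record type, fingerprints each finding, drops duplicates (for example the same commit scanned by both a scheduled job and a CI job), and skips findings already marked as false positives. The sample reports and the rule id `yandex.custom.hardcoded-token` are constructed for illustration.

```python
"""Added example: normalise Semgrep JSON and SARIF reports into one finding schema,
then deduplicate and apply triage suppressions. Not imPulse's code."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    path: str
    line: int
    severity: str  # normalised to LOW / MEDIUM / HIGH
    message: str

    def fingerprint(self) -> str:
        # Identity used for dedup and for remembering triage decisions:
        # tool + rule + file + line. Message and severity are deliberately
        # excluded so that wording changes in a rule do not reopen old findings.
        raw = f"{self.tool}|{self.rule_id}|{self.path}|{self.line}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


# Semgrep severities (INFO/WARNING/ERROR) and SARIF levels (note/warning/error)
# mapped onto one scale.
SEVERITY_MAP = {
    "INFO": "LOW", "WARNING": "MEDIUM", "ERROR": "HIGH",
    "note": "LOW", "warning": "MEDIUM", "error": "HIGH",
}


def parse_semgrep(report: dict) -> list[Finding]:
    """Parse the top-level 'results' array of a `semgrep --json` report."""
    out = []
    for r in report.get("results", []):
        out.append(Finding(
            tool="semgrep",
            rule_id=r["check_id"],
            path=r["path"],
            line=r["start"]["line"],
            severity=SEVERITY_MAP.get(r["extra"].get("severity", "WARNING"), "MEDIUM"),
            message=r["extra"]["message"],
        ))
    return out


def parse_sarif(report: dict) -> list[Finding]:
    """Parse runs[].results[] of a SARIF 2.1.0 file (CodeQL, and many other tools)."""
    out = []
    for run in report.get("runs", []):
        tool = run["tool"]["driver"]["name"].lower()
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            out.append(Finding(
                tool=tool,
                rule_id=r["ruleId"],
                path=loc["artifactLocation"]["uri"],
                line=loc["region"]["startLine"],
                severity=SEVERITY_MAP.get(r.get("level", "warning"), "MEDIUM"),
                message=r["message"]["text"],
            ))
    return out


def triage(findings: list[Finding], suppressed: set[str]) -> list[Finding]:
    """Drop repeated fingerprints and findings already marked as false positives."""
    seen: set[str] = set()
    kept = []
    for f in findings:
        fp = f.fingerprint()
        if fp in seen or fp in suppressed:
            continue
        seen.add(fp)
        kept.append(f)
    return kept


# Constructed sample reports (shapes follow the real Semgrep JSON and SARIF formats).
SEMGREP_SAMPLE = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.exec-detected", "path": "app/utils.py",
     "start": {"line": 17, "col": 5}, "end": {"line": 17, "col": 20},
     "extra": {"message": "Detected use of exec()", "severity": "WARNING"}},
    {"check_id": "yandex.custom.hardcoded-token", "path": "app/config.py",  # hypothetical rule id
     "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 40},
     "extra": {"message": "Hard-coded internal API token", "severity": "ERROR"}},
], "errors": []})

SARIF_SAMPLE = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL"}},
    "results": [
        {"ruleId": "py/sql-injection", "level": "error",
         "message": {"text": "Query built from user-controlled input"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                             "region": {"startLine": 42, "startColumn": 5}}}]},
        {"ruleId": "py/clear-text-logging-sensitive-data", "level": "warning",
         "message": {"text": "Sensitive data written to log"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/log.py"},
                                             "region": {"startLine": 10, "startColumn": 9}}}]},
    ]}]})


def run_pipeline() -> list[Finding]:
    """Same commit scanned by a scheduled job and a CI job: Semgrep output arrives twice."""
    semgrep = json.loads(SEMGREP_SAMPLE)
    findings = parse_semgrep(semgrep) + parse_semgrep(semgrep) + parse_sarif(json.loads(SARIF_SAMPLE))
    # Decision recorded earlier by a reviewer: the logging finding is a false positive.
    suppressed = {Finding("codeql", "py/clear-text-logging-sensitive-data",
                          "app/log.py", 10, "MEDIUM", "").fingerprint()}
    return triage(findings, suppressed)


if __name__ == "__main__":
    for f in run_pipeline():
        print(f"{f.severity:6} {f.tool:8} {f.rule_id} {f.path}:{f.line}")
```

In a real orchestrator the suppression set would come from a triage store keyed by fingerprint, and the fingerprint would normally hash a snippet or AST context rather than a raw line number so that unrelated edits above a finding do not reopen it.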

Speakers
Aleksei Meshcheriakov
Alexander Kaleda
Evgenii Protsenko