Discover how our partner r2c is reducing cost, time, and headaches in static testing
The State of Static Application Security Testing (SAST) Until Now
Traditional SAST systems are big, powerful, and for sufficiently scaled enterprise organizations, completely vital. If an org has teams of developers in multiple time zones pumping out code to support internal systems and external products, they need a system to standardize and secure all of it. Each undiscovered vulnerability could cost millions, after all. That’s why such systems are able to justify their price, which is often above a million dollars a year to keep running.
The trouble is that to read all these lines of code and flag their flaws, traditional SAST systems require a massive on-premises footprint and, depending on the repository being scanned, could take days or weeks to work. And at the end of this process, flaws discovered, it’s up to developers and DevSecOps teams to go back to previously committed code to tediously rewrite some or all of it, and put their current projects on the backburner.
But all that goes with the territory. It can’t be helped, right?
The Static Revolution is in Motion
The innovators at r2c disagree, and it’s hard to argue with their results. With their recently-launched tool, Semgrep, they are helping shift static testing further left than ever before. Now developers themselves can use a real-time vulnerability scanning tool right alongside their text editors and check code for errors. They can also include static tests that complete in real-time when code is checked in and create rules that can help standardize best practices across entire organizations.
True Positives and r2c Partner Up
The True Positives team recognized the impact this technology would have, which is why we are proud to be among the first partners for r2c. We’re now offering Semgrep Team Edition to all our customers, which helps teams not only get real time code security enhancements but also allows for unlimited security policies, privately hosted rulesets to help enforce code standardizations, and support from the r2c team. Plus, you get the True Positives targeted value-added services to help midsize and enterprise businesses protect their assets. We’re happy to help your teams implement and integrate Semgrep.
What Does This Change Mean for the Industry
For Developers
Developers get to catch mistakes before they’re committed at the desktop level, saving a ton of headaches on rework and moving tickets back and forth in JIRA. This puts control back in their hands and helps standardize the code between developers across the organization.
For DevSecOps
Product security teams get a much smaller number of issues in their workflow, so they can focus their attention on comprehensive solutions rather than battling every little bug.
For Organizations
Organizations that can’t justify the investment of traditional SAST systems get a fighting chance in the war on security vulnerabilities, protecting their assets the way larger organizations can. Companies who do currently use traditional static testing systems now get to maximize the value of their investment by only bringing the biggest flaws out in more focused scans while benefiting from the agile real-time scans of Semgrep.
What Does the Industry Think So Far?
“These lightweight static analysis methods are really fast and really actionable.”
“Is great because I can create a nice little dictionary of rules and run in my CI-CD pipeline.”
“We have this way to specify an auto fix
- you can reuse those meta variables...
you don’t have to create a bunch of separate documentation.”
About r2c
r2c is a security company backed by Redpoint Ventures and Sequoia Capital, helping bring a robust, supported, and standardized version of the open-source project Semgrep to developers everywhere. Originally built by teams at Facebook to help bake code-level security into their products that support over a billion users, Semgrep is now generally available to even modest teams.
Get a Free Trial & Consultation with True Positives
True Positives is an authorized full-service reseller with decades of experience in traditional SAST products, and we were on the ground floor with r2c as well. When you work with us to source these tools, you get:
Access to the solution through us to get a thorough trial
Enhanced support during the trial
Competitive market pricing if and when you decide to buy
Help available to implement and integrate the tools
