In security, ‘variant analysis’ is the process of searching for variants of known vulnerabilities. This used to be done with grep and painstaking manual code audits, but it can be automated with a powerful semantic query language like CodeQL. The idea of such a query language had been around in academic research for a long time, but we had to create a startup named Semmle to make CodeQL a reality. Semmle was acquired by GitHub in September 2019. I’ll show with a few in-depth examples how security researchers have used the CodeQL product to find and fix many vulnerabilities in popular open source projects. I’ll also discuss why the focus on variant analysis was a critical step in making Semmle a successful startup company. Finally, I’ll explain why the experience of creating Semmle and CodeQL convinced me that blue-skies research goes fastest with user needs driving the research agenda.
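To make the idea of variant analysis concrete, here is a small CodeQL query of the kind a reviewer writes once a bug class has been understood: it looks for every call to strcpy whose destination is a fixed-size array, i.e. further instances of an unbounded-copy pattern, across a whole C/C++ code base. It is an added example for this abstract, not a query from the talk or from the CodeQL standard query suite; the query id and message text are placeholders of my own choosing.

```ql
/**
 * @name Unbounded copy into fixed-size array (variant-analysis example)
 * @description Flags strcpy calls whose destination is a local or global
 *              array of fixed size, so each hit can be reviewed for a
 *              missing length bound.
 * @kind problem
 * @problem.severity warning
 * @id example/unbounded-strcpy-into-array
 */

import cpp

from FunctionCall call, Function target, Variable dest
where
  // the callee is strcpy (in the global or std namespace)
  target = call.getTarget() and
  target.hasGlobalOrStdName("strcpy") and
  // first argument is a direct access to a variable ...
  dest = call.getArgument(0).(VariableAccess).getTarget() and
  // ... whose declared type is a fixed-size array, e.g. char buf[64]
  dest.getUnspecifiedType() instanceof ArrayType
select call,
  "Call to " + target.getName() + " copies into fixed-size array '" +
    dest.getName() + "' without a length bound."
```

Run it with the CodeQL CLI against a database built from the target project (`codeql database analyze <db> <query.ql>`); each result is one candidate variant to triage, and the same query can be re-run on every new commit so the bug class stays closed.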
Oege de Moor is the CEO and Founder of Semmle. Semmle’s mission is to secure the software that runs the world. From 1994 to 2014, Oege was a professor of computer science at the University of Oxford, where he did research in programming languages and tools. Semmle’s products are used by Microsoft, Google, NASA, NASDAQ, Credit Suisse, Dell, and many other leading software organisations. It has offices in Oxford, Copenhagen, Valencia, New York, San Francisco and Seattle. The technology at Semmle is a fun combination of deep theory (if you like lattice theory, you’ll like our engine), good engineering (making it work on some of the largest code bases on the planet) and cool applications (like the 0-days we report in open source). Semmle is always on the look-out for new team members.