In security, ‘variant analysis’ is the process of searching for variants of known vulnerabilities. This used to be done with grep and painstaking manual code audits, but it can be automated with a powerful semantic query language like CodeQL. The idea of such a query language had been around in academic research for a long time, but we had to create a startup named Semmle to make CodeQL a reality. Semmle was acquired by GitHub in September 2019. I’ll show with a few in-depth examples how security researchers have used the CodeQL product to find and fix many vulnerabilities in popular open source projects, and what makes it effective for this purpose. I’ll also discuss why the focus on variant analysis was a critical step in making Semmle a successful startup company. Finally, I’ll explain the factors that must come together to drive the adoption, scalability, and success of such technology.
The discussion and AMA following this talk will be moderated by Satish Chandra.
Aditya Sharad is a Senior Manager of Software Engineering at GitHub. He leads the CodeQL core engineering team, which is responsible for the query language, evaluation engine, and developer tooling for the CodeQL semantic code analysis technology. First at Semmle and later at GitHub, Aditya has extensive experience in both building code analysis technology and teaching the community how to use it to find security vulnerabilities in software. He holds bachelor’s and master’s degrees in mathematics and computer science from the University of Oxford.