DEF CON 27 workshop on finding vulnerabilities at scale

Material from our DEF CON workshop on finding vulnerabilities at ecosystem-scale

A few weeks ago we hosted our first DEF CON workshop. We’re grateful we had the opportunity to share some of our work with a packed room, and we learned a lot from the experience.

<script async src="" charset="utf-8"></script>

We realize many people didn’t have the chance to attend DEF CON, so we’re sharing the workshop content here as well.

While some of the large-scale infrastructure was created for the workshop and has since been turned off, you should be able to follow the slides and run most of the exercises. And if you want to keep going beyond the guided instructions, let us know and we’ll give you access to our beta platform, where you can continue to hack away.

Here’s the agenda presented at the workshop so you can get an idea of the content:

  • What is program analysis?

  • Current tools available to analyze source

  • Writing your first program analysis

  • Writing a program analysis that actually looks for something interesting

  • Complex analysis and refining the analysis true positive / false positive

A few notes about the exercises:

  • Ignore the VM instructions if you’re using a Mac — the VM was specifically for Linux and Windows users during the workshop

  • If you need additional help, email us at

We really enjoyed the workshop, but don’t worry, we had lots of fun outside the workshop, too:


Semgrep Logo

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.

Find and fix the issues that matter before build time

Semgrep helps organizations shift left without the developer productivity tax.

Get started in minutesBook a demo