tips and tricks

My Very, Very, VERY HONEST Internship Experience @ Semgrep

I interned at Semgrep, an application security company. This blog post is about how my Semgrep internship debunked startup stereotypes, offering balance and rich learning experiences. It reshaped my perspective, leaving me eager for a future in the dynamic field of cybersecurity.


Fears and firsts: navigating startup culture

Before joining Semgrep, my professional experience was limited to federal government roles and positions at tech giants like Google. Working at a startup was a new frontier for me, and I admit I had some apprehensions. We often hear about the stereotypes associated with startups – intense deadlines requiring work on weekends and late nights, fewer perks compared to tech giants (no fancy cafeterias, for example), and perhaps a less pleasant work environment. However, my experience at Semgrep completely shattered these notions. The time I've spent at Semgrep has been truly eye-opening and transformative.

Startup surprises: my Semgrep story

Before I continue, allow me to introduce myself: I'm Charissa Kim. I was part of the Semgrep's intern cohort for the summer of '23. I want to affirm that the stereotypes surrounding startups, which initially made me apprehensive, are far from the reality I experienced at Semgrep. With a background in cybersecurity, computer science, and legal studies from the University of California, Berkeley, I was the internal security intern at Semgrep.

Semgrep's streamlined selection: A snapshot of my recruitment process

Amidst the challenges of today's job market, Semgrep stood out with a recruitment and interview process that left a lasting impression on me. It was finely tuned to the role and is one of the most positive recruiting experiences I've encountered. What resonated with me the most was the genuine warmth, courtesy, and passion displayed by everyone I interacted with. Ultimately, I found myself enthused by Semgrep and immediately accepted my internship offer. 

Semgrep summer: shattering startup stereotypes and savoring San Francisco

My summer internship started on June 12, 2023, spanning ten weeks. To begin, Semgrep shattered all my preconceived notions about startups. I was pleasantly surprised by their equipped office space with huge monitors and a breathtaking view. The onboarding process was meticulously organized, ensuring that we, as interns, always felt supported. Our intern cohort struck a perfect balance - not too small, not too large - which fostered close-knit relationships among us. 

While we may not have a cafeteria, like those in large tech firms, I dare say what we do have is even better. Allow me to introduce you to Forkable, an on-demand lunch ordering service. We could select meals from a variety of San Francisco's restaurants. As a huge foodie, this was one of the highlights of my time at Semgrep, and it provided ample opportunities to try new restaurants with fellow interns and colleagues from the office.

charissa blog 2

And let's address the misconception about grueling, never-ending work hours—nothing could be further from the truth. While everyone at Semgrep is undeniably hard-working, the idea of "finance bro" hours, from 9 AM to 9 PM, is simply not the norm. The company is incredibly flexible with work hours, allowing me to adhere to a comfortable 9-to-5 schedule.

charissa blog 4

Projects: strengthening Semgrep's security

Throughout my internship, my primary focus was on GRC (Governance, Risk, and Compliance) and privacy initiatives, which are at the heart of ensuring robust security and regulatory adherence. Specifically, I was tasked with two critical objectives: maintaining our SOC-2 compliance and diligently preparing for GDPR compliance - a pivotal step, particularly in catering to our European user base.

The significance of GDPR compliance cannot be overstated, as it greatly impacts data security and business operations. This became evident when prospective customers inquired about our GDPR status, underlining its relevance to our security and sales endeavors.

One of my central sub-projects involved the creation of an exhaustive customer data catalog. This entailed a meticulous inventory of user data, storage locations, and the custodial teams responsible for data management. I conducted a thorough audit of all Semgrep services, judiciously archiving those no longer in use, and conducted comprehensive assessments of the data they collected. This scrutiny was especially focused on customer data. Categorizing this data into user data, sensitive business data, or public/non-sensitive data was a critical step. This effort culminated in the completion of a Data Protection Impact Assessment (DPIA), a foundational GDPR compliance document that is often requested by our discerning customers.

charissa blog 2

Another pivotal task involved mapping out the intricate data flows within the tools and services employed by our sales and marketing teams. This elaborate diagram provided a granular view of data flow, offering invaluable insights into our go-to-market SaaS services.

Achieving GDPR compliance necessitated the implementation of cookie consent services. My responsibilities encompassed conducting in-depth market research and delving into the myriad strategies adopted by security-focused startups and companies to implement cookie consent mechanisms compliant with GDPR. Practical testing and experimentation, including VPN testing, were integral to this process.

Additionally, I actively engaged in various internal security maintenance tasks. This encompassed migrating services as part of our Semgrep rename and overseeing secrets management. Moreover, I had the opportunity to outline content for our security features website page, ensuring that it accurately reflects our commitment to security.

While pivotal in ensuring regulatory compliance, these projects also significantly fortified our security posture. They played a vital role in bolstering our defenses and establishing Semgrep as a trusted entity in the realm of cybersecurity.

Key takeaways: from stereotypes to success

Throughout the ten weeks, I learned, grew, and thrived. I am profoundly thankful for the incredible learning opportunities this internship offered and the invaluable experiences that will shape my future endeavors. Exploring different aspects of Semgrep and the security industry, I experienced significant personal and professional growth. Beyond these projects, my internship provided incredible opportunities for growth and learning in software security. I had the privilege of attending events like BSides San Francisco and BSides Las Vegas, the Diana Initiative, and DefCon. These experiences allowed me to network with brilliant professionals and expand my knowledge base in the security domain. My time at Semgrep proved that stereotypes about startups often don't hold. This experience debunked common misconceptions about grueling hours and a lack of benefits, demonstrating that startups can offer a well-balanced and enriching work environment. Contrary to the stereotype of endless work hours, Semgrep promotes a healthy work-life balance, allowing for flexibility in work hours, which I found invaluable.  My time at Semgrep has been nothing short of transformative, leaving me excited for the road ahead in the dynamic and constantly evolving field of cybersecurity.

P.S. I'm thrilled to share that I've been offered a full-time position as a Security TPM, and I eagerly accepted the role. I'm looking forward to embarking on this new journey of growth and learning, transitioning from an intern to an official full-timer.

P.P.S. It took a lot of self-control to refrain from typing in ALL-CAPS for this blog post.

P.P.P.S. If you want to see what a typical day looks like as a Semgrep intern, check out our TikTok, Instagram, and YouTube @Semgrep, and if you’re interested in software security, try Semgrep for free!

charissa blog


Semgrep Logo

Semgrep is a fast, open-source, code scanning tool for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.

Code scanning at ludicrous speed

Find bugs and enforce code standards