FloQast addresses security issues in minutes using Semgrep

About FloQast

FloQast is the leading provider of accounting workflow automation. FloQast helps accounting teams by automating common accounting workflows and helping to streamline and make them more efficient. 

Software security challenges

FloQast uses the MERN (an acronym for MongoDB, Express, React, and Node) stack for most of its applications. The application security team is responsible for securing the entire technology stack. As FloQast continues its tremendous growth, Harrison Richardson (Senior Application Security Engineer at FloQast) expects the addition of new languages to the technology stack. 

Before adopting Semgrep, FloQast scanned their code using a homegrown static analysis tool. The biggest challenge with the homegrown tool was its inability to scale as the technology stack grew. 

FLoQast’s Application Security Engineers used the homegrown tool to write code scanning rules, but adding rules to support new languages involved a lot of heavy technical work. As FloQast continued its growth, Harrison realized the need for a commercial product that would help the security posture scale without affecting productivity.

FloQast meets Semgrep

The ability to reduce false positives by understanding how a tool works was vital in FloQast’s evaluation of different static analysis products. After evaluating a variety of products, Harrison decided to adopt Semgrep because of its simplicity and effectiveness. In addition to the transparency and customizability, the support for 25+ languages offered by Semgrep made Harrison confident about adopting Semgrep so as to get fewer false positives and scale their security program.

Since then, the Application Security team at FloQast has integrated Semgrep into its CI/CD pipeline. Every pull request (PR) goes through a Semgrep check.

Figure 1: An example of how Semgrep integrates with the developer workflow

When a security issue is detected, Semgrep posts a comment on the PR, and the application security team is alerted on Slack. Based on the investigation, one of the application security engineers evaluates if the issue is a false positive or true positive. Depending on the evaluation, the issue is either marked as a false positive or fixed by a developer.

Quick incident response + Ease of managing security policies

FloQast conducts an investigation after finding a critical security issue i.e. an incident. For FloQast, the biggest benefit of Semgrep has been the ability to respond to investigations within minutes.

An application security engineer finds out programmatically how the incident happened. The engineer then creates a regex from a relevant code snippet. This regex is used to write a custom Semgrep rule. 

Figure 2: FloQast engineers use the Editor to write and test custom rules

This custom rule is used to find if there are any new PRs that use the pattern in the rule. If there are, Semgrep blocks them. The security engineers conduct an investigation, fix PRs if required, and then merge them into the main branch. Thus, Semgrep has enabled FloQast to find critical issues, create custom rules, and monitor and address any code that triggers that custom rule - all within a few minutes. The process of securing code within minutes has given peace of mind not only to the application security team but also to the leadership team at FloQast.

FloQast has also benefited from Semgrep’s ease of managing security policies using the Rule Board. Rules can quickly be changed from blocking to non-blocking (and vice versa) by just dragging and dropping them in the respective columns.

Figure 3: The Rule Board helps FloQast easily manage rules

Conclusion

Semgrep has helped the application security team scale its security program to keep up with FloQast’s tremendous growth. Semgrep’s simplicity, transparency, and quick incident response workflow have enabled FloQast to secure its code and thus serve its customers with peace of mind.