How Lyft finds security issues that matter with Semgrep

About the security team at Lyft

Lyft’s product security team is responsible for the security of all its products. Their goal is to scale security by shifting left as much as possible through the building of tooling and processes that catch security issues early in the software development lifecycle.

Security before Semgrep

In order to shift left, finding issues specific to their code is very important as it drastically reduces the number of false positive issues surfaced to developers. The higher the number of false positives, the less likely developers can fix issues. Therefore Lyft needed a solution that could support custom rule writing and testing. Before Semgrep, the Lyft security team wrote custom rules with tools that proved to be too time-consuming. This meant spending hours writing rules and validating them. As a result, the Lyft security team realized they needed to be more efficient and began seeking out a SAST solution.

Ease of writing custom rules with Semgrep

The security team at Lyft chose Semgrep because it simplified writing custom rules and covered all coding languages used by Lyft. And, these custom rules enabled Lyft to find issues for its specific code and infrastructure. For example, an application security engineer can go days without needing to write or modify a custom rule, and Semgrep’s rule syntax makes it easy to start writing or modifying rules again. This allows them to spend their time on other pressing projects. Other SAST solutions didn't provide Lyft with this level of expertise, especially as it relates to their complex rule syntax. Lyft also adopted Semgrep because of its support for the necessary CI/CD tools and well-maintained Pro rules.

https://semgrep.dev/r?q=gitlab.bandit.B506

The security team at Lyft customizes rules like this by adding a couple of patterns to catch issues specific to their code

Semgrep Supply Chain helps significantly reduce noise

Lyft was using another product for scanning open source dependencies (SCA), which they found to be extremely noisy - so noisy that they could not surface the findings from that product to developers. With Semgrep Supply Chain’s reachability analysis, the security team at Lyft has more confidence in surfacing SCA findings to developers because they are now actionable. For example, the security team can now ask developers to fix the issues because there is proof that developers use the vulnerable dependencies in their code. Semgrep Supply Chain also points out the exact location and when the code was introduced, making it easy for developers to fix the issue and rule out false positives.

“Semgrep Supply Chain has helped reduce the noise by 95%”

When the Log4Shell vulnerability was announced, the security team at Lyft identified and remediated all instances of Log4Shell immediately. Semgrep Supply Chain helped in finding a non-production, internal instance of Log4Shell in a dependency. The security team at Lyft values the work that Semgrep’s security researchers put into analyzing each CVE and writing reachability rules for them. When a rule can be improved, the feedback process is straightforward and produces quality results.

The Semgrep Supply Chain findings are routed to Lyft’s own open source security graph tool - Cartography. The security team asks the developers to fix only the reachable findings from Semgrep Supply Chain. Thus, Semgrep Supply Chain has enabled the security team at Lyft to reduce the noise with actionable findings and shift left.

Looking forward

The security team is excited to try out Semgrep Assistant— which uses AI to auto-triage security issues and automatically recommend code fixes. Due to the significant time savings because of Semgrep Supply Chain, the security team is looking forward to scaling their security program by tightly integrating Semgrep into their workflow and enabling use cases such as writing more custom rules, improving current rules, and testing them out against all repositories.