
Dark Reading | Analytics | Products and Releases
8/21/2018 08:01 AM

Semmle Launches Globally with $21 Million Series B Investment Led by Accel Partners

Google, Microsoft, NASA and Nasdaq use Semmle's software engineering analytics to secure the software that runs the world

SAN FRANCISCO, August 21, 2018 — Semmle, a software engineering analytics platform, is launching globally today alongside the announcement of its $21 million Series B, led by Accel Partners, and with participation from Work-Bench. Developers and IT leaders at Capital One, Credit Suisse, Google, Microsoft, NASA and Nasdaq trust Semmle to help them create more secure and reliable code without slowing down. The investment, which brings Semmle’s total funding to $31 million, will be used to accelerate its go-to-market efforts serving large technology and financial services companies around the world. As part of the investment, Accel’s Ping Li and Vas Natarajan will join the board of directors.

Building and securing modern software applications and operating systems has become far more expensive and complex to manage. Windows contains tens of millions of lines of code; the software in a connected car includes approximately 100 million lines; and Google's portfolio of internet services includes about two billion lines. Today it is difficult for CIOs and engineers to trust that their code is secure and reliable, and even harder to see who is working on what or where problems exist in the development pipeline. Critical vulnerabilities and 0-days that can expose customers' data and do irreparable damage to a brand (such as the Semmle-discovered Apache Struts vulnerability, a close relative of the one that led to the Equifax breach) often go unnoticed.

Semmle addresses the hard problem of making code semantically searchable by combining two distinct and seemingly incompatible disciplines: object-oriented programming and database logic.

“The greatest scientific and technological breakthroughs throughout history resulted from combining different disciplines, such as the use of computer science and biology to sequence the human genome,” said Dr. Oege de Moor, CEO of Semmle. “We built Semmle on this same principle, bringing together our 100+ patents in database technology and programming to enable deep semantic code search. With Semmle, CIOs, developers and security researchers can finally answer previously unanswerable questions about their code to find coding mistakes and 0-days that would otherwise be invisible.”

Software Engineering Analytics that Developers Love and CIOs Trust

Semmle's LGTM analytics platform combines deep semantic code search with data science insights from its community of 500,000 developers to help them better understand their code, engineering processes and people. LGTM stands for "Looks Good to Me," a term commonly used by developers to sign off on each other's work. LGTM is powered by QL, a query engine that lets developers and security researchers turn their source code into searchable relational data in order to spot critical errors, and logical variants of those errors, that are very hard to find any other way. The platform also uses AI techniques to present actionable recommendations for improvement to developers and managers, building on the data from the user community.
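To make the "code as relational data" idea concrete, here is an added illustration that is not Semmle's QL and not code from the original page. It uses Python's own `ast` module to turn a module into two relations (calls and formal parameters), then runs a single query, a join of the two relations, that finds shell-execution sinks receiving a function parameter. The sample program, the sink list and the function names are constructed for this example; the point is that the same query catches every variant of the pattern (`subprocess.call`, `subprocess.Popen`, `os.system`) without a separate grep for each.

```python
"""Toy 'code as a database' query: an added example, not Semmle's QL engine."""
import ast
from typing import FrozenSet, List, NamedTuple, Tuple


class Call(NamedTuple):
    func: str                   # name of the enclosing function
    callee: str                 # dotted callee, e.g. "subprocess.call"
    line: int
    arg_names: FrozenSet[str]   # identifiers mentioned in positional args
    shell: bool                 # shell=True keyword present


class Param(NamedTuple):
    func: str
    name: str


# Constructed sample program (hypothetical; not from the original page).
SAMPLE = '''
import os, subprocess

def run_report(user_input):
    subprocess.call("report " + user_input, shell=True)

def run_alias(cmd):
    p = subprocess.Popen(cmd, shell=True)
    return p

def legacy(name):
    os.system("cat " + name)

def safe(unused):
    subprocess.call(["ls", "-l"])
'''

# Sinks assumed for the example: these spawn a shell only when shell=True ...
SHELL_IF_FLAG = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                 "subprocess.check_output"}
# ... and this one always does.
ALWAYS_SHELL = {"os.system"}


def _dotted(node: ast.AST) -> str:
    """Render a callee expression as a dotted name; '' if it is not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


def build_tables(source: str) -> Tuple[List[Call], List[Param]]:
    """Extract the two relations (calls, params) from a module's AST."""
    tree = ast.parse(source)
    calls: List[Call] = []
    params: List[Param] = []
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        params.extend(Param(fn.name, a.arg) for a in fn.args.args)
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            names = {n.id for arg in node.args
                     for n in ast.walk(arg) if isinstance(n, ast.Name)}
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            calls.append(Call(fn.name, _dotted(node.func), node.lineno,
                              frozenset(names), shell))
    return calls, params


def is_shell_sink(c: Call) -> bool:
    """Row predicate: does this call hand its arguments to a shell?"""
    return c.callee in ALWAYS_SHELL or (c.callee in SHELL_IF_FLAG and c.shell)


def find_param_to_shell(source: str) -> List[Call]:
    """The query: join calls with params on the enclosing function name and keep
    shell sinks whose arguments mention one of that function's parameters.
    One query covers every sink variant; adding a sink is a one-line change."""
    calls, params = build_tables(source)
    param_set = {(p.func, p.name) for p in params}
    return [c for c in calls
            if is_shell_sink(c) and any((c.func, n) in param_set for n in c.arg_names)]


if __name__ == "__main__":
    for hit in find_param_to_shell(SAMPLE):
        print(f"line {hit.line}: {hit.func} passes a parameter into {hit.callee}")
```

Running it flags `run_report`, `run_alias` and `legacy` and leaves `safe` alone. The name-based join is deliberately crude (a real engine tracks data flow through assignments and across calls), but it shows why the relational model scales: the "variant" question is just a wider WHERE clause over tables that were built once.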

“My team needs to take advantage of the best tools available to keep Google Ads running and avoid exposing this critical system to risk,” said Google VP of Engineering and Semmle customer Asim Husain. “With Semmle, we are able to track down not only the most serious vulnerabilities, but also their logical variants in our entire codebase so we can shut them down before they shut us down. Semmle is the only solution that can do this and plays an important role in our engineering and security strategy.”

CIOs and development managers also use LGTM’s analytics to see how their engineering teams and individual developers are performing, and can benchmark the vulnerabilities in their code bases against other projects.

Backed by 10 years of development, 100+ Patents and 30+ PhDs

Semmle was co-founded by De Moor, a distinguished computer scientist and 20+ year Oxford professor, and his former PhD students, Pavel Avgustinov and Julian Tibble. Together, they've built a team of more than 60 cross-functional experts: computer scientists, biochemists, astrophysicists, clinical scientists and mathematicians, more than half of whom hold PhDs. The Semmle team spent 10 years researching and creating the solution that is now the QL engine behind Semmle’s LGTM platform; they now hold 82 technology patents, with an additional 25 patents pending.

“The stakes have never been higher for securing the world’s software,” said Accel’s Ping Li. “By making code searchable in a database, Semmle is redefining what’s possible in terms of fidelity of the analysis. It’s why Semmle is already trusted by the most innovative and valuable organizations in the world like Google and Microsoft.”

To learn more about Semmle, please visit https://www.semmle.com.

About Semmle

Semmle secures the software that runs the world with analytics developers love and CIOs trust. Software engineering and security teams at Credit Suisse, Dell, Google, Microsoft, NASA and Nasdaq depend on the Semmle analytics platform to create more reliable and trustworthy code without slowing down. Headquartered in San Francisco, Semmle is a privately held company funded by Accel, with additional offices in Copenhagen, New York City, Oxford, Seattle and Valencia, Spain. For more information, visit https://www.semmle.com

Comments
markgrogan, User Rank: Strategist, 11/28/2018 5:16:43 AM
When several industry
When several industry giants all come forward to make use of a platform that they deem as appropriate, we all know for sure that there is no doubting it. This is just what they need to emerge together as one united service provider for the greater good of consumerism. They can most definitely label the software as the one outlet to rule the world because that is basically what it actually does.