Follow Datanami:
August 23, 2018

Spotting Bugs in a Searchable Code Database

A stealthy developer of a software analytics engine designed for scanning code to spot security holes and programming glitches surfaced this week with a pair of investors and a strategy for making code searchable in a database.

Aside from solving real-world problems, the approach also helped NASA land a rover on Mars in 2012.

Semmle, which has been working in the background with security teams at Google (NASDAQ: MSFT) and Microsoft (NASDAQ: MSFT) along with NASA, emerged from stealth mode on Tuesday (Aug. 21) with the disclosure of a $21 million funding round led by Accel Partners and Work-Bench, an enterprise technology venture fund. The San Francisco-based startup said the Series B round brings its venture funding total to $31 million.

Semmle is targeting its software analytics engine at enterprise customers unable to afford their own security research teams. The engine is described as allowing users to scour code using semantic queries to spot everything from coding errors to zero-day attacks in which hackers exploit an unknown software vulnerability.

The startup claims its analytics engine makes software code semantically searchable by combining database logic with object-oriented programming in languages such as Python. Semmle’s engine is based on its more than 100 database and programming patents used to develop what it calls “deep semantic code search.”

The startup’s LGTM analytics platform integrates semantic code search with data science techniques drawn from lessons on how code is written.

(LGTM refers to a phrase commonly used among developers when signing off on each other’s work, “Looks Good To Me.” The open source group behind LGTM is credited with spotting a security vulnerability in Apache Struts that contributed last year’s massive Equifax data breach).

The analytics platform is based on a query engine that allows researchers to transform source code into searchable relational data. The combination is touted as allowing developers to spot errors before a new version is released.

In a testimonial, Google’s vice president of engineering, Asim Husain, said the search giant is using the analytics platform to track down errors in source code underlying Google Ads. “We are able to track down not only the most serious vulnerabilities, but also their logical variants in our entire codebase so we can shut them down before they shut us down,” Husain said.

Along with the search giants and the space agency, Semmle said it has previously worked with software developers at Capital One (NYSE: COF), Credit Suisse (NYSE: CS) and the Nasdaq stock exchange.

Semmle’s collaboration with NASA was prompted by the discovery of a “mission-critical” bug in the Curiosity Rover’s flight software discovered in 2012 while en route to Mars. The bug was found in code responsible for the rover’s descent and landing software for executing a risky landing procedure in which the rover would be lowered to the surface using “sky crane.”

Engineers at the Jet Propulsion Laboratory ran a query provided by Semmle and pinpointed the original coding error along with more than 30 variants. Three were deemed critical to Curiosity’s descent and landing software.

NASA’s Curiosity rover landed safely at Gale Crater on Aug. 6, 2012.

Recent items:

Which Programming Language is Best for Big Data?

Python Gains Traction Among Data Scientists