UPDATED 08:00 EDT / AUGUST 21 2018
Semmle lands $21 million in its bid to automate software

Software quality firm Semmle Ltd. has been toiling in relative anonymity for the past four years, but that hasn’t stopped it from racking up customers such as Capital One, Credit Suisse Group AG, Google Inc., Microsoft Corp. and Nasdaq Inc. Today, it’s launching formally and announcing a fresh $21 million in funding from a group led by Accel Partners LP.

Semmle helps software developers find bugs and security vulnerabilities in code using a combination of complex queries and crowdsourcing. Its LGTM platform compiles code to a relational snapshot database and uses a declarative, object-oriented query language for inspection. The product name is a tongue-in-cheek reference to the common programmer sign-off phrase “looks good to me.”

“Inspection tasks that used to take seven weeks now take 20 minutes,” said Chief Executive Oege De Moor, a former Oxford University professor who started the company with two of his former doctoral students. Semmle says it can also find more bugs and vulnerabilities because its queries search the entire code database. One financial institution that thought it had isolated two serious security problems was able to find 44 more instances in its code base by using queries, De Moor said.

For all the sophisticated tools that have been brought to the discipline of software development, code inspection has changed little over the years. It’s a line-by-line process that relies heavily on the experience of developers to spot errors and security flaws.

When looking for known vulnerabilities, inspectors often have little more than text search at their disposal. As the volume of code grows (Google reportedly maintains 86 terabytes of data comprising 2 billion lines of code), the task quickly outstrips the ability of humans to manage it.

Semmle combines object-oriented programming and database logic to store not just code but information about its relationships and dependencies. Developers use a SQL-like custom query language called QL to run complex queries over that data: a vulnerability is described once in generalized terms, and the query is then applied to find other occurrences of the same problem. QL can therefore surface both bugs that are identical to the one specified in a query and logical variations of the same mistake.
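To make the approach described above concrete, here is an added illustration that is not Semmle's code and does not use QL: it parses a small constructed Python sample into a relational snapshot (SQLite tables for functions, calls and call arguments, all names chosen for this example) and then runs one declarative query that matches a generalized description of a mistake, SQL text assembled from a dynamic string and passed to `execute()`, regardless of which concrete syntax (concatenation, `%`, `str.format`, f-string) each instance used.

```python
"""Added example (not Semmle's code): a toy "relational snapshot" of Python
source plus a declarative query over it, illustrating the idea of compiling
code into a database and querying it for every variant of one bug.
The tables, the sample source and the query are constructed for this example."""
import ast
import sqlite3

# Constructed sample source: four ways of building SQL from a parameter,
# plus one parameterised call that the query must not flag.
SAMPLE_SOURCE = '''
def lookup_by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def lookup_by_id(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = %s" % uid)

def lookup_by_email(cur, email):
    cur.execute("SELECT * FROM users WHERE email = '{}'".format(email))

def lookup_by_tag(cur, tag):
    cur.execute(f"SELECT * FROM posts WHERE tag = '{tag}'")

def lookup_safe(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
'''

# Hypothetical snapshot schema: one row per function, call and call argument.
SCHEMA = """
CREATE TABLE functions(id INTEGER PRIMARY KEY, name TEXT, lineno INTEGER);
CREATE TABLE calls(id INTEGER PRIMARY KEY, func INTEGER, callee TEXT, lineno INTEGER);
CREATE TABLE call_args(call INTEGER, position INTEGER, expr_kind TEXT);
"""

def classify_expr(node):
    """Label how an expression is built; 'dynamic_string' covers the
    concatenation, %-format, str.format and f-string shapes of one mistake."""
    if isinstance(node, ast.JoinedStr):
        return "dynamic_string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "dynamic_string"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "dynamic_string"
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return "string_literal"
    return "other"

def callee_name(node):
    """Return the simple name of a call target (the attribute or bare name)."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None

def build_snapshot(source):
    """Parse source and load a relational snapshot into an in-memory SQLite DB."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    tree = ast.parse(source)
    for fn in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        row = db.execute("INSERT INTO functions(name, lineno) VALUES (?, ?)",
                         (fn.name, fn.lineno))
        fid = row.lastrowid
        for call in [n for n in ast.walk(fn) if isinstance(n, ast.Call)]:
            name = callee_name(call.func)
            if name is None:
                continue
            c = db.execute("INSERT INTO calls(func, callee, lineno) VALUES (?, ?, ?)",
                           (fid, name, call.lineno))
            for pos, arg in enumerate(call.args):
                db.execute("INSERT INTO call_args VALUES (?, ?, ?)",
                           (c.lastrowid, pos, classify_expr(arg)))
    return db

# The generalized query: any execute() whose first argument is assembled
# dynamically, whatever concrete syntax the author happened to use.
VARIANT_QUERY = """
SELECT f.name, c.lineno
FROM calls c
JOIN functions f ON f.id = c.func
JOIN call_args a ON a.call = c.id AND a.position = 0
WHERE c.callee = 'execute' AND a.expr_kind = 'dynamic_string'
ORDER BY c.lineno
"""

def find_dynamic_sql(source=SAMPLE_SOURCE):
    """Return (function name, line) for every variant the query matches."""
    db = build_snapshot(source)
    return db.execute(VARIANT_QUERY).fetchall()

if __name__ == "__main__":
    for name, line in find_dynamic_sql():
        print(f"{name} (line {line}): SQL built from a dynamic string")
```

Running it reports the four functions that build SQL text dynamically and leaves the parameterised `lookup_safe` alone. The point of the design is the separation the article describes: the expensive step (turning code into relations) happens once, after which new questions about the code base are cheap, declarative queries rather than fresh line-by-line reading.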

Semmle claims its team of 60 cross-functional experts, more than half of whom hold Ph.D.s, holds 82 patents on the technology, with an additional 25 pending. Among its achievements was its discovery late last year of the Apache Struts flaw, which affected an estimated 65 percent of websites hosted by Fortune 100 companies.

Behind the software is a community of more than a half million developers and testers who contribute their findings to a shared query database, enabling users to benefit from the sleuthing of others. The company said it also uses artificial intelligence techniques to present recommendations for improvement based on community input.

Semmle has released QL under an Apache open source license and makes its full platform available at no charge to coders working on open-source projects.

The new Series B funding brings Semmle’s total raised to $31 million. As part of the investment, Accel general partner Ping Li and partner Vas Natarajan are joining the startup’s board.

A message from John Furrier, co-founder of SiliconANGLE: