Why Microsoft Is Acquiring Code Analysis Company Semmle

By Amit Chowdhry • Sep 24, 2019
  • Microsoft recently announced it is acquiring San Francisco-based code analysis company Semmle. These are the details around the deal.

Microsoft recently announced that it has acquired Semmle, a San Francisco-based code analysis company whose engine lets developers write queries that identify code patterns across large codebases and so find vulnerabilities and their variants. Microsoft plans to integrate Semmle into its GitHub subsidiary. The terms of the deal were not disclosed.

“Security researchers use Semmle to quickly find vulnerabilities in code with simple declarative queries. These teams then share their queries with the Semmle community to improve the safety of code in other codebases,” said GitHub CEO Nat Friedman in a statement. “Software security is a community effort; no single company can find every vulnerability or secure the open-source supply chain behind everyone’s code. Semmle’s community-driven approach to identifying and preventing security vulnerabilities is the very best way forward.”

Semmle’s products include QL, a declarative query language and analysis engine for automated variant analysis: once a product security team has diagnosed one critical vulnerability, it can query the codebase for every other place the same conditions hold. Founded in 2006, Semmle is used by Google, Uber, and NASA. Existing customers will not see any disruption as a result of the acquisition.

“At Semmle, we aim to secure software, together. Security researchers discover and study new vulnerabilities to diagnose the conditions that made the code vulnerable. They express those conditions as simple queries over code. Those queries can be shared and refined, making it easier to collaborate and eliminate a whole class of vulnerabilities,” wrote Semmle CEO Oege de Moor in a blog post. “Developers see the results of those queries directly in their code reviews, making sure that once diagnosed, a new type of vulnerability is eradicated forever. Developers work together with security researchers to refine queries, creating a virtuous cycle of ever deeper analysis and vulnerability fixes. As a result, consumers of open source get more secure, trustworthy frameworks to build on.”
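To make concrete what "a simple declarative query over code" looks like, here is a variant-analysis query of the kind described above and in the opening paragraph. It is an added illustration written for this article, not code from Semmle, GitHub or Microsoft, and it assumes a C/C++ codebase analysed with the CodeQL (Semmle QL) standard library for C/C++; the query name, the list of unbounded copy functions and the chosen pattern (an unbounded copy whose destination is a fixed-size local array) are the author's own choices for the example.

```ql
/**
 * @name Unbounded copy into a fixed-size stack buffer (illustrative query)
 * @description Flags calls to strcpy/strcat/sprintf whose destination is a
 *              local array. After one such overflow is diagnosed, this query
 *              finds the remaining variants of the same pattern in a codebase.
 * @kind problem
 * @problem.severity warning
 */

import cpp

from FunctionCall call, LocalVariable buf
where
  // Assumption for the example: these three libc functions are the
  // "unbounded copy" family the hypothetical diagnosed bug belonged to.
  call.getTarget().hasGlobalName(["strcpy", "strcat", "sprintf"]) and
  // The first argument of each is the destination buffer.
  call.getArgument(0) = buf.getAnAccess() and
  // Only report destinations that are fixed-size arrays, i.e. stack buffers
  // whose length the copy does not check.
  buf.getType().getUnspecifiedType() instanceof ArrayType
select call,
  "Unbounded copy into fixed-size local buffer '" + buf.getName() + "'."
```

Run against a CodeQL database of the target project, every result is a call site sharing the conditions that made the original bug exploitable; the same query can then be shared and refined so that the pattern is caught in future code reviews rather than rediscovered one instance at a time.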