Inside the World of a Supply Chain Security Researcher: A Day in the Life

Original Post: A day in the life: Supply Chain Security Researcher

This content outlines a typical day for a Semgrep Security Researcher on the Software Supply Chain (SSC) Team. It explains how they evaluate and prioritize security vulnerabilities in open-source software packages. Their tasks include writing Semgrep rules to help users address critical issues, manually reviewing high and critical severity advisories, leveraging data science to improve coverage, and using internal tools for automating rule writing processes.

Key steps in their process are:

  1. Analysis: Understanding the vulnerability and identifying the vulnerable code.
  2. Rule Construction: Writing specific rules to match the analysis.
  3. Rule Testing: Ensuring the rules work correctly without false positives or negatives.
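
To make the three steps concrete, here is an added example of a Supply Chain rule built the way the post describes; it is not code from the post or from Semgrep's own rule registry, and the package name, function, version range and advisory URL are placeholders. The analysis step fixes which function and which versions are affected, the construction step expresses exactly that, and the exclusion at the end is the kind of refinement the testing step produces.

```yaml
rules:
  - id: example-lib-unsafe-load            # hypothetical rule id
    message: >-
      example_lib.load() is called here; releases before 2.0.0 are affected
      by a (placeholder) deserialization advisory. Upgrade, or pass safe=True.
    severity: ERROR
    languages: [python]
    # Step 1 (Analysis): only the vulnerable function matters, and only while
    # an affected version is installed. The version constraint keeps the rule
    # silent for projects already on a patched release.
    r2c-internal-project-depends-on:
      namespace: pypi
      package: example-lib                  # placeholder package name
      version: "< 2.0.0"                    # placeholder affected range
    # Step 2 (Rule Construction): match the vulnerable call, however imported.
    patterns:
      - pattern-either:
          - pattern: example_lib.load(...)
          - pattern: |
              import example_lib
              ...
              example_lib.load(...)
      # Step 3 (Rule Testing) caught that the documented safe form is not
      # vulnerable, so it is excluded to avoid a false positive.
      - pattern-not: example_lib.load(..., safe=True)
    metadata:
      category: security
      confidence: HIGH
      references:
        - https://example.invalid/advisory  # placeholder
```

For the testing step, Semgrep's `--test` mode runs the rule against a sibling source file in which `# ruleid: example-lib-unsafe-load` marks lines that must match and `# ok: example-lib-unsafe-load` marks lines that must not, which is how both false positives and false negatives are pinned down before a rule ships.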

The post shares examples of well-written advisories that facilitate their work and those that require more intense scrutiny. It emphasizes the importance of detailed advisories and mentions a talk one of their researchers gave on this subject. The content concludes with an invitation to join their 2025 Summer Internship Program and ways to provide feedback or engage with the team via their Careers Page, contact link, or Community Slack Channel.
