Erin Browning

Erin Browning is a computer security researcher. She has worked at Latacora as a senior engineer and HCSC as a red team member. Currently, she works at Slack in product security. She teamed up with @fbz to create the cryptography scarf puzzle for Hushcon 2019.

The speaker's profile picture


Free as in Beer: Building a low cost static analysis program
Erin Browning, Tim Faraci

Static analysis can be expensive, time consuming, full of false positives, a pain in the rear to manage multiple languages, and not very configurable. But no more! At Slack, we’ve designed a static analysis program which utilizes one free, highly configurable tool to scan over 60 different codebases in six languages and has saved us over $700,000 annually. Semgrep, an open source static analysis engine, uses highly configurable rules. Tuning these rules to our specific environment saves developer time while providing useful guard rails against dangerous code patterns. We’ve been able to reduce false positives by over 80%, and we’ve removed rules that don’t apply in our environment. Adding a new codebase to our scanning pipeline adds almost no additional overhead; we merely add one line to a file to enable the scans and review new results. Implementing our program this way has allowed us to meet our compliance requirements while providing a useful, low overhead static analysis program.

The Point
Free as in Beer: Building a low cost static analysis program (Demo Time)
Erin Browning

We will demo tuning static analysis rules to specific environments. Attendees will need to download Semgrep, the static analysis engine our program is based upon, beforehand. We have tuned our rules extensively, which has greatly reduced our false positive rate.

Workshops & Demos
The Lawn - Beta