Company wide SAST

45 min
Defensive Track

At Yandex, developers use a wide range of VCS and CI/CD systems, and the security team has more than a dozen tools. For static analysis, we have commercial, open-source, and proprietary tools. But without a single entry point, those tools would have poor coverage, a high false-positive rate, and a low bus factor.

To solve these problems, we developed the imPulse orchestrator, which unifies how analyzers are launched, how their reports are handled, and how findings are triaged.

imPulse supports the traditional scenario of scheduled scans as well as on-demand security audits inside CI/CD systems. A single interface to the static analysis tools lets us find problems and vulnerabilities specific to Yandex across the entire code base. To do this, we use analyzers such as Semgrep and CodeQL. In this presentation, we will describe the problems we face and where we get ideas for custom rules.

Aleksei Meshcheriakov
Alexander Kaleda
Evgenii Protsenko