We follow a rigorous information security program, a vendor risk assessment program and an incident response plan. Semgrep is founded on the principle of bringing the power and security of the SDLC to the rest of the developer community. Every member of the team is trained on and fully committed to our SDLC policy. We have a dedicated security team of 4 engineers and a security and compliance officer.
Core tenets of our security program include:
- Security awareness training
- Defined security requirements
- Defined metrics for acceptable risk
- Threat modeling
- Use of modern crypto libraries
- Securing 3rd party dependencies
- CI/CD pipeline with code review from a peer for every PR
- Static analysis on every PR
- Unit/integration tests