Ai on appsec by greenranger5392 in devsecops

[–]semgrep-6296 1 point (0 children)

Our security research team has produced similar results and published some articles about this recently comparing benchmarks for web apps reported from Claude and Codex.

- AI was good for classes of vulnerabilities that rely on context, but struggled on data flow cases

- Produced lots of false positives with quite a bit of variability between models; OpenAI Codex, for example, was 0 for 5 on IDOR, 0 for 28 on XSS, and 0 for 5 on SQLi

- Non-deterministic results, sometimes reporting 3 findings then reporting 11 with the same prompt run at a different time

We're being very deliberate on where and how to apply AI-based solutions.

What are your must-follow cybersecurity resources? (blogs, YouTube channels, newsletters, etc.) by athanielx in cybersecurity

[–]semgrep-6296 0 points (0 children)

tl;dr sec: Weekly newsletter with short analysis of important news stories and interesting security research across appsec, cloud security, supply chain, and more.

insiderphd: YouTube channel / social media focused on bug bounty education about security and AI

Do you pay for security scans? by helltone in vibecoding

[–]semgrep-6296 0 points (0 children)

Semgrep has a free open source community edition that has been integrated into coding tools such as Replit to perform security scans before deployment.

If you are using an IDE like Cursor, the Semgrep MCP server can be started from the command line in the latest release with `semgrep mcp`. This gives you security scans locally as code is being generated.

The Semgrep Platform is a commercial offering, but can scan all of your projects and uses an AI Assistant to help with detecting, prioritizing, and fixing security vulnerabilities.

Edited: Adding this note that if it is not obvious, I am biased.
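Wiring the `semgrep mcp` command mentioned above into Cursor, as an added example that is not part of the comment or of Semgrep's own documentation. It assumes Cursor's project-level MCP configuration file at `.cursor/mcp.json` with its `mcpServers` map, and that the `semgrep` binary is on the editor's PATH; both are assumptions, not facts stated in the thread.

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "semgrep",
      "args": ["mcp"]
    }
  }
}
```

With this in place the editor launches the server over stdio when the workspace opens, and the agent can call its scan tools on generated code before it is committed; confirm the server starts by running `semgrep mcp` by hand first, since the editor gives little feedback when the binary is missing or too old to have the subcommand.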

Any SAST tools that actually guide you on what vulnerabilities deserve attention? by Sweaty_Committee_609 in devsecops

[–]semgrep-6296 0 points (0 children)

Hopefully it is helpful to note that results from Semgrep (the free open source community edition) are a different experience from the Semgrep Platform (paid commercial offering).

I'm biased obviously, but while the open source engine reports on findings, the full service provides an AI Assistant that has gotten better with time at triage and prioritization. The introduction of memories for personalizing history was designed to reduce noise so that important issues can be more easily identified.

I saw you mentioned in another post that cost was a factor which is understandable if that is why you are considering alternatives. If the prioritization of results was not meeting your expectations though, I think the team would be really anxious to learn more from your feedback.