Episode #274

Semgrep/OpenGrep, Saying "No" in Security

This week on the 274th episode of Absolute AppSec, Ken (@cktricky) and Seth (@sethlaw) cover a range of recent industry changes and developments. With no guest this week, the first guest-free episode in a while, they use the time to offer their own ‘hot takes.’ To listen to this episode, go to https://www.youtube.com/live/nZ7CBHaMJ4Y.

If you are looking to utilize LLMs in application security, you’re in luck! Seth and Ken are hosting another session of their virtual Harnessing LLMs for Application Security Training on February 20th and 21st. More details are available at training.absoluteappsec.com

“There’s this organization that’s built this community product that we’ve come to depend on, and now it’s closed-source, and now we have to pay for it. No more free lunch, right? If you think about it from the organization’s perspective, the developers want to get paid for what they’re actually doing. This is intrinsic to open-source, this is what happens over time. Developers actually have to put in time to build these products. And if they’re not supported by an organization, they need to survive at some level. I go back and forth on whether or not this is a bad thing for Semgrep to do.”

Seth

In this episode, our hosts discuss OpenGrep, a fork of Semgrep, and the broader implications of Semgrep’s recent licensing changes. Semgrep’s static analysis engine enables custom rule creation for finding vulnerabilities in code, which led many organizations to integrate its community edition rules into their products. Recently, however, Semgrep altered the licensing for its community rules, preventing vendors from bundling them into commercial products. This change prompted a response from several vendors, who created OpenGrep, a fork of Semgrep intended to keep the original licensing intact. Ken explains that while Semgrep’s previous licensing (LGPL 2.1) allowed both the engine and the community rules to be freely used, the recent change limits use of the community rules to internal security purposes only. The community can still use Semgrep as before, but security vendors embedding Semgrep into their products can no longer do so without restriction. Semgrep likely made this move to protect its commercial interests, as many competitors were leveraging its community-built rules without contributing back.
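For readers who have not written one, this is what a "community rule" of the kind the licensing change covers looks like. It is an added example for these notes, not a rule from Semgrep’s community registry or from OpenGrep; the rule id, message and metadata are assumptions, and the rule is intentionally narrow (a first-order pattern, not a full taint rule), so expect it to miss commands built up before the call.

```yaml
# Added example (not a Semgrep/OpenGrep community rule): flags Python
# subprocess calls that pass shell=True with a non-literal command string,
# the classic OS command injection shape (CWE-78). Run with:
#   semgrep --config subprocess-shell-true.yaml path/to/code
rules:
  - id: python-subprocess-shell-true-nonliteral   # assumed id
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC is called with shell=True and a command that is not
      a string literal. If any part of the command is attacker-controlled
      this is OS command injection. Pass a list of arguments and drop
      shell=True, or validate the input against an allowlist.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
      confidence: MEDIUM
    patterns:
      # Any subprocess.* call with shell=True anywhere in the argument list.
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # Exclude the case where the command is a plain string literal:
      # "..." matches any string literal in Python patterns.
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
      # Exclude f-strings that contain no interpolation is not needed;
      # an f-string with interpolation is what we want to catch, and it is
      # not a plain literal, so it stays flagged.
```

With this rule, `subprocess.run("ls -la", shell=True)` is not reported, while `subprocess.run(f"ls {user_dir}", shell=True)` and `subprocess.Popen(cmd, shell=True)` are. The `patterns` block is an AND of its clauses, which is why a positive `pattern` combined with a `pattern-not` carve-out is the usual way to cut false positives without writing a second rule.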

“Don’t get too hung up on the fact that there are these nuances, that there’s new stuff that’s coming out. It should be happening. It’s indicative of a thriving industry, an industry where research is happening, and people are trying to improve their process. […] Any tool is going to be pushed [to evolve].”

Seth

OpenGrep, backed by multiple security vendors, appears to be an effort to bypass Semgrep’s new licensing restrictions while retaining the ability to embed its results and features in their own products. Although it is framed as a community initiative, Ken and Seth critically examine whether OpenGrep is truly open-source altruism or a strategic business decision. Ken argues that rather than forking Semgrep, these vendors could have contributed to alternative AST-parsing-based projects. Instead, OpenGrep is essentially a means for vendors to keep benefiting from Semgrep’s functionality without the new licensing constraints. OpenGrep’s launch was immediately rocky, as an external critique highlighted various security and operational oversights in the project’s setup. Issues mentioned included its lack of proper branding, security and community engagement, its poor execution in creating a credible open-source alternative, and a potential lack of long-term sustainability if OpenGrep fails to evolve beyond a Semgrep clone. While these concerns are valid, there have been many previous cases where open-source projects transitioned into commercial products, such as Nessus, Snort, and OWASP ZAP. In those cases, similar tensions arose when the projects moved toward monetization, and some developers felt alienated. This may simply be part of the natural evolution of successful open-source tools.

This episode is sponsored by DryRun Security. DryRun Security is THE next class of static analysis tooling that finds the needle in your haystack of pull requests, stopping unknown risks before they start. Our LLM-powered Natural Language Code Policy goes beyond pattern-based scanning to catch nuanced authorization and business-logic flaws that traditional SAST tools miss. Define policies in plain English—no complicated rule-writing. That means fewer missed vulnerabilities, less developer friction, and more time to focus on real threats. It's a whole new approach to SAST that keeps you ahead of hidden risks.

Hey you! Yes, you! It’s time to support the podcast by repping a t-shirt or two. Visit the merch store to pick your desired color. Or just join Seth and Ken in Slack.

Stay Secure,

Seth & Ken

https://youtu.be/w8z987qtlpw - Episode #176 - What secrets are exposed to anyone who scans the internet? Security researchers at @RedHuntLabs reported on a large-scale study. Also: giving back by publishing relevant Semgrep rules, and a lack of access control in multiple IoT devices and services.

https://youtu.be/yjsE_DSnK5w - Episode #115 - Clint Gibler - Clint Gibler (@clintgibler) joins the podcast to talk about Static Analysis with Semgrep. Demonstrations of writing rules within Semgrep and how to use it. One of the initial episodes where we explore the power of Semgrep.

https://youtu.be/miaOUki5Eas - Episode #69 - Eric Ellett, Development vs. Security - Seth and Ken are joined by Eric Ellett (@EricEllett) to talk about software supply chain security. Development vs. Security and how to develop a good relationship with development instead of an antagonistic one.

Absolute AppSec Happenings

https://semgrep.dev/blog/2025/series-d-announcement/ - In light of all the discussion of OpenGrep and Semgrep, Semgrep announced another round of funding (Series D). Congratulations to that team on making the world more secure and helping build things that people care about.

https://youtu.be/_1f-o0nqpEI?si=fvcWb58t9-_zp70e - Jerry Gamblin shared this long video that breaks down DeepSeek, China, OpenAI and all sorts of good information related to LLMs. Well worth the watch if you have the time, even in snippets.

https://www.githax.com/ - Paul (@6mile on Slack) continues to build out portions of a software supply chain threat analysis tool/platform. Portions of it will be free/open source to help organizations identify threat actors.

Upcoming Events

Where in the world are Seth and Ken?

February 14-15, 2025 - CactusCon, Mesa, AZ - This week! Ken is speaking, Seth will make an appearance for drinks, discussions, and some Crocs & Socks.

February 20-21, 2025 - Harnessing LLMs for Application Security - Virtual Training - Next opportunity for the new course that focuses on strategies for using more than just the chat interface of an LLM to secure software.

March 6-7, 2025 - Apres-Cyber Slopes Summit - Seth will be presenting his Modern vs. 0ld 5k00l talk, where all the old vulnerabilities are new again.

March ??, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1, if you have specific dates you would like to see, please reach out (via email or Slack).

June 28-29, 2025 - DEF CON Trainings, Seattle, WA - Seth and Ken will present one of the courses. Watch this space for additional details once it is fully posted.