Skip to main content

REF2021 IMPACT CASE STUDY: Improving Software Security via Variant Analysis

Posted:

A unique approach to program analysis that enables the discovery and reporting of vulnerabilities in widely used software has benefitted product security teams at Google, Microsoft, Dell, and other technology giants. A research team led by Professor Oege de Moor developed an innovative program analysis solution that allows for automated application to complex problems and code.  

The technology is built on a novel approach to program analysis that combines two disparate disciplines, object-oriented programming and database logic. It treats source code as a relational database and analysis problems as queries against a database, meaning deep semantic analyses can be expressed as concise queries in an object-oriented query language. The creation of such queries is an order of magnitude quicker than previous methods of creating code analyses. 

The work paved the way for the foundation of spinout company Semmle, with its free open-source service providing wide economic and public benefit by enhancing the security of open-source code. Semmle’s success led to its acquisition by GitHub. 

We are very pleased to see our work usher in a new level of software security and provide wide economic and public benefit. This project’s unique approach to program analysis sits at the core of technological advancements in open-source used by developers and consumers across the globe. Professor Oege de Moor 

The impact 

Semmle has delivered business-critical benefit to numerous global clients including Behavox, Credit Suisse, Dell, Google, Microsoft, Mozilla, Murex, NASA, Nordea and Uber. It made its analysis engine freely available, used by more than 700,000 developers in 2020, and worked with commercial security teams and the open-source community to track vulnerabilities in widely used software. 

Microsoft incorporated Semmle automation into its code review processes, using it to analyse bugs and define queries. Nasdaq used Semmle to monitor development standards across its application portfolio. Nasdaq have also used Semmle analysis for strategic decision-making and budgeting, enabling improved tracking of projects, increasing efficiency and benefitting developers.   

Almost every software product used today relies on open-source code in its supply chain. Semmle has made a significant contribution to reliably securing such code, benefitting both software developers and consumers, and helping to ensure the growth and sustainability of open source.  

Find out more  

The full REF submission is available in this PDF.