Announcing Lightspeed Growth’s Investment in Semgrep: Security for Engineers

The holy grail in security is one where all code touched by developers is secure at the outset — new code written, default libraries, and any services employed. This is why every modern CISO we speak with believes in shift left — incorporating security at the very beginning of the software development lifecycle.

However, this north star eludes even the best security teams who are always short on both time and people. Network security, endpoint security and cloud security are ultimately reactive “walls” around inherently insecure software code. Yet, while all the big public security vendors have built endpoint and network security solutions, none have been able to find an insertion point to truly shift left and win the hearts and minds of developers.

Enter Semgrep. Many developers are already familiar with Semgrep’s OSS engine, a lightweight static analysis tool loved and used by developers, which secured code in over 30M scans last year alone. On top of their OSS engine, the company has two core products today (and more to come): Semgrep Code (SAST), which allows organizations to deploy, manage and monitor Semgrep at scale and leverage both the community and Pro rules to surface issues in the codebase; and Semgrep Supply Chain (SCA), which flags code that contains any OSS vulnerabilities. Semgrep’s application security platform is critical for the security teams at Dropbox, Figma and Snowflake. And today, Lightspeed’s Growth Team is excited to announce that we are leading Semgrep’s Series C with a $53M investment alongside our friends at Felicis, Redpoint and Sequoia.

At Lightspeed, we have a long history of investing in iconic security companies. Behind each of these companies are visionary product leaders, and that perfectly describes the founders of Semgrep (formerly r2c) — Isaac Evans, Drew Dennison and Luke O’Malley. They are passionately building a generational security company that prevents key vulnerabilities from being released to production while frictionlessly fitting into a developer’s workflow. Semgrep has created a platform that helps every business set secure defaults and then ensure developers adhere to them.

As we spoke to more and more customers during our research process, they not only raved about the vulnerabilities Semgrep was flagging and preventing out of the gate, but also Semgrep’s ability to deliver significant dividends over the long-run, serve as the core pillar of their AppSec program and reduce overhead for their security team. We also kept hearing of a number of areas where the Semgrep team was differentiating, including: their high signal-to-noise ratio in flagging the vulnerabilities that matter, compatibility with modern programming languages, the ease of writing custom rules and the speed of the product. For many security teams, Semgrep represented a step function change from any solution they had tried in the past. It is a product that provides value immediately, is seamless to get up and running and can easily be customized to any enterprise.

In the words of Semgrep’s Head of Research and author of the must-read security blog tl;dr sec Clint Gibler, “It’s impossible to find every bug, no matter how advanced your tools are. Instead, the key to scaling security is to build secure-by-default libraries and tools that developers can use to prevent entire classes of vulnerabilities by construction, and then make sure developers use them.”

Finally, this is one of the highest quality technical teams we have come across and they continue to maintain an intensely high bar as the company scales (Semgrep is hiring for anyone interested!). We are honored to be partnering with the full Semgrep team in their journey to make every company ‘secure by default’ and could not be more excited for the road ahead.

The Semgrep team and Lightspeed at dinner with Luke, who could not make it, photoshopped in.

-By Will, Anoushka, Sebastian, and Nathan, on behalf of the Lightspeed Growth Team
