The personal site of Remco Vermeulen

> whoami

Welcome to my site!

I’m Remco Vermeulen, an application security enthusiast and program analysis tourist.

At the time of writing I’m a staff CodeQL analysis engineer at GitHub, where I help users of CodeQL automatically analyze their source code with the goal of finding and remediating security issues.

On my blog you can find my musings on CodeQL and write-ups of visits to other topics of interest.

CodeQL Path Graphs

Those working with GitHub Code Scanning have undoubtedly encountered the “show paths” functionality available on some alerts produced by CodeQL. The show paths functionality provides developers with a visualization of the data flow, showing the path from the source of untrusted data to the sink – the location of the alert – to help a developer understand how the security issue materializes. The path helps with identifying the location where a validation or contextual encoding step is missing.

Security code reviewing with CodeQL

In the post “Scaling application security with codified security knowledge” I discussed how codifying security knowledge acquired during manual security code reviews can help with scaling application security. In this post I would like to outline how one can use CodeQL in a security code review and codify the gaps in security knowledge uncovered during the review. To show how CodeQL can be used, I look at the similarities between the security code review process and the security query writing process, and at how each can improve the other.

Scaling application security with codified security knowledge

Explore how codified security knowledge can help scale application security