'Inside Security' with Emma Jin (Engineering Manager, Semgrep)
Developer-first tools have become a fixture of security work. They integrate into a developer's workflow and surface vulnerabilities in the IDE or the pull request, "shifting security left" by running checks while the code is still being written. Whether the check is static application security testing (SAST), software composition analysis (SCA), secrets detection, or container image scanning, a finding is cheapest to fix when it reaches the developer while the code is still in front of them. Platforms like Snyk and Semgrep are examples of application security tools that integrate at this early point in the process.
In this edition of ‘Inside Security’ we feature Emma Jin, Engineering Manager at Semgrep, to explore how the company is reshaping the way organizations think about securing code. Our conversation delved into the challenges of scaling application security, the importance of developer trust, and the unique philosophy driving Semgrep’s mission.
Developer-First Security: The Heart of Semgrep
At its core, Semgrep is guided by a simple but powerful principle: security must be developer-first. The collaboration between developers and security teams is key to building trust and fostering effective security practices.
Trust is a cornerstone of security. It has two parts: an assessment of whether something is trustworthy, and a policy for how much attention to spend verifying outcomes. Trust and verify. These are independent decisions, not mutually exclusive ones. A pivotal part of earning a developer's trust is reducing false positives.
“False positives matter—a lot. When false positives exceed a certain threshold, people lose trust in the tool. Low trust in the tool leads to genuine issues being dismissed as false positives, which further erodes trust.”
This sentiment resonates across the industry: once a tool is noisy, findings get dismissed wholesale, and real vulnerabilities are overlooked along with the noise.
The goal of giving developers actionable findings they can fix efficiently without leaving their workflow drives most people in security; at Semgrep it is the organizing principle.
The Evolving Role of SAST Tools
Static Application Security Testing (SAST) tools like Semgrep are evolving rapidly to meet the growing demands of modern developers.
“What excites me most is the shift in expectations. Developers today demand tools that run quickly, integrate seamlessly with their workflows, and offer low false-positive rates. This evolution reflects a broader change in how security is perceived—not as an afterthought but as an integral part of the development lifecycle.”
The onus is on security tools to provide actionable outcomes that deliver tangible value. This is not easy: it requires striking a delicate balance between precision and usability.
Security tools must not only identify vulnerabilities but also provide developers with clear, contextualized guidance on how to address them. This means reducing noise, prioritizing high-impact issues, and seamlessly integrating into existing developer workflows without adding friction.
"It’s a complex challenge, demanding deep technical expertise and an intimate understanding of developer psychology. When done right, it transforms security from a perceived burden into an enabler, empowering teams to build resilient, secure applications without slowing down innovation."
The Challenge of Balancing Personas
One of the most significant challenges SAST companies face is balancing the needs of their two primary personas: developers and security leaders.
While developers prioritize usability and seamless integration, security leaders often focus on high-level reporting and overall posture. These distinct priorities create a natural tension, as what works for one group may not immediately align with the needs of the other.
"This duality requires a careful approach to product development. To meet these demands, it’s essential to align closely with customer feedback, actively dogfood the product, and stay true to a developer-first philosophy. These strategies ensure the product delivers true value across both personas, fostering trust and usability for developers while supporting the strategic goals of enterprise security leaders."
The Role of Education in Empowering Security Practices
For security companies striving to make a lasting impact, education isn't a side project; it's a cornerstone of their value. Security is inherently complex and evolves rapidly. Many people struggle to keep pace, which positions security vendors to deliver not only tools but also education on best practices for securing systems.
For security companies this should be more than a guiding philosophy: it must be embedded directly into the product.
"For example, at Semgrep, we ship a thoughtfully designed set of default rules targeting common and impactful vulnerabilities like SQL injection and XSS (cross-site scripting) attacks. These default rules enable users to achieve meaningful security improvements right out of the gate, even if they lack a sophisticated security program. We don’t want users to feel like they need to have an amazing security program before they can think about using security tools. The goal of every security company must be to lower the barrier to entry by providing actionable, high-confidence rules that demonstrate immediate value."
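As an added illustration of the two default-rule targets named above (not code from the article or from Semgrep), here is a Python pair for each: the SQL injection and reflected XSS shapes a default ruleset flags, beside their fixes. The database rows, the injection payload and the Semgrep-style pattern quoted in a comment are constructed for this example and do not name a specific registry rule.

```python
import html
import sqlite3


def _seed_db() -> sqlite3.Connection:
    # Constructed in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_role_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Builds the query with an f-string. This is the shape a default SQL
    # injection rule flags, e.g. an illustrative Semgrep pattern such as
    #   $CONN.execute(f"...")
    # because attacker-controlled text becomes part of the SQL grammar.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_role_fixed(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the driver sends the value separately from the
    # statement text, so quotes in the input cannot change the query.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def greet_vulnerable(name: str) -> str:
    # Reflects untrusted input straight into HTML: the reflected XSS shape.
    return f"<p>Hello, {name}!</p>"


def greet_fixed(name: str) -> str:
    # Escapes the untrusted value before it reaches markup.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo() -> dict:
    conn = _seed_db()
    # Constructed injection payload: closes the string literal and makes the
    # WHERE predicate always true, so every row leaks from the vulnerable path.
    payload = "x' OR '1'='1"
    xss = "<script>alert(1)</script>"
    return {
        "vuln_rows": lookup_role_vulnerable(conn, payload),
        "fixed_rows": lookup_role_fixed(conn, payload),
        "vuln_html": greet_vulnerable(xss),
        "fixed_html": greet_fixed(xss),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable lookup returns all three rows for the payload while the parameterised one returns none, and the escaped greeting keeps the script tag inert; a default rule that flags the f-string query and the unescaped interpolation catches exactly these two shapes.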
Insights on how Semgrep does this effectively
Trust is once again the key element here. To earn it, Semgrep lets teams first run rules in a non-blocking, monitor-only ("silent") mode, observing results without disrupting workflows. Once developers see the tool consistently flagging relevant issues, they can expand its use with confidence, tuning rules to their codebase's conventions to reduce noise before letting them block merges or builds.
"The first interaction developers have with a new security tool is critical. If it’s accurate and helpful, it builds trust, which can then be leveraged to introduce more nuanced capabilities over time."
Semgrep also leverages artificial intelligence to make security simpler and more accessible. AI helps lower the barrier to rule creation, enabling teams to encode best practices with minimal effort. It also provides essential context—distinguishing, for example, between legitimate vulnerabilities in test files versus production code. By synthesizing context, AI empowers teams to focus on what’s truly important and reduces noise that might otherwise undermine trust in the tool.
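The staged rollout described two paragraphs above (monitor first, tune, then block) and the test-versus-production distinction mentioned here can be expressed as a small CI gate over Semgrep's JSON findings. This is an added example, not Semgrep's own code or product logic; the findings and check IDs are constructed, and only the `check_id`, `path`, `start.line` and `extra.severity` fields of the `--json` output shape are assumed.

```python
import fnmatch
import json

# Constructed sample in the shape of `semgrep --json` output. The check IDs
# are made up; only the four fields read below are assumed to exist.
SAMPLE_OUTPUT = json.dumps({
    "results": [
        {"check_id": "example.sqli.formatted-query", "path": "app/db.py",
         "start": {"line": 42}, "extra": {"severity": "ERROR"}},
        {"check_id": "example.sqli.formatted-query", "path": "tests/test_db.py",
         "start": {"line": 7}, "extra": {"severity": "ERROR"}},
        {"check_id": "example.xss.unescaped-template", "path": "app/views.py",
         "start": {"line": 18}, "extra": {"severity": "WARNING"}},
        {"check_id": "example.style.print-left-in", "path": "app/views.py",
         "start": {"line": 3}, "extra": {"severity": "INFO"}},
    ]
})

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def triage(raw_json: str, mode: str, block_at: str = "ERROR",
           exclude_globs: tuple = ("tests/*", "**/test_*.py")) -> dict:
    """Split findings into 'blocking' and 'monitor' buckets.

    mode 'monitor' reports everything and blocks nothing (the silent first
    phase); mode 'block' fails the build on findings at or above `block_at`.
    Paths matching exclude_globs are dropped in both modes, which is the
    test-code noise reduction described above, done by path rather than by AI.
    """
    if mode not in ("monitor", "block"):
        raise ValueError(f"unknown mode: {mode}")
    findings = json.loads(raw_json)["results"]
    excluded, monitor, blocking = [], [], []
    for f in findings:
        ident = f"{f['check_id']}@{f['path']}:{f['start']['line']}"
        if any(fnmatch.fnmatch(f["path"], g) for g in exclude_globs):
            excluded.append(ident)
            continue
        sev = f["extra"]["severity"].upper()
        if mode == "block" and SEVERITY_RANK[sev] >= SEVERITY_RANK[block_at]:
            blocking.append(ident)
        else:
            monitor.append(ident)
    return {
        "blocking": blocking,
        "monitor": monitor,
        "excluded": excluded,
        # Non-zero exit is what a CI job turns into a failed check.
        "exit_code": 1 if blocking else 0,
    }


if __name__ == "__main__":
    for mode in ("monitor", "block"):
        print(mode, triage(SAMPLE_OUTPUT, mode))
```

In monitor mode the gate never fails the job, which is the phase in which a team watches whether the findings are worth acting on; switching to block mode with the same exclusions is then a one-line change, and lowering `block_at` to WARNING widens the gate once the higher-severity rules have earned trust.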
Ultimately, companies like Semgrep aim to go beyond providing a tool for security experts. They help organizations of all sizes establish robust security programs, delivering value not just through their platforms but by educating and guiding users toward better practices. Security must be accessible, actionable, and impactful for everyone.
Looking Ahead: The Future of Application Security
Developers and security leaders keep raising the bar: they ask for better results and better remediation guidance, which pushes security companies at large to keep improving.
As the application security landscape matures, tools like Semgrep are paving the way for more integrated and intuitive solutions. The demand for better tooling, and the opportunity to shape how security is practiced, continue to draw new companies into the space every year.
Security is all about trust, and businesses spend millions each year building it with their customers. By focusing on quality, scalability, and education, companies like Semgrep are raising the standard for developer-first security tools.
We'd like to thank Emma for her insights and participation in this series. You can connect with her via LinkedIn.