RSS Meetup

Functional programming in industry with a case study in Static Application Security Testing (SAST)

Room 6.3.27, Ciências ULisboa

By Dimitris Mostrous (Aikido Security).

In this talk, I will share insights from my experience in functional programming roles at several startups, highlighting how functional programming is used in industry today and, crucially, why it makes sense from a business perspective.

In the second part of the talk we will explore Opengrep, an open source Static Application Security Testing (SAST) tool written in OCaml, supported by a consortium of organisations in the application security space.

Opengrep is designed to search for patterns in source code, with a particular emphasis on vulnerability detection. Users define patterns as code fragments enhanced with matching constructs; these are converted into abstract syntax trees and matched against the AST representation of the target code.

Opengrep also supports taint tracking: identifying places where untrusted user input is passed to trusted subsystems without proper sanitisation.
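To make the two ideas above concrete, here is an added illustration (not material from the talk or from the Opengrep project) of what such rules look like. It assumes Opengrep keeps the Semgrep-compatible YAML rule schema it forked from; the rule ids, messages and the Python snippet in the comments are constructed for this example.

```yaml
rules:
  # 1. Pattern search: a code fragment enhanced with matching constructs.
  #    "..." stands for any sequence of arguments, "..." inside quotes for
  #    any string literal, and $CONN is a metavariable bound to one AST node.
  #    Both the rule and the target file are parsed to ASTs, so spacing,
  #    argument order around the ellipsis and variable names do not matter.
  - id: hardcoded-password-argument
    languages: [python]
    severity: WARNING
    message: Password passed as a string literal; load it from configuration instead
    pattern: $CONN.connect(..., password="...", ...)

  # 2. Taint tracking: report when data from an untrusted source reaches a
  #    trusted sink without passing through a sanitiser on the way.
  - id: request-data-to-shell
    mode: taint
    languages: [python]
    severity: ERROR
    message: Request parameter reaches os.system() without being quoted
    pattern-sources:
      - pattern: flask.request.args.get(...)
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - pattern: os.system(...)

# Constructed target code the second rule would be run against
# (shown as comments here so the rules file stays valid YAML):
#
#   name = flask.request.args.get("name")        # source: taint enters here
#   os.system("ls " + name)                      # reported: taint reaches the sink
#   os.system("ls " + shlex.quote(name))         # not reported: sanitiser on the path
#
# The first os.system() call is flagged because the dataflow analysis
# propagates the taint label through the string concatenation; the second
# is clean because shlex.quote() removes the label before the sink.
```

Run with `opengrep scan --config rules.yaml .` (assumed invocation, mirroring Semgrep's CLI) to see both findings reported against the target file.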

We will discuss why functional programming is well-suited to this kind of work and mention some of the analyses performed under the hood, including parsing, intermediate representations, constant propagation and dataflow analysis.

Bio: Dimitris Mostrous earned his PhD in Computing at Imperial College London. He's currently the lead maintainer of the open source Opengrep SAST tool (https://opengrep.dev) and OCaml Engineer at Aikido Security (https://aikido.dev). This is his third experience working as a functional programmer for startups, having previously worked with Clojure and OCaml in domains such as analytics and crypto payments.

14h00
LASIGE Computer Science and Engineering Research Centre