By Maciej Domanski
Trail of Bits is thrilled to announce the Testing Handbook, the shortest path for developers and security professionals to derive maximum value from the static and dynamic analysis tools we use at Trail of Bits.
Why did we create the Testing Handbook?
At Trail of Bits, we have spent countless hours studying, experimenting with, and refining the use of various static and dynamic security tools. During our journey, we found that the existing documentation is indeed comprehensive, but it can also be overwhelming. We like to think of it this way: the standard documentation usually tries to provide all the answers, but our Testing Handbook gives you the right answers—the answers that we have found to be most effective through our extensive experience.
Not stopping at mere configuration, the handbook serves as a blueprint to effectively optimize tools within CI/CD pipelines. We’ve noticed that many organizations, while able to set up security tools, struggle with their optimization. The outcome? A noisy, cumbersome tool that demands more maintenance than it’s worth.
Our goal is to streamline your journey to value, cutting through the noise and directing you straight to the most impactful aspects of the tools.
Announcing the first chapter: Semgrep
We’re excited to present our first chapter, which focuses on Semgrep—a highly efficient static analysis tool for finding low-complexity bugs and specific code patterns. With this guide, we aim to streamline your Semgrep use and improve your security testing effectiveness. The chapter encapsulates the benefits and ideal use cases of Semgrep, offers instructions for initial setup, and provides a detailed look into tailoring rulesets for optimal security testing. It also includes a comprehensive guide to writing and testing custom rules, using the autofix feature, and optimizing Semgrep rules. We guide you through CI/CD integration, including recommended approaches and configuration options. Finally, we provide external resources with suggested rules, blog posts, publications, and video resources to promote effective Semgrep adoption in your organization.
Visit the Semgrep chapter to start your journey.
Happy testing!