Productivity on Shivasurya

2025 Wrapped

Sat, 20 Dec 2025 00:00:00 +0000

2025 Wrapped

Published 📰
- Sourcegraph Blog: Lessons from building Sherlock: Automating security code reviews with Sourcegraph
  - Built AI security agent around 2024 and wrote a blog post about it.
- Tried out Multi-Turn Reinforcement Learning for security vulnerability analysis using verifier framework.
  - Turns out it’s amazing and has lot of stuffs to explore and learn.
Shipped 🚀
- Secureflow AI, Autonoumous AI Agent for security vulnerability analysis
  - Published blog post on codepathfinder.dev
  - And it’s clear that NO ONE HAS MOAT, If any AI security vendor company shows flashy demo “How our AI Security engineer can do this & that”, remember, you can replicate the same by calling OpenAI, Claude API, or any other AI platform providers.
    - This includes AI SAST, AI Vulnerability detection, AI Appsec, AI Threat modeling, AI Penetration testing, AI Security Orchestration.
    - All you need is good level of context engineering, memory, workflow setup, AI API calls.
- Code-Pathfinder, AI-Native static code analysis now has Python, Docker, Docker Compose support and open-sourced under AGPLv3 license
- Some Milestones & Metrics 📊
  - Code-Pathfinder & Secureflow AI
    - 307 Monthly Active Users
    - 64 Weekly Active Users
    - Started from zero half way through 2025 and grateful to achieve this number.
    - Excited to see the growth in 2026
Read 6 books 📚

Lessons from Building Sherlock: Automating Security Code Reviews with Sourcegraph

Thu, 10 Apr 2025 00:00:00 +0000

Originally published on the Sourcegraph Blog.

LLM-Powered Security Reviews: Insights and Challenges

Wed, 19 Mar 2025 00:00:00 +0000

Introduction

In a previous post on the Sherlock blog, I discussed leveraging large language models (LLMs) to assist with security code reviews. There’s no doubt that LLMs outperform traditional static application security testing (SAST) tools in several ways, enhancing the security review process by:

Reducing false positive rates
Increasing the accuracy of findings
Uncovering previously unidentified edge cases

When used in conjunction with SAST tools, LLMs can significantly boost the effectiveness of security reviews.

How I Use AI to Streamline/Assist My Work

Tue, 28 Jan 2025 00:00:00 +0000

Intro

While there’s a lot of skepticism about using AI to automate tasks, I’ve found AI tools to be invaluable allies that enhance my results and handle niche tasks.

🤖 Reflecting on My LLM Usage

I used to pay for OpenAI & Anthropic Claude API access and regularly automated several tasks until recently when DeepSeek-v3 was released, cutting costs by at least 50% while maintaining the same response quality. Here are a few tasks I found useful after attempting more than 30+ workflows to incorporate and derive value.

2024 Wrapped

Thu, 26 Dec 2024 00:00:00 +0000

2024 Wrapped

Read 12 books
Built Code-Pathfinder, Open-source alternative to GitHub CodeQL
- Received positive interest and interaction from various people working for Microsoft, GitHub, Elastic and TrailofBits
- Mind-blown to see people reaching out regarding the project :)
Welcomed our beautiful baby girl into the world! 👸
- Grateful to Grand River Hospital staff & volunteers for the exceptional care and support. 🫡 to Canada’s Healthcare
Read and built security vulnerability classifier based on Building a Large Language Model from Scratch
494 days streak on Duolingo learning french 🇫🇷

And that’s a wrap!

Books I read in 2024

Thu, 19 Dec 2024 00:00:00 +0000

Books

If you’re looking for a great device to read books, highlight important sections, and take notes, the Kindle Scribe is a fantastic option. It’s especially handy for times like waiting at the airport/hospital, traveling by flight/train.

Pro tip: You can always send pdf/epub to kindle and read it on kindle.

Security & Programming

Non-Fiction

Personal Finance

CodeQL: Eindhoven Quantifier Notation

Tue, 10 Sep 2024 00:00:00 +0000

Introduction

Recently, I have been thinking about aggregate functionality design for Code PathFinder, opensource alternative to GitHub CodeQL. SQL aggregate functions such as SUM, AVG, MIN, MAX are combined with WHERE and GROUP BY to generate aggregate queries. However, I was wondering if there is a way to generate aggregate queries without using WHERE and GROUP BY. While going through CodeQL design research paper, I came across Eindhoven Quantifier Notation which is quite interesting, easy to understand and can be used to generate aggregate queries. This blog post will discuss about Eindhoven Quantifier Notation adopted by CodeQL.

Sherlock: Automate security code reviews with Cody AI

Thu, 27 Jun 2024 00:00:00 +0000

Intro

Need for semi-autonomous security code reviews

My job as a security engineer (application security context) is to read source code and perform security reviews. Most of the time, mainly corelate the source code with frameworks & libraries, understand context where the code executes and enumerate all security risks. While there are lot of second generation SAST scanning tools in the market which is good at identifying patterns, eliminate false positive, executes and brings up results in minutes. I believe,

Defining Boundaries & Sinks for Inter-procedural Source Sink Analysis - Part 3

Fri, 08 Mar 2024 00:00:00 +0000

This is the third part of the blog post series on building inter-procedural source sink analysis from scratch. In the first part, we have built the intra-procedural source sink analysis. In this blog post, I’ll discuss about defining boundaries, configs and sinks for inter-procedural analysis. ✨ This idea of defining boundaries and sinks is inspired from the CodeQL library and while discussing with my colleague at SWAG lab @ uwaterloo.

Plan

While tools like CodeQL has well-defined support for libraries and framework such as Android CodeQL these libraries has predefined boundaries and sinks. But, start from scratch, we need to define our own boundaries and sinks. The boundaries are the entry points and sinks are the exit points.

Deep dive on Android Java / Kotlin Deserialization Code Execution with Semgrep Detection

Wed, 24 Jan 2024 00:00:00 +0000

Overview

In this post, we will explore code execution using Java & Kotlin Deserialization in Android Application. Additionally, We will discuss the Gadget Chain, Detection and Exploitation technique specific to Android. Achieving code execution in server side application via Java deserialization has higher chance of success than in client side android application. This is due to limitation of variety of loaded classes in android application. For instance com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is available in openJDK but not in Android JDK (but with modification). These limitation can be a blocker for loading arbitrary classes and executing payload (mostly compiled bytecode) in Android application. Well there are lot of deserialization vulnerabilities is published out there such as

2023 Wrap - Year in Review

Wed, 27 Dec 2023 00:00:00 +0000

2023: A Year of Unexpected Adventures and Rich Insights. Here’s a glimpse into my journey and the accomplishments, lessons I’ve gathered along the way. Well this blog doesn’t feature lot of stuff, but I’m trying to keep it simple.

Trimming Down: Weight Loss Journey 🏋️

“Psychology for Money shapes your wealth; Noom shapes your health.”

It’s been an inspiring weight loss journey with Noom, shedding 11 lbs since October 2023. My employer’s Step Challenge played a significant role. I appreciate Noom’s rewarding content and insights into eating psychology. The subscription and personal accountability guidance are truly valuable.

Building Inter-procedural Source Sink Analysis from Scratch - Part 2

Fri, 01 Sep 2023 00:00:00 +0000

This is the second part of the blog post series on building inter-procedural source sink analysis from scratch. In the first part, we have built the intra-procedural source sink analysis. In this blog post, we will be building the inter-procedural source sink analysis.

Plan

We’ll be parsing whole java project source code and generate AST using JavaParser. While traversing the AST, we will be collecting the method declaration and method invocation. We will be using graph theory algorithm to find the path from source to sink. The source is the method declaration and the sink is the method invocation. The method declaration is the node and the method invocation is the edge. While classes may contain duplicate method names with different signatures, we will be using the fully qualified method name to uniquely identify the method. The fully qualified method name is the class name + method name + method arguments. The method arguments are used to differentiate the method overloading. The method declaration is the key and method invocation is the value in the hashmap. The hashmap is used to build the graph and find the path from source to sink.

Building A Simple Source-Sink Analysis in Java from Scratch - Part 1

Sun, 27 Aug 2023 00:00:00 +0000

Overview of Source Sink Analysis

Source Sink Analysis is a type of basic static analysis that detects the flow of information from a source to a sink. A source is a place where the information is coming from and a sink is a place where the information is going to. For example, a source can be a user input and a sink can be a database query. If the user input is not sanitized, it can lead to SQL Injection. Apart from source sink techniques, there are other techniques like taint analysis, control flow graph, data flow analysis, etc. which are used to detect vulnerabilities in the code. In this blog post, we will be building a simple source sink analysis in Java from scratch.

From ArcGIS to Mapbox: How Cody AI Made My Web App Shine

Sun, 02 Jul 2023 00:00:00 +0000

Imagine being a newcomer to Canada around 2019, relying on public transit to navigate the Waterloo region. Like many others, I found myself frustrated with the occasional unreliability of Google Maps when searching for public transit options. However, my luck changed when I stumbled upon a cool command line tool developed by a UWaterloo student that predicted the next bus or LRT arrival time within seconds. This discovery led me to GRT.ca, a website providing real-time transit feed updates, allowing me to track the exact location of buses and LRTs. Inspired by this newfound resource, I created a naive map using ArcGIS ESRI Maps, loading location information from the protobuf feed and deploying it on my domain, livemap.shivasurya.me. This map became my go-to tool for finding the precise location of the next bus or LRT.