The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists.
AppSec Bugs: A Case of Déjà Vu for JIT Compilers
September 30, 2019
Just-in-time (JIT) compilers have had their fair share of bug-fighting experience. Before movies like Wargames and Hackers inspired the first generation of breakers, most users were concerned with the speed, or lack thereof, of their programs. The compiler community responded with JIT compilers to accelerate application performance.
Then in the mid 90s, memory management bugs were the plague of the programming industry. Again, the runtime/compiler community realized they could solve this problem with automatic memory management inside the JIT compiler.
Security Bugs: An Evolving Threat
Today, performance bugs and memory bugs are the least of the worries facing the developer community. Instead, a new crisis has surfaced: security bugs. Security bugs are so much more concerning than the other bugs because security bugs will get you "pwned!"
To tackle this, there has been a deluge of scanning and filtering tools developed for programmers to find code flaws. DevOps tools like static, dynamic and interactive application security testing (SAST, DAST, IAST), and runtime application self-protection (RASP), or network tools like intrusion detection or prevention systems (IDS, IPS), and unified threat management (UTM), all find or filter vulnerabilities but do nothing to fix the underlying vulnerable code. For that, there are only two ways that buggy code can be modified and fixed: with a human programmer or a JIT compiler.
New Roles for JIT Compilers
State-of-the-art JIT compilers today are constantly looking for ways to optimize executing code by learning and analyzing everything about an application's code. This deep application code intelligence, which was so effectively applied to performance bugs and memory management bugs in the past, is now being applied to discover and remediate security bugs.
In this security context, the JIT compiler leverages existing analysis of application code to additionally analyze for security vulnerabilities. When it finds one, it's a seamless step to fix it: The JIT compiler simply rewrites the vulnerable code with the necessary security controls to fix the underlying vulnerability.
Benefits of JIT Compilers
Since this analysis and change is done in the runtime, the JIT compiler also adds a layer of security without having to modify any source code.
The benefits of this can be liberating for DevOps teams that face disruption to existing projects every time a new vulnerability is exposed. Given that more than 22,000 vulnerabilities were discovered in 2018, this ability to protect applications without requiring programmer resources allows development teams to apply fixes during periods where they will have the least impact on the business.
Further, for many organizations that have legacy code, they may no longer be able to access the source code for fear that any modifications could prove catastrophic to the application. For security remediation, the JIT compiler can be used to remediate vulnerabilities in the byte code — not the source code — reducing or eliminating the risks that often lead to broken applications.
The threat that security bugs pose to businesses keeps many a DevOps team up at night. But to JIT compilers, this isn't their first rodeo. In fact, it's just another case of déjà vu.
Industry News
May 14, 2025
CodeRabbit is now available on the Visual Studio Code editor.
The integration brings CodeRabbit’s AI code reviews directly into Cursor, Windsurf, and VS Code at the earliest stages of software development—inside the code editor itself—at no cost to the developers.
May 14, 2025
Chainguard announced Chainguard Libraries for Python, an index of malware-resistant Python dependencies built securely from source on SLSA L2 infrastructure.
May 14, 2025
Sysdig announced the donation of Stratoshark, the company’s open source cloud forensics tool, to the Wireshark Foundation.
May 13, 2025
Pegasystems unveiled Pega Predictable AI™ Agents that give enterprises extraordinary control and visibility as they design and deploy AI-optimized processes.
May 13, 2025
Kong announced the introduction of the Kong Event Gateway as a part of their unified API platform.
May 13, 2025
Azul and Moderne announced a technical partnership to help Java development teams identify, remove and refactor unused and dead code to improve productivity and dramatically accelerate modernization initiatives.
May 13, 2025
Parasoft has added Agentic AI capabilities to SOAtest, featuring API test planning and creation.
May 13, 2025
Zerve unveiled a multi-agent system engineered specifically for enterprise-grade data and AI development.
May 12, 2025
LambdaTest, a unified agentic AI and cloud engineering platform, has announced its partnership with MacStadium, the industry-leading private Mac cloud provider enabling enterprise macOS workloads, to accelerate its AI-native software testing by leveraging Apple Silicon.
May 12, 2025
Tricentis announced a new capability that injects Tricentis’ AI-driven testing intelligence into SAP’s integrated toolchain, part of RISE with SAP methodology.
May 12, 2025
Zencoder announced the launch of Zen Agents, delivering two innovations that transform AI-assisted development: a platform enabling teams to create and share custom agents organization-wide, and an open-source marketplace for community-contributed agents.
May 08, 2025
AWS announced the preview of the Amazon Q Developer integration in GitHub.
May 08, 2025
The OpenSearch Software Foundation, the vendor-neutral home for the OpenSearch Project, announced the general availability of OpenSearch 3.0.
