AppSec Bugs: A Case of Déjà Vu for JIT Compilers
September 30, 2019

John Matthew Holt

Just-in-time (JIT) compilers have had their fair share of bug-fighting experience. Before movies like Wargames and Hackers inspired the first generation of breakers, most users were concerned with the speed, or lack thereof, of their programs. The compiler community responded with JIT compilers to accelerate application performance.

Then in the mid 90s, memory management bugs were the plague of the programming industry. Again, the runtime/compiler community realized they could solve this problem with automatic memory management inside the JIT compiler.

Security Bugs: An Evolving Threat

Today, performance bugs and memory bugs are the least of the worries facing the developer community. Instead, a new crisis has surfaced: security bugs. Security bugs are so much more concerning than the other bugs because security bugs will get you "pwned!"

To tackle this, there has been a deluge of scanning and filtering tools developed for programmers to find code flaws. DevOps tools like static, dynamic and interactive application security testing (SAST, DAST, IAST), and runtime application self-protection (RASP), or network tools like intrusion detection or prevention systems (IDS, IPS), and unified threat management (UTM), all find or filter vulnerabilities but do nothing to fix the underlying vulnerable code. For that, there are only two ways that buggy code can be modified and fixed: with a human programmer or a JIT compiler.

New Roles for JIT Compilers

State-of-the-art JIT compilers today are constantly looking for ways to optimize executing code by learning and analyzing everything about an application's code. This deep application code intelligence, which was so effectively applied to performance bugs and memory management bugs in the past, is now being applied to discover and remediate security bugs.

In this security context, the JIT compiler leverages existing analysis of application code to additionally analyze for security vulnerabilities. When it finds one, it's a seamless step to fix it: The JIT compiler simply rewrites the vulnerable code with the necessary security controls to fix the underlying vulnerability.

Benefits of JIT Compilers

Since this analysis and change is done in the runtime, the JIT compiler also adds a layer of security without having to modify any source code.

The benefits of this can be liberating for DevOps teams that face disruption to existing projects every time a new vulnerability is exposed. Given that more than 22,000 vulnerabilities were discovered in 2018, this ability to protect applications without requiring programmer resources allows development teams to apply fixes during periods where they will have the least impact on the business.

Further, for many organizations that have legacy code, they may no longer be able to access the source code for fear that any modifications could prove catastrophic to the application. For security remediation, the JIT compiler can be used to remediate vulnerabilities in the byte code — not the source code — reducing or eliminating the risks that often lead to broken applications.

The threat that security bugs pose to businesses keeps many a DevOps team up at night. But to JIT compilers, this isn't their first rodeo. In fact, it's just another case of déjà vu.

John Matthew Holt is Founder and CTO of Waratek
Share this

Industry News

July 18, 2024

Mission Cloud announced the launch of Mission Cloud Engagements - DevOps, a platform designed to transform how businesses manage and execute their AWS DevOps projects.

July 18, 2024

Accelario announces the release of its free TDM solution, including database virtualization and data anonymization.

July 18, 2024

RAVEL (formerly StratusCore) introduced RAVEL Orchestrate’s new Bare Metal Build Station functionality, which empowers IT and DevOps teams in SMBs or enterprises to intelligently prepare and deploy customized images to any physical machine connected to a network.

July 17, 2024

OpenText™ announced its solution to speed the triage and remediation of vulnerabilities throughout the stages of code development, OpenText Fortify Aviator, an AI-powered code security solution, saves developers significant time by enabling faster and easier auditing and remediation of static application security testing (SAST) vulnerabilities—all within a single solution​.

July 17, 2024

Tricentis announced the acquisition of SeaLights, a SaaS-based, software quality intelligence platform.

July 17, 2024

CAST is now available as software as a service (SaaS).

July 16, 2024

OpenText announced its latest product innovations with Cloud Editions (CE) 24.3.

July 16, 2024

Red Hat introduced new capabilities and enhancements for Red Hat OpenShift, the hybrid cloud application platform powered by Kubernetes, as well as the general availability of Red Hat Advanced Cluster Security Cloud Service.

July 16, 2024

DevEx Connect launched as a community-driven independent research, analyst and events organization focusing on everything under the DevEx umbrella, including DevOps, SRE and Platform Engineering.

July 15, 2024

Elastic announced support for Amazon Bedrock-hosted models in Elasticsearch Open Inference API and Playground.

July 11, 2024

Progress announced new and powerful enhancements in the latest release of Progress® LoadMaster® 360, its cloud-based unified application delivery platform. These enhancements help organizations protect their web applications against increasingly sophisticated cyberattacks and provide customers with an optimal application experience.

July 11, 2024

Virtusa announced a strategic partnership with Quality Clouds, a provider of SaaS governance solutions for Salesforce and ServiceNow platforms.

July 11, 2024

Zesty launched its newest offering, Commitment Manager for Amazon RDS (Relational Database Service).

July 10, 2024

MacStadium unveiled Orka Desktop, a free, local macOS virtualization tool.