AppSec Bugs: A Case of Déjà Vu for JIT Compilers
September 30, 2019

John Matthew Holt
Waratek

Just-in-time (JIT) compilers have had their fair share of bug-fighting experience. Before movies like Wargames and Hackers inspired the first generation of breakers, most users were concerned with the speed, or lack thereof, of their programs. The compiler community responded with JIT compilers to accelerate application performance.

Then in the mid 90s, memory management bugs were the plague of the programming industry. Again, the runtime/compiler community realized they could solve this problem with automatic memory management inside the JIT compiler.

Security Bugs: An Evolving Threat

Today, performance bugs and memory bugs are the least of the worries facing the developer community. Instead, a new crisis has surfaced: security bugs. Security bugs are so much more concerning than the other bugs because security bugs will get you "pwned!"

To tackle this, there has been a deluge of scanning and filtering tools developed for programmers to find code flaws. DevOps tools like static, dynamic and interactive application security testing (SAST, DAST, IAST), and runtime application self-protection (RASP), or network tools like intrusion detection or prevention systems (IDS, IPS), and unified threat management (UTM), all find or filter vulnerabilities but do nothing to fix the underlying vulnerable code. For that, there are only two ways that buggy code can be modified and fixed: with a human programmer or a JIT compiler.

New Roles for JIT Compilers

State-of-the-art JIT compilers today are constantly looking for ways to optimize executing code by learning and analyzing everything about an application's code. This deep application code intelligence, which was so effectively applied to performance bugs and memory management bugs in the past, is now being applied to discover and remediate security bugs.

In this security context, the JIT compiler leverages existing analysis of application code to additionally analyze for security vulnerabilities. When it finds one, it's a seamless step to fix it: The JIT compiler simply rewrites the vulnerable code with the necessary security controls to fix the underlying vulnerability.

Benefits of JIT Compilers

Since this analysis and change is done in the runtime, the JIT compiler also adds a layer of security without having to modify any source code.

The benefits of this can be liberating for DevOps teams that face disruption to existing projects every time a new vulnerability is exposed. Given that more than 22,000 vulnerabilities were discovered in 2018(link is external), this ability to protect applications without requiring programmer resources allows development teams to apply fixes during periods where they will have the least impact on the business.

Further, for many organizations that have legacy code, they may no longer be able to access the source code for fear that any modifications could prove catastrophic to the application. For security remediation, the JIT compiler can be used to remediate vulnerabilities in the byte code — not the source code — reducing or eliminating the risks that often lead to broken applications.

The threat that security bugs pose to businesses keeps many a DevOps team up at night. But to JIT compilers, this isn't their first rodeo. In fact, it's just another case of déjà vu.

John Matthew Holt is Founder and CTO of Waratek
Share this

Industry News

March 27, 2025

webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.

March 27, 2025

Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.

March 27, 2025

Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.

March 26, 2025

Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.

March 26, 2025

CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.

March 26, 2025

BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.

March 25, 2025

Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.

March 25, 2025

Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.

March 25, 2025

Platform9 formally launched the Platform9 Partner Program.

March 24, 2025

Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.

March 20, 2025

Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).

March 20, 2025

Perforce Software announced its acquisition of Snowtrack.

March 19, 2025

Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.

March 19, 2025

Amplitude announced the rollout of Session Replay Everywhere.

March 18, 2025

Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...