Contrast Scan adds support for client-side JavaScript – the world’s most popular programming language


If you’re looking for the TL;DR version of the announcement, here it is: Contrast Scan has extended its language coverage to front-end languages with support for client-side JavaScript (JS) and jQuery. With that out of the way, let’s get into the details. Contrast’s mission is to become the world’s most comprehensive secure coding platform, with Contrast Scan acting as the tip of the spear that delivers fast, actionable results directly into developer pipelines. It makes sense to extend our use case beyond server-side languages to the front end. Analyst firm RedMonk ranks the most popular programming languages, and JavaScript has consistently ranked #1. This makes sense given that client-side JS is used in 97% of the world’s websites. With this addition to the Contrast Secure Code platform, customers can take advantage of real-time security telemetry for their server-side languages while also getting full coverage for their client-side JS code.

Client-side security is usually tied to tools like bot management or WAFs. After all, in 2021 web applications were the second most common attack vector for confirmed breaches, according to data from the latest edition of Verizon’s Data Breach Investigations Report (DBIR). More importantly, among these confirmed web application breaches, exploitation of vulnerabilities has been shown to be among the top attack paths. Code-level exploits such as XSS or Magecart attacks allow attackers to exfiltrate sensitive customer data through session hijacking, clickjacking, credential harvesting... you get the idea.

Since JavaScript runs in the client’s browser, it must be downloaded to the browser to work. Without the proper protections, JavaScript can therefore be manipulated on the client’s machine, leaving it exposed to attackers attempting to access, read, or modify it. This is of particular concern for vanilla JavaScript applications, which may not use a modern framework like jQuery, Angular, or React. When you also take into account that the JavaScript ecosystem is huge, with thousands of third-party JS dependencies making up the majority of most web applications, the problem becomes much more complicated. Early detection of code-level vulnerabilities is the most consistent and cost-effective approach to protecting client-side JavaScript.

Now we can get into the details beyond the headlines. Contrast Scan has added support for vanilla client-side JavaScript and jQuery. The engine we built for JS is driven by the same philosophy that has made Contrast Scan one of the fastest and most accurate static code scanners on the market: Contrast Scan uses a demand-driven analysis methodology. Put simply, this means that we do not inundate developers with noisy results, but instead focus only on actionable results by performing deep analysis of data flows at every vulnerable entry point within the application.

For JavaScript, we analyze the same artifact used by the browser for full efficiency and compatibility. This has a few notable advantages:

  • From the user’s perspective, there is only one thing to analyze. Users download the packaged JS artifact and get results within seconds.
  • The scanner supports bundle formats like webpack and browserify as well as map files, so results can be traced back through transpilers and code generators, which means we can map findings to the specific line of source code with greater precision. Whatever syntax you write your JavaScript in, such as TypeScript or Babel, if it compiles to JavaScript, we’ll test it. Period.
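
As an added illustration of the map-file step above (example code written for this article, not Contrast’s scanner), the following decodes a Source Map v3 `mappings` string and resolves a finding reported at a bundle line/column back to the original file and line. The sample map, its two source names and the finding positions are constructed for the example.

```javascript
// Added example (not Contrast's code): map a finding at a bundle line/column
// back to the original file and line using a Source Map v3 "mappings" field.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Base64-VLQ: 5 data bits per char, bit 5 = continuation, low bit = sign.
function decodeVlq(segment) {
  const out = [];
  let value = 0, shift = 0;
  for (const ch of segment) {
    const digit = B64.indexOf(ch);
    if (digit < 0) throw new Error(`bad VLQ char: ${ch}`);
    value |= (digit & 31) << shift;
    if (digit & 32) { shift += 5; continue; }
    out.push(value & 1 ? -(value >> 1) : value >> 1);
    value = 0; shift = 0;
  }
  return out;
}
// Rows of [genLine, genCol, srcIdx, origLine, origCol], all zero-based.
// Generated column resets on each ';' line; the other fields are running deltas.
function parseMappings(mappings) {
  const rows = [];
  let src = 0, oLine = 0, oCol = 0;
  mappings.split(";").forEach((line, genLine) => {
    let genCol = 0;
    for (const seg of line.split(",")) {
      if (!seg) continue;
      const f = decodeVlq(seg);
      genCol += f[0];
      if (f.length >= 4) { // one-field segments carry no original position
        src += f[1]; oLine += f[2]; oCol += f[3];
        rows.push([genLine, genCol, src, oLine, oCol]);
      }
    }
  });
  return rows;
}
// Resolve a bundle position: last segment on that generated line whose
// column is <= the requested column. Returned line is 1-based; null if unmapped.
function originalPosition(map, genLine, genCol) {
  let best = null;
  for (const r of parseMappings(map.mappings)) {
    if (r[0] === genLine && r[1] <= genCol) best = r;
  }
  return best && { source: map.sources[best[2]], line: best[3] + 1, column: best[4] };
}
// Constructed sample map (not real build output): bundle line 0 = app.js line 4 col 0,
// then from generated col 17 util.js line 11 col 4; bundle line 1 = app.js line 6 col 2.
const SAMPLE_MAP = { version: 3, file: "bundle.min.js",
  sources: ["src/app.js", "src/util.js"], mappings: "AAGA,iBCOI;ADLF" };
```

A finding the scanner reports at bundle line 0, column 20 resolves to `src/util.js` line 11, which is the line a developer would actually open to fix it.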

The Contrast CLI already allows developers to check for vulnerable JS libraries before commits. With all of this in mind, Contrast users are able to test the full scope of their custom and third-party JS code through a single, centralized platform.

We’ve already started work on extending our JavaScript support, including support for additional frameworks like React and Angular, as well as aggregating results across custom code and third-party JavaScript libraries. We’ll be sure to provide updates as we continue to expand our JavaScript use case.

If you would like to learn more about how Contrast can cover your entire software stack, from front end to back end, please do not hesitate to contact us to schedule a demo; our team will be happy to help.
