By now you have probably heard about JSA. Introduced in AppScan Standard 8.0 in Oct '10, and now included in AppScan Enterprise 8.6, JSA is a component that does static analysis of JavaScript to detect a range of client-side security issues, such as DOM-based XSS, Open Redirect, and many others.
Why is this significant?
Client-side code percentage in web applications grew from around 5% five years ago, to an amazing 25% today. Driven by the Web 2.0 explosion, JavaScript is now everywhere, on every web page. And guess what -- it's painfully full of security holes. Evil, nasty ones, that are particularly difficult to catch.
We were really surprised when we discovered that nearly 1 in 6 of the Fortune 500 websites have serious, exploitable security issues in their JavaScript code. You can imagine this got a lot of attention when we shared this news with the world. It quickly became the #1 downloaded whitepaper in IBM Rational.
JSA may very well be the only technology available today that can effectively catch these types of issues.
But JSA is also really interesting from a technology standpoint. It is perhaps the first real implementation of Hybrid Scanning -- bringing together the advantages of the white-box and black-box methodologies, while overcoming their weaknesses. For the first time ever, you have black-box and static analysis working TOGETHER, in a single product, in the same scan.
If you think it's just two components lumped together, with aggregated results -- think again. JSA is distinctly hybrid. It is static analysis feeding off of information that could ONLY be collected dynamically. This gives JSA a huge advantage over any other solution that is either purely black-box or purely static analysis.
The best example of this is how JSA uses String Analysis to automatically eliminate false positive reports. Without getting too technical, String Analysis allows tracking potential string values in a program. This allows very powerful reasoning about the kind of exploits that a potential attacker can or cannot do.
So what's hybrid about this? Well, the unique String Analysis implementation in JSA feeds off of actual page URLs, collected during crawling. Feeding on such accurate and concrete information from the live, running application allows JSA to eliminate virtually all of the non-exploitable reports. We thoroughly reviewed and manually classified the results for hundreds of real-world sites, and found that JSA produces less than 10% false positives. How many static analysis tools can match that?
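To make the String Analysis idea concrete, here is an added toy model written for this post; it is not JSA's implementation. It assumes a simple character-set abstraction, treats `location.hash` as fully attacker-controlled, seeds `location.pathname` from constructed crawled paths the way the text describes, and checks an `innerHTML` sink.

```javascript
// Toy character-set string analysis, constructed for this post (not JSA's code).
// An abstract value is the set of characters that may reach it from an untrusted
// source. Printable ASCII is the universe, so a fully attacker-controlled source
// is the whole universe, and a trusted string literal contributes nothing.
const UNIVERSE = new Set(Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)));
const HTML_META = new Set(['<', '>', '"', "'", '&']);
const UNRESERVED = new Set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.!~*'()");

const literal = () => new Set();                                   // trusted text
const observed = (...strs) => new Set(strs.join(''));              // crawl-seeded source
const union = (a, b) => new Set([...a, ...b]);
const minus = (a, b) => new Set([...a].filter((c) => !b.has(c)));
const inter = (a, b) => new Set([...a].filter((c) => b.has(c)));

// Transfer functions: how each string operation changes the character set.
const T = {
  concat: (...parts) => parts.reduce(union),                       // a + b + ...
  substring: (a) => a,                                             // a.substring(n) adds nothing
  stripHtmlMeta: (a) => minus(a, HTML_META),                       // a.replace(/[<>"'&]/g, '')
  encodeURIComponent: (a) => union(inter(a, UNRESERVED), observed('%0123456789ABCDEF')),
};

// Sources. location.hash is fully attacker-controlled. location.pathname is
// seeded from the URLs seen while crawling (the hybrid input); that is sound
// only if the crawl covered every path on which the server returns this page.
const sources = (crawledPaths) => ({ hash: UNIVERSE, pathname: observed(...crawledPaths) });

// An innerHTML report is kept only if the value reaching the sink may still
// carry an HTML metacharacter; otherwise it is discarded as non-exploitable.
const classify = (v) => (inter(v, HTML_META).size > 0 ? 'exploitable' : 'not exploitable');

// Four constructed snippets, each modelled as the abstract value assigned to el.innerHTML.
function analyzeSnippets(crawledPaths) {
  const src = sources(crawledPaths);
  return {
    // el.innerHTML = '<b>' + location.hash.substring(1) + '</b>';
    rawHash: classify(T.concat(literal(), T.substring(src.hash), literal())),
    // el.innerHTML = location.hash.substring(1).replace(/[<>"'&]/g, '');
    strippedHash: classify(T.stripHtmlMeta(T.substring(src.hash))),
    // el.innerHTML = '<a href="' + location.pathname + '">Back</a>';
    crawledPath: classify(T.concat(literal(), src.pathname, literal())),
    // el.innerHTML = '<a href="/s?q=' + encodeURIComponent(location.hash) + '">';
    // encodeURIComponent leaves the single quote alone, and this coarse, context-free
    // sink model cannot tell that a quote is inert inside a double-quoted attribute,
    // so the report is kept. Real precision needs more than a character set.
    encodedHash: classify(T.concat(literal(), T.encodeURIComponent(src.hash), literal())),
  };
}
console.log(analyzeSnippets(['/index.html', '/help/faq.html']));
```

The third snippet shows the hybrid point: the report is dropped only because the crawl told the analysis which characters `location.pathname` can actually carry, and a crawl that observed a path containing a quote would keep it.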
JSA is also incredibly easy to run. There is no configuration. It's fast, it's responsive, it's accurate. It just works.
You see the theme here. We are trying to create tools that mere mortals can be successful with. It's really hard to make something complicated appear simple, but that's how I perceive my job.
What do you think? Leave a comment with your thoughts.