Log In
Get a Demo

See for yourself – run a scan on your code right now

Get a demo

By Lukas Seidel

Coding in dynamic languages like JavaScript and Python is fun and allows for fast iterations, but it comes with a cost. Without proper type information, developers are missing out on the ability to catch bugs early and get helpful IDE support. But the absence of properly typed variables makes life tricky not only for the people writing the code but also for security professionals and automated static analysis tools.

Enter CodeTIDAL5: The Game-Changer

We’ve built CodeTIDAL5, a Transformer-based machine learning model that predicts type annotations for JavaScript and TypeScript and fills in type information where it is missing. It beats the current best models by 7.85%, clocking an overall 71.27% accuracy rate. Unlike most approaches, it shines where type inference is most needed: in predicting user-defined types. We use CodeT5+ [1] as the base for our Large Language Model and fine-tune that on vast amounts of annotated TypeScript code. By learning how developers write their code, how they name their functions and variables and how they use their objects, the model builds an understanding of what kind of syntax implicates what types.

JoernTI: The Perfect Integration Our model doesn’t just sit in a lab; it’s integrated into Joern, our popular open-source static analysis tool and foundation of securing your applications. This combination, known as JoernTI, lets you use the inferred type information in your static analysis tasks, contributing to more effective and comprehensive results.

The Takeaway

  • CodeTIDAL5 offers state-of-the-art type inference, especially for user-defined types
  • JoernTI integrates this into practical static analysis workflows
  • Our approach significantly improves dataflow recovery, giving you a more complete understanding of your code’s behavior

Academic Publication Our work was accepted at the peer-reviewed 28th European Symposium on Research in Computer Security (ESORICS) in The Hague, one of the top cybersecurity conferences in the world, where we will present our results from the 25th to the 27th of September.

For those wanting to dive deeper, check out the full preprint of our academic paper where we get into the details of how we achieved these advancements: https://davidbakereffendi.github.io/assets/pdf/preprint_6676_ESORICS23.pdf

Or check out our reference implementation and try out JoernTI today! https://github.com/joernio/joernti-codetidal5

[1] https://github.com/salesforce/CodeT5

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

Read Next

AI Cybersecurity Engineering
July 28, 2023 5 min to read

What Are AI Hallucinations and How Could They Impact Soft...

by Gary Davis

We all do it. When we are recalling a story or something that happened in our lives, we fill in the “fuzzy” areas with what we believe to be the truth. It’s human nature to embellish somewhat or simply fill in the blanks with what could be facts based on our recollection, but often are […]

READ MORE
AI AppSec Cybersecurity Engineering
July 13, 2023 3 min to read

The Pros and Cons of Using Generative AI to Automatically...

by Gary Davis

Software engineers’ ideal state includes being able to work with minimal disruption. This “flow state” is when they are most productive and have the best chance of delivering the products and features they are tasked with producing within the required timeline. Whenever something adversely impacts their flow state productivity, mental health, and overall effectiveness may […]

READ MORE
AI AppSec Cybersecurity
May 25, 2023 3 min to read

What ChatGPT Actually Means for Developers

by Stuart McClure

I couldn’t walk five feet at RSA recently without someone asking me about ChatGPT. The questions all boiled down to “ChatGPT—is it bad, really bad, or just plain horrible?” ChatGPT is all of these things, and at the same time it is none of them. ChatGPT is only what we make of it. Like any […]

READ MORE

Read Next

Cybersecurity
November 22, 2021 5 min to read

Getting to Know Compliance in Software Development

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE
Cybersecurity
October 16, 2023 3 min to read

Business Logic Flaws – the Software Underbelly Hack...

by Brian Lee

It started as a well-intentioned plan to help businesses access real-time tracking data to provide better service to their customers.  The “Informed Visibility System” by the USPS started off with great intentions, but unfortunately rolled out the red carpet for cyberciminals, exposing sensitive data on 60 million users. The business team found a need and […]

READ MORE
AI Cybersecurity Engineering
July 28, 2023 5 min to read

What Are AI Hallucinations and How Could They Impact Soft...

by Gary Davis

We all do it. When we are recalling a story or something that happened in our lives, we fill in the “fuzzy” areas with what we believe to be the truth. It’s human nature to embellish somewhat or simply fill in the blanks with what could be facts based on our recollection, but often are […]

READ MORE

See for yourself – run a scan on your code right now

try it for free
log in
Newsletter Sign Up

Stay informed of the latest news and critical events in AppSec space:

Twitter Linkedin Github
About
Platform Overview
Platform Components
Resources

© 2024 Qwiet. All rights reserved.