How TypeScript Helps You Shift Left – InApps 2022

We all know that we should be shifting security left and fixing bugs early in the software development life cycle (SLDC), but how do we do that? One way is to use tools that allow developers to find and fix code issues before they commit their code. For developers working with JavaScript, one such tool is TypeScript.

TypeScript is an open source programming language developed by Microsoft that compiles to JavaScript. Released in 2012, it’s now the fourth-most-used language on GitHub. Although TypeScript and JavaScript are two separate programming languages, TypeScript is a superset of JavaScript. This means that all valid JavaScript code is also valid TypeScript code. TypeScript was developed to make building enterprise-level web applications easier and more secure.

Why is TypeScript More Secure than JavaScript?

TypeScript is both a strongly typed and a statically typed language. Strongly typed languages require explicit declarations to convert or compare between types. Strongly typed languages are more secure than weakly typed ones because they require an extra step to convert between languages. This means, for instance, that they won’t allow you to change a character into a number, which can help prevent errors like CWE-704 Incorrect Type Conversion or Cast.

TypeScript is also a statically typed language, which means that it checks types at compile. A dynamically typed language like JavaScript checks types at runtime. Moving these checks left to the compile stage means that TypeScript can find type errors before they are propagated into the program, preventing exploitable vulnerabilities from reaching a production application.

Why is Shifting Left Important?

When we start with the idea that every business is a software business, it becomes clear that software risk is business risk. That’s why it’s imperative to build trust into your software from the start. Moving security earlier in the development process and building security checks in along the way (“shifting left”) recognizes the importance of security and makes more people responsible for its implementation.

Shifting left means that developers need to be aware of the security implications of their code, instead of outsourcing that responsibility to a separate security team. Security teams will still perform a prelaunch review and any remediations required, but that process will be far less time-consuming if security has been baked in from the beginning.

Solutions to Help You Build Trust in Your Software

Adding TypeScript to your development process can increase the trust you’re building into your software by enforcing more secure coding earlier in the process. However, like any tool, when used incorrectly, TypeScript can have security issues. That’s why it’s critical to add application security-testing tools that support security-optimized languages to your toolbox as well.

While TypeScript can increase the security of your development pipeline, adding a testing tool like Synopsys Coverity can shift security left in the SDLC and support the workflows and timelines of your developers. By adding tools that developers want to use, you can be sure that you’re having a real, tangible impact on your security posture.

Photo by Leah Kelley from Pexels.