Enterprise JavaScript and Obfuscation: Opportunity and Risk Mitigation

Chris Berg

12/09/2021

Spoiler alert: this post will not declare all the virtues of the JavaScript language, such as its async programming model, node package management (npm), Node.js, client frameworks, or IDE support. But to quickly define what “enterprise JavaScript” means to me, the descriptor “enterprise” has a lot to say about the companies and organizations using the language as both a platform and a strategic investment in consumer engagement.

Consider the lineup of industries grappling with a need to engage at scale and speed with a digital-first customer base, all while needing to comply with complex regulations and manage ever-changing business logic. In lending, insurance, banking, healthcare, and government, many large enterprise organizations cannot ignore JavaScript as part of their digital transformation strategy, nor can they avoid also thinking of it as a risk that must be managed.

For these highly regulated organizations and enterprises like them, having the same business logic reliably execute the same way – whether as a service or embedded in a self-service app – has become critical to their strategy of delivering compliant, personalized engagement at scale. Our no-code decision automation technology, combined with our JavaScript distribution service, allows non-developers, data scientists, and subject matter experts to quickly and simply add, change, and tweak business rules effortlessly, without even knowing how to write a line of JavaScript.

The resulting JavaScript files are minified and obfuscated and can quickly be deployed like any other .js file, running anywhere an ECMAScript engine is available.  This means complex, proprietary business logic execution can occur client-side, server-side, or at the edge—with the applications that depend on this complex logic able to execute it in process, anywhere. In fact, ease of use and agility are driving factors behind why we’re seeing more enterprises add on to their investment in our decision platform by adding our JavaScript distribution service to their licensing.

These enterprises know the benefits JavaScript delivers – performance, responsiveness, versatility – can directly impact revenue capture at all stages of an engagement funnel. JavaScript-driven web and mobile applications attract customers attuned to beautiful UI and simplicity, with uses ranging from build-your-own product experiences to gamified customer loyalty programs to applying for and getting a loan. At the same time, JavaScript can introduce a new level of risk: many of these applications are transparent enough for knowledgeable developers to reverse-engineer what’s running in the browser.

The push toward performance often brings more logic, including business rules and proprietary calculations, to the front end, and this has the potential to expose that logic to prying eyes. Moreover, today’s companies are engaging more directly with developers, beyond just publishing a public API. For example, many publish public code repositories, yet still want to protect some IP. In other cases, security and/or compliance initiatives may require enhanced IP protection within parts of an organization.

The Need for Obfuscation

Indeed, there is value in the obfuscation applied when rendering JavaScript-based rule applications. However, we also know many enterprises have already chosen to license purpose-built tools, like Jscrambler, to deliver additional, enhanced obfuscation as part of their overall application delivery pipelines.

Introducing the Latest Integration: Jscrambler

For this reason, we are pleased to announce the availability of a new helper automation in CI/CD for irCatalog, the decision DevOps solution we announced earlier this year. With this new feature, users can automate the generation of JavaScript-based decisions and then add enhanced obfuscation with Jscrambler as a configurable step in their pipeline to augment the protection of their valuable IP.

As always, please let us know what you think in the comments below, and happy JavaScripting!