Client-side security is its own universe. In most cases, securing an application in this space still requires a great deal of manual work. The client-side, web browser front end is a different attack surface from the other interfaces of a web application. Like any other area of application security, client-side security requires its own point of view, approach, and skills, and for many teams these concepts are not yet well understood. In this post, we'll explore which components of a client-side security risk management program help reduce potential "backdoor" risk.
Background
Client-side JavaScript code often runs on unmonitored devices where security flaws create potential backdoors that can be leveraged by malware and malicious actors. These attacks are intended to capture data during the end-user experience on the client-side browser and exfiltrate it to an attacker’s servers without being detected. This makes hardening and protecting the client-side against skimming breaches critical.
The hardening process itself is multifaceted, with one of the first key steps being an understanding of what is at stake and an examination of the risk management processes and procedures currently in place.
Understand and Prioritize Client-Side Security Risks
As businesses begin to examine the risks associated with skimming attacks, it is critical to understand and prioritize data and assets, as well as quantify the financial and reputation impacts of an attack or breach. Here is a list of data, assets, and potential issues to assist with the client-side security risk management process:
- Payment card data
- Authentication and authorization credentials
- Financial records
- Customer personally identifiable information (PII)
- Patient personal health information (PHI)
- Settlements, legal costs, judgments and litigations
- Fines, penalties, and fraud losses
- Termination of accepting payment cards
- Diminished sales and lost revenue
- Going out of business
- Cost of reissuing new payment cards
- Higher future costs of compliance
- Implications of a recent web application breach
- PCI compliance-related, forensic investigation costs and associated fines, penalties and liabilities
- Costs associated with remediating breach related vulnerabilities
- Applicable CCPA, GDPR, and other privacy regulations
- Brand damage
- Impact on business continuity
- Lost employee productivity
Identify Potential Backdoors
Front-end code, aka ‘the digital user experience,’ can actively ingest customer/user information at data input points including login and financial transaction forms, or any other web forms where organizations are processing sensitive user data.
Web development continues to move software logic to the client side of web applications. Web applications increasingly execute both dynamically loaded and externally controlled JavaScript code in users' web browsers. Dynamically loaded third-party scripts dramatically increase code variability while nearly eliminating change control over what runs. Increased variability and reduced controls mean a growing probability of compromise. This means that every script, third-party component, and open-source library can open a backdoor.
- Are you aware of every backdoor?
- Do you know what is flowing through these backdoors?
- Can you lock and control backdoors?
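The three questions above are answered only by inventorying what actually executes in the browser during a session. The following is an added example, not code from the original post or from Feroot: a visibility inventory of the scripts observed in one user journey. The input format is an assumption: a runtime monitor (for instance a MutationObserver watching script insertions) records each script URL, whether it was in the server-rendered HTML, and which already-running script inserted it. The origins and script URLs are constructed.

```javascript
// Added example (not from the original post). Builds a per-session inventory of
// executing scripts, recovers the chain that brought each one in, and reports the
// origins that never appear in the HTML at all (the ones a team is least likely to know about).
const PAGE_ORIGIN = 'https://shop.example'; // constructed first-party origin

// Constructed sample session: two first-party bundles, a tag manager and a chat
// widget referenced from the HTML, and scripts those vendors pulled in at runtime.
// loadedBy is null when the HTML itself referenced the script.
const OBSERVED_SCRIPTS = [
  { url: 'https://shop.example/static/app.js',          inHtml: true,  loadedBy: null },
  { url: 'https://shop.example/static/checkout.js',     inHtml: true,  loadedBy: null },
  { url: 'https://cdn.tagmanager.example/gtm.js',       inHtml: true,  loadedBy: null },
  { url: 'https://chat.widget.example/loader.js',       inHtml: true,  loadedBy: null },
  { url: 'https://analytics.vendor.example/collect.js', inHtml: false, loadedBy: 'https://cdn.tagmanager.example/gtm.js' },
  { url: 'https://assets.unknown-party.example/ab.js',  inHtml: false, loadedBy: 'https://chat.widget.example/loader.js' },
  { url: 'https://metrics.unknown-party.example/px.js', inHtml: false, loadedBy: 'https://assets.unknown-party.example/ab.js' },
];

function originOf(url) {
  return new URL(url).origin;
}

// Walk the loadedBy links back to the HTML. Returns the chain of URLs from the
// script the HTML referenced down to `url`. A cycle or a loader that was never
// observed ends the walk, so a malformed record cannot loop forever.
function loadChain(url, byUrl) {
  const chain = [];
  const seen = new Set();
  let cur = url;
  while (cur && !seen.has(cur)) {
    seen.add(cur);
    chain.unshift(cur);
    const rec = byUrl.get(cur);
    cur = rec ? rec.loadedBy : null;
  }
  return chain;
}

// Party depth: 1 = first-party origin, 2 = third party referenced directly by the
// first-party page, 3+ = pulled in at runtime by another third party ("nth party").
function partyDepth(chain, pageOrigin) {
  const thirdParties = chain.filter((u) => originOf(u) !== pageOrigin);
  return thirdParties.length === 0 ? 1 : thirdParties.length + 1;
}

function buildInventory(scripts, pageOrigin = PAGE_ORIGIN) {
  const byUrl = new Map(scripts.map((s) => [s.url, s]));
  return scripts.map((s) => {
    const chain = loadChain(s.url, byUrl);
    return { url: s.url, origin: originOf(s.url), injected: !s.inHtml, chain, depth: partyDepth(chain, pageOrigin) };
  });
}

// What a reviewer wants to know: every origin executing code in the session, the
// origins that only ever arrive through runtime injection (invisible to a review of
// the HTML or of the first-party repository), and how deep the loading chain goes.
function summarize(inventory) {
  const origins = new Set();
  const staticOrigins = new Set();
  let maxDepth = 0;
  for (const item of inventory) {
    origins.add(item.origin);
    if (!item.injected) staticOrigins.add(item.origin);
    if (item.depth > maxDepth) maxDepth = item.depth;
  }
  const injectedOnlyOrigins = [...origins].filter((o) => !staticOrigins.has(o)).sort();
  return { origins: [...origins].sort(), injectedOnlyOrigins, maxDepth };
}

function report(scripts = OBSERVED_SCRIPTS) {
  const inv = buildInventory(scripts);
  for (const item of inv) {
    const via = item.chain.length > 1 ? item.chain[item.chain.length - 2] : 'unknown loader';
    console.log(`[party ${item.depth}] ${item.url}${item.injected ? `  (injected at runtime by ${via})` : ''}`);
  }
  const s = summarize(inv);
  console.log(`origins executing code: ${s.origins.length}; reachable only by injection: ${s.injectedOnlyOrigins.join(', ')}; deepest chain: ${s.maxDepth}`);
  return s;
}

report();
```

Run with `node inventory.js`. The point of the depth and chain fields is that the scripts at depth 3 and 4 were chosen by a vendor's code, not by the site's developers, and would never show up in a review of the application's own source or HTML.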
Risk Management Frameworks
When examining risk, it helps to apply a risk management framework. By leveraging risk management frameworks, you can be confident that your approach is structured, measured, and complete. Some of the most popular governance, risk, and compliance (GRC) frameworks to consider are OWASP, CIS, NIST, or MITRE ATT&CK. The benefit of a framework is that you know if something is missing.
The Importance of Visibility
Security starts with visibility. With a risk management framework in place, organizations need to understand the root causes of risk by breaking down any larger problems into smaller ones. It helps to ask these questions:
- What assets do you have?
- Who has access to those assets?
- What is being done to these assets?
- What controls and protections are in place?
- Are controls effective and has anyone tampered with them?
- What happens if your web application has been breached recently?
- What will be the PCI compliance-related forensic investigation costs and associated fines, penalties and liabilities?
- What will be the cost of remediating breach related vulnerabilities?
- Are CCPA, GDPR and other privacy regulations applicable? What are those related potential costs?
- What about lost revenue? How critical is it in terms of brand damage?
- Will business continuity or employee productivity be impacted?
The Goals of a Root-Cause Approach
It is important to develop a thoroughly optimized method to identify the root cause or reason behind a given problem. It is equally important not to stop at surface issues or the symptoms of the problem. The root-cause method helps businesses discover what is really causing the problem and remediate any associated critical issues.
In determining a method, the approach should be flexible, platform-agnostic and business-friendly. It should also be continuous and comprehensive enough to make it effective, efficient, and to help prevent future mistakes and missed vulnerabilities.
The Building Blocks of Client-Side Security
Because the client-side code dynamically changes for each user session, client-side vulnerability inspection must include all JavaScript code loaded by the browser during user journeys. This includes code loaded by the first-party web application servers as well as any code loaded from external third-party sources. Considering all elements of the client-side browser code will enable you to determine the security posture of the client side and obtain a comprehensive list of vulnerabilities in this environment. A solid methodological approach to tackling front-end security problems will involve the following:
- Vulnerability Management—Penetration tests and security vulnerability assessments help diagnose immediately addressable vulnerability issues. However, additional scrutiny should be applied to runtime client-side code. This will help to accurately and precisely discover such vulnerabilities and provide actionable information.
- Content Security Policy (CSP)—Includes the introduction of security controls to enable a business to operate flexibly without hindering business operations or introducing risk.
- Web Application Firewall (WAF)—WAF implementation should become part of the operation and be embedded into the runtime as well. However, there is also a need to secure the client side at the browser level, in a platform-agnostic way.
- Secure Software Development Lifecycle (SDLC)—The secure SDLC should include tools that monitor and help manage change control over the entire software development lifecycle. In addition, a critical objective is to monitor and manage in-house developed JavaScript code and third-party code, regardless of whether such code is loaded from servers under your control or dynamically loaded from third-party servers.
- Third-party & Supplier Risk Management—The goal is effective management of third-party vendor risk to critical IT and data assets. Potential solutions need to address third-party technologies in real time and at the browser level of every user session. Once again, they should do so with no adverse impact on user experience and browser performance.
Feroot creates a sustainable security program operation with continuous scanning and real-time protection and monitoring of the client-side (front-end) surface area that is proactive, autonomous, and accurate. Feroot Security believes that customers should be able to do business securely with any company online, without risk or compromise. Our mission is to secure client-side web applications so that our customers can deliver a flawless digital user experience to their customers.