Welcome back to our five-part series on client-side security approaches. For those of you who are new to this series, there are five approaches to client-side security:
- Web Application Firewalls
- Content Security Policy
- Penetration Testing, Vulnerability Assessments and Security Assessments
- Client-side Vulnerability Scanning
- JavaScript Security Permissions
In this blog I’m going to cover the use and limitations of vulnerability scanning for client-side security. Let’s start with the absolute basics and take a deeper dive into a few key questions. (If you are a seasoned security expert, please skip ahead.)
What is a (Software) Vulnerability?
Simply put, a software vulnerability is an error or defect in software. Threat actors and hackers love to scan networks, systems, applications, and software to find vulnerabilities that they could use to gain control of the system or software. Vulnerabilities stem from the way the software is designed and built. For example, there could be a flaw in the way the application or software was coded, errors could have been introduced unexpectedly in a software update or release, or code errors could have been introduced inadvertently when first- or third-party code was added to the software or application.
Why is JavaScript Vulnerable?
JavaScript, like many other programming languages, wasn’t designed with security in mind. Protecting JavaScript is something we now have to reckon with, given the explosion of its usage in all modern digital applications. JavaScript vulnerabilities have become a favorite for threat actors given the ease with which they can be exploited and leveraged for more advanced attacks like digital skimming. To learn more about why JavaScript is vulnerable, check out the blog Love It or Hate It, JavaScript is Here to Stay.
What is Vulnerability Management?
Vulnerability management is the continuous process of identifying, analyzing, prioritizing, and remediating weak points in an organization’s cybersecurity posture. Vulnerabilities include potential exposures or risks that need to be mitigated to ensure threat actors cannot exploit them to access the network for malicious purposes.
What can Vulnerability Scanners do?
There are quite a few vulnerability scanning products on the market today, many of which have been around for a long time. These tools are designed to scan and assess computers, software, applications, servers, and networks to uncover known weaknesses (a.k.a. vulnerabilities) that could be used for malicious purposes by hackers. Vulnerability scanners are used to identify and detect vulnerabilities arising from misconfigurations or flawed programming within network-based assets such as firewalls, routers, web servers, application servers, and more.
Cybersecurity teams deploy vulnerability scanners to find potential inroads hackers could use to breach their networks and defenses. Once a vulnerability has been found, vulnerability management and security teams patch it with software updates. If vendor software updates are not available, security teams find ways to reduce the potential harm or cyber risk they might incur if a hacker attempts to breach their network using the vulnerability as the entry point.
What Limitations do Vulnerability Scanners Have When Used for Assessing Client-side JavaScript?
Vulnerability scanners are designed to scan back-end code and systems, typically the digital assets that live on the server side. They aren’t able to detect and enumerate all JavaScript scripts and vulnerabilities. To be blunt, they just can’t see them. Vulnerability scanners can only see the client-side as a static snapshot of the page after it has been assembled, not the scripts that load and execute in real time as a user interacts with it. Vulnerability scanners also can only see the single domain they are pointed at, not all of the other domains that the page’s scripts link to and load from. Check out the examples below.
What Typical Vulnerability Scanners are Able to See and Scan
Traditional vulnerability scanners are more closely related to bots than they are to humans. As such, there are several “human-like” actions they cannot replicate, so they do not detect client-side threats in their entirety. In this example only a few JavaScript items are detected. The screenshot below shows this in a very simple way: a vulnerability scanner will only pick up a handful of active scripts.
What Client-side Security Technologies (Like Feroot Inspector) are Able to See and Scan
Client-side security technologies, like Feroot Inspector, use synthetic user actions to replicate actual user behavior on a webpage, including the ability to execute custom user journey scenarios. As the image below shows, client-side security technologies are able to pick up more than 50 active scripts on the same page. Needless to say, there is a massive detection gap that leaves businesses vulnerable to client-side cyber attacks.
Are Vulnerability Scanners Useful for Client-side Security?
Vulnerability scanners are a necessary part of any cybersecurity program. However, they are not useful for client-side security, because they were never designed to support client-side security efforts. Feroot Security Inspector was built to scan JavaScript web applications and websites. Inspector sees all scripts, network requests, and resources in each scan. Since JavaScript is so easy to manipulate, threat actors can move very fast when tampering with scripts or hijacking them for malicious purposes. Our technology continuously scans client-side web applications and websites, and alerts on issues immediately. Furthermore, our Feroot Security PageGuard product deploys JavaScript security permissions so that hackers can’t exfiltrate data. Security teams can rest easy that their client-side applications are protected, and they can fix vulnerabilities and issues when they are ready, not under duress. If you want to see our solutions in action, you can request a demo here.
Next Steps
Please do not rely on vulnerability scanning to uncover vulnerabilities on your client-side. Organizations need to consider additional client-side security measures, such as automating their client-side security with purpose-built technologies. Implementing effective client-side security is crucial. If you are on the long, arduous journey to build a client-side security program, check out our blog over the coming weeks. I have now covered four of the five client-side security approaches. (Click to read the earlier blogs on WAFs, CSP, and pentests & security assessments.) In the next installment, I will outline the JavaScript Permissions approach, which can help you secure your client-side web applications effectively and efficiently.