
Browser-side security — the blindspot you need to prioritize

An unfortunate truth of doing business online today — attackers will try to break into your web apps. It’s only a matter of time. In fact, according to research, a new online attack occurs every 39 seconds. Hardly a week goes by without another organization making headlines with the disclosure of a data breach affecting thousands, sometimes millions, of people across the globe. 

The scale and scope of today’s attacks are staggering. Juniper Research predicts that 146 billion records will be compromised by 2023 as a result of data breaches. In the first half of 2019 alone, 4.1 billion records were stolen with at least three breaches making the list of top 10 largest breaches of all time. It’s no surprise that CEOs and other business leaders consider cybersecurity as the biggest threat to the world economy. 

Attackers are finding new ways to infiltrate organizations, and they aren't slowing down. As the attack surface widens and the security perimeter extends, attackers are finding more weaknesses to exploit that enable them to break into systems and steal data.

JavaScript is key to modern web development

You would be hard pressed today to find any website or web app that has not been built, at least in part, using JavaScript. There are over 1.7 billion public-facing websites in the world and JavaScript is used on 95 percent of them. 

JavaScript provides many benefits for web development, including the ability to deliver dynamic content, present a rich and immersive experience, and transform what would normally be static web pages into true applications. This has led to its immense popularity (it's the top programming language on GitHub) and the rise of numerous open-source JavaScript libraries and frameworks containing pre-written code that can be used to speed up development.

While JavaScript is an incredibly powerful language that can boost development potential, the property that makes it powerful is also what makes it dangerous: every script that runs in a page, whatever its origin, runs with that page's full privileges.


What makes client-side JavaScript an easy target? 

JavaScript can read, modify, and remove any element on any page where it is used, including UI elements such as form fields, storage assets such as cookies and local storage, and other important resources. The browser's same-origin policy isolates one site from another, but it does not isolate scripts within a page: once a script is included, whether first-party code written internally or code sourced from a third party, it runs with the full authority of the page and has complete access to it. It also executes at runtime in the visitor's browser, beyond the traditional security perimeter. There is no easy way for website owners or visitors to know when a script has been tampered with, so a script could be opening popups, redirecting visitors to malicious domains, changing page content, or skimming sensitive data from form fields without raising any flags.

As a result, attackers are turning their attention and focus to browser-based threats like web skimming that enable them to leverage the biggest blindspot in most organizations’ security postures — the browser. 

Zero-trust JavaScript access is the best way to protect your customers’ data 

Unauthorized client-side modification of JavaScript, whether first-party code or code from a third-party vendor, is invisible to IT security teams, who see their own servers but not what executes in each visitor's browser. In addition, modern browsers offer very little control over what a loaded script is able to access: all scripts in a page are treated the same regardless of whether they come from the same website or another location entirely. Content Security Policy can restrict which script sources are allowed to load, and Subresource Integrity can verify that a static script has not changed in transit, but neither limits what a script may read once it is running. If a bad actor tampers with a script so that it collects data and sends it somewhere else, a security team won't be notified.

For example, in the e-skimming attacks carried out against Macy's and British Airways, the malicious code was discovered only after it had done its damage. Attackers placed skimmers without detection and exfiltrated data for days before they were found. Without the proper controls in place in the browser, nothing stops a script, internal or external, from accessing sensitive personal data.

The best defense against browser-based JavaScript attacks is to prevent all scripts from unauthorized access of sensitive data. A zero-trust approach effectively disarms the threat without having to rely on weaker detection methods. After all, attackers can’t steal information they can’t see. 

Instart Web Skimming Protection intercepts all API calls from any JavaScript in the browser and automatically blocks access to all HTML form fields and cookies, unless they have been given explicit permission. This approach prevents any script, whether malicious, infected, or non-critical, from gaining access to sensitive customer data and protects your apps, your customers, and your brand from a breach. 
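The access model described in the two sections above (every script in the page can read every field, so reads should be denied unless a policy explicitly grants them) is easier to reason about in code. The following is an added example written for this page; it is not Instart's product or any code from the original post. It is a toy implementation of that idea that runs under Node, with a constructed stand-in for the parts of the DOM it touches. The script URLs, field names, cookie contents and policy table are assumptions chosen for the illustration, and scripts are attributed the way document.currentScript attributes a synchronously executing script in a real page.

```javascript
'use strict';

// Minimal stand-in (constructed for this example) for the parts of a page the
// shim touches: form fields, the cookie store and a document.currentScript analogue.
const backing = new WeakMap(); // hides each field's real value from direct property reads

class FakeElement {
  constructor(name, value) {
    this.name = name;
    backing.set(this, value);
  }
}

const page = {
  currentScript: null, // mirrors document.currentScript
  cookieJar: 'session=abc123; prefs=dark', // backing store for document.cookie (constructed)
  fields: {
    cardNumber: new FakeElement('cardNumber', '4111111111111111'),
    cvv: new FakeElement('cvv', '123'),
    newsletter: new FakeElement('newsletter', 'yes'),
  },
};

// Execute a script body the way the browser runs <script src="...">: while it
// runs synchronously, currentScript identifies it. In a real page this is what
// document.currentScript provides; it is null inside callbacks and async code.
function runScript(src, body) {
  const prev = page.currentScript;
  page.currentScript = { src };
  try {
    return body();
  } finally {
    page.currentScript = prev;
  }
}

// Allow-list keyed on script URL (hypothetical URLs): which script may read
// which sensitive resource. Anything not listed, including inline or
// unattributable code, is denied by default.
const policy = {
  'https://shop.example/static/checkout.js': {
    fields: ['cardNumber', 'cvv', 'newsletter'],
    cookies: true,
  },
  'https://analytics.example/tag.js': { fields: ['newsletter'], cookies: false },
};

const audit = []; // every denied read, for the security team to review

function callerScript() {
  return page.currentScript ? page.currentScript.src : null;
}

function permitted(kind, name) {
  const src = callerScript();
  const rules = src ? policy[src] : undefined;
  const ok =
    rules !== undefined &&
    (kind === 'cookie' ? rules.cookies : rules.fields.includes(name));
  if (!ok) audit.push({ script: src || '(inline/unknown)', kind, name });
  return ok;
}

let shimInstalled = false;

// Replace direct property reads with gated getters. Writes are left alone; the
// goal is to stop reads by scripts that have no business seeing the data.
function installShim() {
  if (shimInstalled) return;
  for (const el of Object.values(page.fields)) {
    Object.defineProperty(el, 'value', {
      configurable: false, // a later script cannot simply redefine the getter
      get() { return permitted('field', el.name) ? backing.get(el) : ''; },
      set(v) { backing.set(el, v); },
    });
  }
  Object.defineProperty(page, 'cookie', {
    configurable: false,
    get() { return permitted('cookie', 'document.cookie') ? page.cookieJar : ''; },
  });
  shimInstalled = true;
}

// The same reads issued by the real checkout script and by a skimmer injected
// into a tag served from another host (constructed, not a real sample).
function readCheckoutData() {
  return {
    card: page.fields.cardNumber.value,
    cvv: page.fields.cvv.value,
    cookie: page.cookie,
  };
}

function demo() {
  installShim();
  audit.length = 0;
  const legit = runScript('https://shop.example/static/checkout.js', readCheckoutData);
  const skim = runScript('https://cdn.evil.example/tag.js', readCheckoutData);
  const partial = runScript('https://analytics.example/tag.js', () => ({
    card: page.fields.cardNumber.value,
    newsletter: page.fields.newsletter.value,
  }));
  return { legit, skim, partial, blocked: audit.slice() };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to see the three outcomes: the checkout script reads everything, the skimmer gets empty strings for every field and for the cookie, and the analytics tag gets only the field it was granted, with every denied read recorded in the audit list. Two caveats a practitioner would raise before relying on this pattern: document.currentScript is null inside event handlers, promises and timers, so a production shim has to attribute the caller some other way (typically by inspecting the call stack), and a getter installed by page code protects nothing against a script that runs before it or that captures keystrokes directly, so a real implementation must install itself before any other script executes and cover far more than these two APIs.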

Businesses can no longer operate with prevention as the mainstay of their web security strategies. Speeding up detection and mitigation of attacks will be key going forward, as well as making sure you can protect your data — even in the event of a breach. 



*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Elle Poole Sidell. Read the original post at: https://www.instart.com/blog/browser-side-security-blindspot