Client-side security is its own universe. In most cases it requires an awful lot of manual work to ensure application security in this space. The client-side, web browser front end is a different attack surface than other web application interfaces. Just like in optimized application security, client-side security requires a completely new point of view, approach, and skills. For many, these concepts are not yet well understood. In this blog, we’ll explore what components of a client-side security risk management will help reduce potential “backdoor” risk.
The hardening process itself is multifaceted, with one of the first key steps being an understanding of what is at stake and an examination of the risk management processes and procedures currently in place.
Understand and Prioritize Client-Side Security Risks
As businesses begin to examine the risks associated with skimming attacks, it is critical to understand and prioritize data and assets, as well as quantify the financial and reputation impacts of an attack or breach. Here is a list of data, assets, and potential issues to assist with the client-side security risk management process:
- Payment card data
- Authentication and authorization credentials
- Financial records
- Customer personally identifiable information (PII)
- Patient personal health information (PHI)
- Settlements, legal costs, judgments and litigations
- Fines, penalties, and fraud losses
- Termination of accepting payment cards
- Diminished sales and lost revenue
- Going out of business
- Cost of reissuing new payment cards
- Higher future costs of compliance
- Implications of a recent web application breach
- PCI compliance-related, forensic investigation costs and associated fines, penalties and liabilities
- Costs associated with remediating breach related vulnerabilities
- Applicable CCPA, GDPR, and other privacy regulations
- Brand damage
- Impact on business continuity
- Lost employee productivity
Identify Potential Backdoors
Front-end code, aka ‘the digital user experience,’ can actively ingest customer/user information at data input points including login and financial transaction forms, or any other web forms where organizations are processing sensitive user data.
- Are you aware of every backdoor?
- Do you know what is flowing through these backdoors?
- Can you lock and control backdoors?
Risk Management Frameworks
When examining risk, it helps to apply a risk management framework. By leveraging risk management frameworks, you can be confident that your approach is structured, measured, and complete. Some of the most popular governance, risk, and compliance (GRC) frameworks to consider are OWASP, CIS, NIST, or MITRE ATT&CK. The benefit of a framework is that you know if something is missing.
The Importance of Visibility
Security starts with visibility. With a risk management framework in place, organizations need to understand the root causes of risk by breaking down any larger problems into smaller ones. It helps to ask these questions:
- What assets do you have?
- Who has access to those assets?
- What is being done to these assets?
- What controls and protections are in place?
- Are controls effective and has anyone tampered with them?
- What happens if your web application has been breached recently?
- What will be the PCI compliance-related forensic investigation costs and associated fines, penalties and liabilities?
- What will be the cost of remediating breach related vulnerabilities?
- Are CCPA, GDPR and other privacy regulations applicable? What are those related potential costs?
- What about lost revenue? How critical is it in terms of brand damage?
- Will business continuity or employee productivity be impacted?
The Goals of a Root-Cause Approach
It is important to develop a thoroughly optimized method to identify the root cause or reason behind a given problem. Conversely, it is equally important to not just examine surface issues or the symptoms of the problem. The root-cause method helps businesses discover what is really causing the problem and remediate any associated critical issues.
In determining a method, the approach should be flexible, platform-agnostic and business-friendly. It should also be continuous and comprehensive enough to make it effective, efficient, and to help prevent future mistakes and missed vulnerabilities.
The Building Blocks of Client-Side Security
- Vulnerability Management—Penetration tests and security vulnerability assessments help diagnose immediately addressable vulnerability issues. However, additional scrutiny should be applied to runtime client-side code. This will help to accurately and precisely discover such vulnerabilities and provide actionable information.
- Content Security Policy (CSP)—Includes the introduction of security controls to enable a business to operate flexibly without hindering business operations or introducing risk.
- Web Application Firewall (WAF)—WAF implementation should become part of the operation and embedded into the runtime as well. However, there is also a need to secure the client-side at the browser level and while being platform agnostic.
- Third-party & Supplier Risk Management—The goal is effective management of third-party related vendor risk to critical IT and data assets. Potential solutions need to address third-party technologies in real-time and at the browser-level of every user session. Once again, it should do so with no adverse impact on user experience and browser performance.
Feroot creates a sustainable security program operation with a continuous scanning and real-time protection and monitoring of the client-side (front end) surface area that is proactive, autonomous, and accurate. Feroot Security believes that customers should be able to do business securely with any company online, without risk or compromise. Our mission is to secure client-side web applications so that our customers can deliver a flawless digital user experience to their customers.