Welcome back to our five-part series on client-side security approaches. For those of you who are new to this series, there are five approaches to client-side security:
- Web Application Firewalls
- Content Security Policies
- Penetration Testing and Security Assessments
- Client-side Vulnerability Scanning
- JavaScript Security Permissions
In this blog I’m going to cover the use and limitations of pentesting, vulnerability assessments and security assessments for client-side security.
What is Penetration Testing?
A penetration test, more commonly referred to as a “pentest”, is a deliberate cybersecurity attack designed to uncover weaknesses and vulnerabilities across an organization’s security controls. Companies either use internal red teams to carry out these attacks or hire an external security service provider that specializes in penetration testing. During the pentest, red teams attempt to enumerate and infiltrate their target’s digital infrastructure, networks, and endpoints. Once vulnerabilities have been identified, pentesters try to mimic threat actor tactics, techniques, and procedures (TTPs) to forage deeper into their target’s systems and networks. The final output of the pentest is a report that outlines what security gaps exist and what needs to be addressed to secure the business from cyberthreats.
What is a Vulnerability Assessment?
A vulnerability assessment is a systematic analysis and review of security weaknesses in a technology, system, application, or network. During these assessments a security analyst will determine if the system is susceptible to any known or exploitable vulnerabilities, assign severity levels to them, recommend remediation or mitigation, and prioritize the order in which remediation must occur based on the severity level.
What is a Security Assessment?
Unlike pentesting and vulnerability assessments, which are focused on the tools and technology, security assessments are more concerned with process, governance, and compliance. If you want a quick and dirty response to this question, it’s pretty simple. It’s an evaluation of your tools, applications, websites, and technologies, and how they are used to determine if they are secure from cyber risks and threats. Security assessments identify and evaluate if your business has the proper security policies and controls in place across all of your assets within and outside of your security perimeter. The end result of a security assessment should be deep insights into the security gaps of your organization, aligned to both your overall security program and a governance model (e.g. NIST). The undertones of the report should also provide a risk level of your organization in its current state. Generally speaking security assessments are a core piece of any organization’s risk management process.
Security assessments can be performed by consultants or internal teams. It depends on how mature the organization’s processes and security teams are. Consultants and security analysts who perform assessments conduct in-depth audits of the organization’s defensive measures against various attack methods used by threat actors – internal (insider threat and human error) or external (hackers trying to breach the business via client-side or server-side attacks).
What is Tested During a Client-side Security Assessment?
Client-side security assessments are actually quite uncommon at this point in time. This is a huge problem with the rise of client-side attacks like cross-site scripting, formjacking, and Magecart. Given the increased use of front-end frameworks, libraries, and third-party tools, it’s time for organizations to expand the scope of traditional security assessments and testing to include the client-side attack surface of their websites and web applications.
Client-side security assessments are tedious if done manually. There are five categories of questions a consultant or security analyst needs to answer to uncover potential client-side issues and their associated risks. These questions include:
- What client-side assets do we have?
If you don’t know what you have, you can’t protect it. The first step in a security assessment is to inventory all webpages, web applications, landing pages, forms, payment forms, marketing trackers, and other client-side assets that might pose a risk to the business if corrupted.
- What technologies do we use? What first- and third-party code are we using? What does our JavaScript supply chain look like?
This is critical. Websites today are assembled in real-time using a variety of protocols, connections, and data sources. Businesses must have an inventory of what each web page and web application is made up of. Assessors need to have a full picture of all their scripts, where they are loaded, how they are loaded, and how they interact with other JavaScript code across the client-side. The easiest way for threat actors to steal protected data is by corrupting third-party JavaScript. Without continuous testing of your client-side you might never see that they have breached your JavaScript supply chain and are stealing customer information.
- Who has access to our data (in real-time)?
Once you have a list of your assets and the associated technologies, it’s time to start looking into who has access to them (and what type of access). Are third parties reading all of our customer data during every form submission? How are we protecting our user’s privacy? Being able to shape (data access) insights across the client-side is the next big step in being able to protect the client-side.
- Are we in the midst of an attack right now?
Once you have a full inventory of your client-side pages, applications, and the code you use, it’s time to see if your client-side web assets are only doing what you want them to be doing… ahem… data you are collecting is only being collected by you and isn’t being sent to a threat actors command and control (C2) domain in Uzbekistan. You want to look at your keyloggers, your websockets, any anomalous behaviors, and if there is any data transfer to unauthorized countries or servers, etc.
- What needs to be fixed now?
Once the security assessor has inventoried your client-side assets and the code used to build and maintain them, and have uncovered potential breaches and exploited vulnerabilities, the assessor should provide a detailed report on what the organization’s security team should do to secure the business. Client-side security assessments should point out:
Security configuration gaps:
- Current access controls – Who currently has access to what and how to limit access to ensure only authorized individuals can modify or utilize client-side assets.
- Overly permissive access – Clear recommendations on how to deploy a Zero Trust approach to client-side web applications and websites to reduce the risk of tampering. Help the business ensure who has full access, read only access, and data transfer access.
Malicious elements:
- Malicious hosts – Are any malicious hosts actively stealing data? What can be done to fix this issue?
- Malicious scripts – Is the business currently using any first- or third-party script that has been corrupted and is exfiltrating data or modifying the web page or application in any way? What can be done to fix this issue?
Vulnerabilities:
- Exploited Vulnerabilities – Are there any known vulnerabilities currently being exploited? Is there a patch available to fix these vulnerabilities and which ones are the most critical to patch?
- Other Vulnerabilities – Are there any known vulnerabilities that we can patch proactively to reduce client-side cyber risk? Is a patch available and how critical is it to patch the vulnerability now?
What Pentesting, Vulnerability Assessment and Security Assessment Limitations Exist?
Typically, pentests, vulnerability assessments and security assessments are performed as short-term projects that are repeated on a quarterly or annual basis. Finding good pentesters is hard and they demand a high wage because of the specialized skill set and experience they possess. Many organizations hire a managed security service provider (MSSP) to conduct the pentest.
Let’s assume that a penetration test or assessment is 100% accurate and provides actionable results. That’s great. However, results are a snapshot in time, which means hackers have the ability to execute attacks between quarterly or annual assessments. Additionally, hackers are always looking for new vulnerabilities to exploit and likely will know about new exploits before a pentest has been completed. Relying on quarterly or annual vulnerability assessments is a great start, but companies still remain exposed to breaches. Ultimately, threats and cyber threat actors can move much faster than any company.
Penetration tests and assessments also present limitations because they:
- Are time and resource intensive.
- Are limited in scope to certain applications, technologies, and networks.
- Require a very skillful consultant, tester, or employee with a high level of skill and know-how to be successful.
- Rely on the use of specialized tools and technologies to uncover vulnerabilities and threats.
Are Pentests, Vulnerability Assessments and Security Assessments Right for Me?
Yes! Yes they are! They are a necessary aspect of any cybersecurity program. But keep in mind that they are not continuous. The information gleaned during a pentest or assessment represents only those issues that exist at that moment, and there might be a laundry list of new vulnerabilities and issues that a different pentest or assessment will uncover in a week or a month. Threat actors move faster than any government or business. To stay ahead of the threat, you need more than a period-in-time pentest or vulnerability assessment.
Next Steps
In addition to pentest and assessments, organizations supporting client-side activities need to consider additional security measures, such as automating their client-side security. Implementing effective client-side security is crucial. If you are on the long arduous journey of digital transformation, because let’s face it who isn’t, check out our blog over the coming weeks as we explore the various attack vectors the client-side is bringing to end users. I have covered three of five client-side security approaches. Check out my earlier blogs on WAFs and CSP. In the next installment, I will outline the client-side vulnerability scanning approach, which can get you closer to securing your client-side web applications, but still is quite limited in scope.
