This is it. Blog number five in my series on client-side security approaches. If you have managed to stick with me through the entire series, thank you! If this is the first blog you have come across, welcome! For those of you who are new to this series, I covered the following five approaches to client-side security:
- Web Application Firewalls
- Content Security Policy
- Penetration Testing, Vulnerability Assessments, and Security Assessments
- Vulnerability Scanning
- JavaScript Security Permissions (the subject of this blog)
Second Step: What are permissions?
Types of permissions include the application's ability to:
- Access features on the user's machine (such as their camera or microphone).
- Review and collect personal data (such as personally identifiable information, data entered into forms, IP address, and location data).
- Grant rights to modify the functionality of the application or software.
In short, PageGuard monitors and responds to browser-level security events in real time by auto-instrumenting itself on every website and by applying security configurations to every user browser session. I assure you, it's not too good to be true.
There are none. If an application development or security team deploys JS security permissions on all of their client-side pages and applications, then third-party JS code can't be tampered with and data can't be exfiltrated by threat actors. Coupled with proactive scanning of client-side assets, application security and cybersecurity teams receive alerts with context so they can repair client-side security issues, all while remaining protected.
We have now reached the end of my five-part blog series. Let's recap our journey quickly. Here's a brief overview of the top five client-side security approaches and their limitations.
Web application firewalls can’t protect businesses from:
- Sophisticated skimming malware
- Drive-by skimming
- Supply chain attacks
- Sideloading attacks
- Chainloading attacks
Content security policies come with weaknesses that expose businesses to e-skimming breaches. These include:
- Excessive “allow list” rules or whitelisting
- CSP bypass techniques
- Incorrect CSP implementation
- CSP implementation tradeoffs
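As an added illustration of the first and third bullets above (this is example code written for this recap, not the original post's or any product's code), a small Python auditor parses a CSP header and flags excessive allow-list entries and missing directives; the two policy strings are constructed samples, not real site policies:

```python
# Added example: flag the CSP weaknesses named above (excessive allow-list
# rules, incorrect implementation). The policy strings are constructed samples.
from typing import Dict, List

# Source expressions that widen an allow list enough to let a skimming script run.
OVERLY_PERMISSIVE = ("*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was spotted."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src governs script loading; default-src is the fallback when it is absent.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
        return findings
    for src in script:
        if src in OVERLY_PERMISSIVE:
            findings.append(f"script-src allows {src}: excessive allow-list entry")
        elif src.startswith("*."):
            findings.append(f"script-src allows {src}: wildcard subdomain")
    # 'strict-dynamic' only trusts scripts reached from a nonce- or hash-approved script.
    if "'strict-dynamic'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        findings.append("'strict-dynamic' without a nonce or hash: no script can be trusted")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src: plugin content is unrestricted")
    return findings


# Constructed samples: a permissive policy beside a tighter one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https: *.cdn.example"
STRONG_CSP = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'"

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(name, audit_csp(csp) or ["no findings"])
```

The weak policy yields three findings (inline scripts, any HTTPS origin, and a wildcard subdomain), while the nonce-based policy yields none; the auditor is deliberately narrow and does not evaluate every CSP bypass technique.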
Pentesting, vulnerability assessments, and security assessments have some strong limitations. They are:
- Time and resource intensive
- Limited in scope to certain applications, technologies, and networks
- Dependent on a very skillful penetration tester with a high level of expertise to be successful
- Reliant on specialized tools and technologies to uncover vulnerabilities and threats
Vulnerability scanners are not well suited for client-side security because they:
- Are designed to scan server-side assets, not web applications and websites
- Can only see a single domain, not all of the links that are part of it
As discussed in the first blog of the series, "Everything You Need to Know About Web Application Firewalls", implementing effective client-side security is crucial to ensure the safety of your customer data, the integrity of your user experience, and the functionality of your web applications and websites. Having a safe and secure digital presence is the core tenet that drives your business's ability to grow and succeed. If you are on the long, arduous journey to build a client-side security program, I encourage you to check out our Inspector and PageGuard products. They are specifically designed to continuously scan your assets and protect your business from attackers executing JS attacks. If you would like to see our products in action, please request a demo.