Today, businesses live or die by their digital presence. Crafting the best digital experience means putting the end user first, which requires a delicate balance of technology and innovation. To achieve this balance, businesses make use of third-party code, tools, and cloud services combined with their own technology to drive down time to market. As a result, most modern web applications are a culmination of first-party and third-party technologies delivered from the cloud. While this has led to some really amazing digital experiences for users, it also has opened the floodgates to new attack vectors on the client-side of web applications. Where security practitioners have traditionally had to focus heavily on back-end security controls and protections, there is now a whole new attack surface that they are responsible for. Many of the existing web application or vulnerability scanners struggle to address this gap because they were built at a time when the client-side or front-end attack surface was very small and the majority of web applications were delivered from back-end services. One way that Feroot is addressing this gap has been through the use of synthetic users to enhance security.
What Is a Synthetic User and How Does it Help Security?
Simply put, a synthetic user is a blend of human and bot behavior to create the most human-like experience possible when interacting with a website or web application. This means striking a balance between understanding what humans process (visually) and what bots process (logically).
Let’s look at some of the differences between humans and bots today.
Human Users
Human interaction with the web is often simplistic and user interface driven. As humans we are visual creatures by nature and navigate websites and web applications through visual cues (like navigation bars). When building modern applications today, many businesses place a heavier emphasis on the user experience to ensure that humans have the best digital experience possible. This also means that we get really frustrated when links, videos, or other web elements don’t work the way we expect them to.
The problem with humans though is our inability to process large amounts of information. On a given webpage there are sometimes hundreds of elements that make up the entire page. This might also include hidden links or data that we just don’t see when using our browser. How, then, can we leverage computers or bots to aid us in building a better digital experience?
Bot Users
Unlike humans, bots are really good at processing data…and lots of it. But what good is processing all of that data if you can’t understand what it actually means? Let’s look at Google Bot as an example (one of the most sophisticated by any standard). Google Bot can crawl all different types of web pages, understand (some) JavaScript used by modern applications, and even process non-visual data like LD-JSON and meta elements in the head of a given web page.
All of these pieces of code provide the context that Google needs to determine what your web page is about and how they should rank it. What is missing from the process however, is the ability to understand risk. There are bots for search, performance, and observability covering a wide range of use cases. What about security though? Many vulnerability scanners can provide a cursory view of websites and web applications, but often fall short on the client-side aspect of security.
Synthetic Users for Security on the Client Side
Now that we’ve talked about humans and bots, let’s come back to the question at hand; synthetic users and more specifically how Feroot uses them. I could give you everyone’s favorite buzzword answer and tell you it’s “our machine learning and AI combined to create a synthetic user to scan web apps”…but that doesn’t really tell you anything. Instead let’s take a look at how this all comes together.
Training Data
Machine learning models depend on data—plain and simple. If we want to understand the complexity of the client-side in modern web applications, we need a solid set of data to make that happen. Using a combination of elements from the “human perspective” and the “bot perspective” we can blend the data together in a way that allows us to build custom scenarios that simulate how a user might interact with a given web application.
As an example, instead of just scanning a login page for a web application, we can simulate a user visiting the login page, logging in, and then being redirected to (presumably) an account page. Feroot allows you to create projects based on custom scenarios to ensure alignment with real-world digital experiences (and not just individual web pages). The more our synthetic user interacts with customer websites and web applications, the better the data.
Behavior Based Options
In addition to creating synthetic users based on training data, Feroot also has the ability to shape a synthetic user’s behavior. This is really important when interacting with modern web applications given the heavy use of JavaScript and client-side frameworks. For example, HTML links act differently than JavaScript based links. Additionally, not every user is going to be located in the same geographical location. Being able to specify where in the world you’d like a session to originate from helps localize the digital experience even further.
Enhancing Client-Side Security with Synthetic Users
We’ve been talking about synthetic users mostly in the context of being able to emulate a digital experience, but what about the application of this to the security domain? As mentioned earlier, the client-side of web applications has rapidly evolved to include a heavy reliance on third-party code and technologies. In some cases, organizations might not even realize all of the third-parties being used within their applications or what they have access to.
A key differentiating factor when it comes to client-side security is the ability to understand the entire threat model posed by a given web page. Using a synthetic user, not only can we see what threats are present on the page (similar to a vulnerability scanner) but we can take security one step further and provide insights into data access and data transfer initiated by all JavaScript present on a given page. This has huge implications when it comes to protecting customer data (through forms fields) and adhering to privacy requirements for regulations like GDPR.
As client-side security comes more into focus as part of an organization’s security program, enterprises will need to be able to see their full attack surface across both the client-side and their existing back-end (code and infrastructure). Digital transformation has pushed most companies to adopt the cloud over the last several years. Now companies are returning to their migrated applications and modernizing their architecture. Security teams need the visibility and controls to protect their client-side, just like they have done for their cloud infrastructure.
