Today, businesses live or die by their digital presence. Crafting the best digital experience means putting the end user first, which requires a delicate balance of technology and innovation. To achieve this balance, businesses make use of third-party code, tools, and cloud services combined with their own technology to drive down time to market. As a result, most modern web applications are a culmination of first-party and third-party technologies delivered from the cloud. While this has led to some really amazing digital experiences for users, it also has opened the floodgates to new attack vectors on the client side of web applications. Where security practitioners have traditionally had to focus heavily on back-end security controls and protections, there is now a whole new attack surface that they are responsible for. Many of the existing web application or vulnerability scanners struggle to address this gap because they were built at a time when the client-side or front-end attack surface was very small and the majority of web applications were delivered from back-end services. One way Feroot addresses this gap is through the use of synthetic users to enhance security.
What Is a Synthetic User and How Does it Help Security?
Simply put, a synthetic user is a blend of human and bot behavior to create the most human-like experience possible when interacting with a website or web application. This means striking a balance between understanding what humans process (visually) and what bots process (logically).
Let’s look at some of the differences between humans and bots today.
Human interaction with the web is often simplistic and user interface driven. As humans we are visual creatures by nature and navigate websites and web applications through visual cues (like navigation bars). When building modern applications today, many businesses place a heavier emphasis on the user experience to ensure that humans have the best digital experience possible. This also means that we get really frustrated when links, videos, or other web elements don’t work the way we expect them to.
The problem with humans though is our inability to process large amounts of information. On a given webpage there are sometimes hundreds of elements that make up the entire page. This might also include hidden links or data that we just don’t see when using our browser. How, then, can we leverage computers or bots to aid us in building a better digital experience?
All of these pieces of code provide the context that Google needs to determine what your web page is about and how they should rank it. What is missing from the process however, is the ability to understand risk. There are bots for search, performance, and observability covering a wide range of use cases. What about security though? Many vulnerability scanners can provide a cursory view of websites and web applications, but often fall short on the client-side aspect of security.
Synthetic Users for Security on the Client Side
Now that we’ve talked about humans and bots, let’s come back to the question at hand: synthetic users and, more specifically, how Feroot uses them. I could give you everyone’s favorite buzzword answer and tell you it’s “our machine learning and AI combined to create a synthetic user to scan web apps”…but that doesn’t really tell you anything. Instead, let’s take a look at how this all comes together.
Machine learning models depend on data—plain and simple. If we want to understand the complexity of the client-side in modern web applications, we need a solid set of data to make that happen. Using a combination of elements from the “human perspective” and the “bot perspective” we can blend the data together in a way that allows us to build custom scenarios that simulate how a user might interact with a given web application.
As an example, instead of just scanning a login page for a web application, we can simulate a user visiting the login page, logging in, and then being redirected to (presumably) an account page. Feroot allows you to create projects based on custom scenarios to ensure alignment with real-world digital experiences (and not just individual web pages). The more our synthetic user interacts with customer websites and web applications, the better the data.
Behavior Based Options
Enhancing Client-Side Security with Synthetic Users
We’ve been talking about synthetic users mostly in the context of being able to emulate a digital experience, but what about the application of this to the security domain? As mentioned earlier, the client side of web applications has rapidly evolved to include a heavy reliance on third-party code and technologies. In some cases, organizations might not even realize all of the third parties being used within their applications or what they have access to.
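As an added example that is not Feroot’s own code, here is one way to implement the login scenario from the earlier section (visit the login page, log in, follow the redirect to the account page) and turn it into the third-party inventory this section is asking for: every script the post-login page loads, grouped by host and flagged when it comes from outside the first-party origin. It assumes Node with the Playwright package installed; the target URL, form selectors, and credentials are placeholders, and the sample capture at the bottom is constructed.

```javascript
// Added example, not Feroot's code: a synthetic-user scenario that logs in,
// follows the redirect to the account page, and inventories every script the
// post-login page loads, split by host. Assumes Node with `playwright`
// installed; URL, selectors and credentials are placeholders.

// Browser-free helper: group script URLs by host and flag those outside the
// first-party origin (subdomains of the first-party host count as first party).
function inventoryScripts(firstPartyOrigin, scriptUrls) {
  const firstHost = new URL(firstPartyOrigin).hostname;
  const inventory = new Map();
  for (const raw of scriptUrls) {
    let u;
    try { u = new URL(raw); } catch { continue; }          // skip malformed URLs
    if (u.protocol !== 'https:' && u.protocol !== 'http:') continue; // data:, blob:
    const thirdParty = u.hostname !== firstHost && !u.hostname.endsWith('.' + firstHost);
    const entry = inventory.get(u.hostname) || { thirdParty, count: 0, paths: [] };
    entry.count += 1;
    if (!entry.paths.includes(u.pathname)) entry.paths.push(u.pathname);
    inventory.set(u.hostname, entry);
  }
  return inventory;
}

function thirdPartyHosts(inventory) {
  return [...inventory].filter(([, e]) => e.thirdParty).map(([host]) => host).sort();
}

// Drive a real browser through the scenario and record every script request
// (the listener is registered before navigation so nothing loaded during login is missed).
async function runLoginScenario({ loginUrl, user, pass, accountUrlPattern }) {
  const { chromium } = require('playwright');   // assumed dependency
  const browser = await chromium.launch();
  const page = await browser.newPage();
  const scripts = [];
  page.on('request', (req) => { if (req.resourceType() === 'script') scripts.push(req.url()); });
  await page.goto(loginUrl);
  await page.fill('input[name="username"]', user);   // placeholder selectors
  await page.fill('input[name="password"]', pass);
  await Promise.all([page.waitForURL(accountUrlPattern), page.click('button[type="submit"]')]);
  await browser.close();
  return inventoryScripts(new URL(loginUrl).origin, scripts);
}

// Constructed sample capture (not real data) so the classification runs offline.
const sampleInventory = inventoryScripts('https://shop.example', [
  'https://shop.example/static/app.js', 'https://cdn.shop.example/vendor.js',
  'https://analytics.example.net/tag.js', 'https://analytics.example.net/tag.js',
  'https://widgets.example.org/chat.js', 'data:text/javascript,void 0',
]);
console.log('third-party script hosts:', thirdPartyHosts(sampleInventory));
```

Running the same scenario on a schedule and diffing the host list against the previous run is the simplest way to notice a new third party appearing on the account page.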
As client-side security comes more into focus as part of an organization’s security program, enterprises will need to be able to see their full attack surface across both the client-side and their existing back-end (code and infrastructure). Digital transformation has pushed most companies to adopt the cloud over the last several years. Now companies are returning to their migrated applications and modernizing their architecture. Security teams need the visibility and controls to protect their client-side, just like they have done for their cloud infrastructure.