July 25, 2020
The discovery and ‘baselining’ of IT systems and processes is a critical attribute of any cybersecurity program. The web browser client-side is unique, but still worthy of such consideration. Most organizations struggle with finding a single source of truth for client-side code security recommendations. A NIST CSF or CIS focused hardware and software inventory is the first priority. Discover it, manage it, secure it. It all starts, however, with ‘discovering it’.
What makes client-side security unique is how to go about creating an inventory of web front-end architecture elements. What do you need to know about your front-end?
A critical part of client-side inventory discovery and management is to determine which scripts have access to sensitive data but are no longer in use, often referred to as ‘zombie scripts’. When a script becomes a ‘zombie’, it should be immediately quarantined, since it will be the easiest backdoor for a potential attacker to exploit. Why are static code analysis, dynamic code scanning, and the manual review of front-end code that touches critical data assets so challenging?
Web application browser front-end scripts are continuously changing. Security teams often lose the client-side battle because of code variability and dynamics. Since the front-end code changes for every user session, how can someone review all of those changes and try to determine what’s exposed? Is it due to business logic, application vulnerabilities, or a cyber incident? We see the same problems over and over in every customer environment that we review. Humans can't analyze millions of script changes at machine speed. Machines can track and spot anomalous behaviors in a way no human can. Machine-to-human ‘teaming’ is necessary.
A Place For Automation, Orchestration, and Communication
It is possible for machines (cyber technologies) to analyze the web browser front-end to first detect anomalous behavior, and then provide crystallized insights and contextual details to the security analyst. They can also help one take defensive action in mitigating the relentless cyber-attacks on web applications and browsers. In this approach the machine's role is to build the picture for the security staff, providing the much-needed visibility into what's happening, and to help recommend suitable corrective actions.
In summary, client-side security is a unique potential cyber-attack surface that is often overlooked or missed by traditional application vulnerability and penetration testing methods. If you succeed in optimally protecting the client-side of your web, you will not just have created a more robust end user experience. You will also have enhanced your organization's overall business competitiveness, agility, and ability to continue to differentiate with innovation. Finally, and possibly most importantly, you will also better succeed in protecting your organization’s most critical and valuable assets: sensitive customer data.
We hope this technical resource regarding the client-side web risk surface area has convinced you that it is important to find, monitor, and lock all backdoors within the application web browser front-end, and to ensure that your customer’s critical data assets don’t become any attacker's newly harvested low-hanging fruit.