How to Operationalize Client-side Security

July 25, 2020

Inventory Management

The discovery and ‘baselining’ of IT systems and processes is a critical attribute of any cybersecurity program. The web browser client-side is unique, but still worthy of such consideration. Most organizations struggle to find a single source of truth for client-side code security recommendations. A NIST CSF- or CIS-focused hardware and software inventory is the first priority. Discover it, manage it, secure it. It all starts, however, with ‘discovering it’.

Discovery

What makes client-side security unique is how to go about creating an inventory of web front-end architecture elements. What do you need to know about your front-end?

  • What data is going through the web front-end assets?
  • What sensitive data do they collect?
  • What sensitive data could get unnecessarily exposed in the process?
  • What application elements are touching your data (i.e., scripts and libraries)?
  • What third-party elements have access to the data that is going through the front-end?

A critical part of client-side inventory discovery and management is to determine which scripts that are no longer being used still have access to sensitive data, often referred to as ‘zombie scripts’. When a script becomes a ‘zombie’, it should be immediately quarantined, since it will be the easiest backdoor for a potential attacker to exploit. Why are static code analysis, dynamic code scanning, and manual review of the front-end code that touches critical data assets so challenging?

  • No two scripts are the same.
  • It is difficult to find all zombie scripts.
  • Total visibility into scripts being used and scripts that are not is difficult to achieve.
  • Visibility into security control and configuration variants is often difficult to establish.
  • It is difficult to block all access to sensitive data on the client side.

Change tracking

Web application browser front-end scripts are continuously changing. Security teams often lose the client-side battle because of code variability and dynamics. Since the front-end code changes for every user session, how can someone review all of those changes and determine what is exposed? Is a given change due to business logic, an application vulnerability, or a cyber incident? We see the same problems over and over in every customer environment that we review. Humans can't analyze millions of script changes at machine speed. Machines can track and spot anomalous behaviors in a way no human can. Machine-to-human ‘teaming’ is necessary.

A Place For Automation, Orchestration, and Communication

It is possible for machines (cyber technologies) to analyze the web browser front-end to first detect anomalous behavior, and then provide crystallized insights and contextual details to the security analyst. They can also help the analyst take defensive action to mitigate the relentless cyber-attacks on web applications and browsers. In this approach the machine's role is to build the picture for the security staff, providing the much-needed visibility into what is happening, and to help recommend suitable corrective actions.

In summary, client-side security is a unique potential cyber-attack surface that is often overlooked or missed by traditional application vulnerability and penetration testing methods. If you succeed in optimally protecting the client-side of your web applications, you will not just have created a more robust end user experience. You will also have enhanced your organization's overall business competitiveness, agility, and ability to continue to differentiate through innovation. Finally, and possibly most importantly, you will also better succeed in protecting your organization’s most critical and valuable assets: sensitive customer data.

We hope this technical resource regarding the client-side web risk surface has convinced you that it is important to find, monitor, and lock all backdoors within the application's web browser front-end, and to ensure that your customers’ critical data assets don’t become any attacker's newly harvested low-hanging fruit.

About authors

Ivan Tsarynny is CEO and co-founder of Feroot Security, Member GDPR Advisory Committee at Standard Council of Canada, and is based in Toronto, Canada.
David Mundhenk, CISSP, CISA, PCI QSA, PCIP, is a Principal Security Consultant for the Herjavec Group, and a founding member of the PCI Dream Team.