Tackling JavaScript Client-Side And Supply Chain Threats With Zero Trust Security

In today’s digital world, we rely on the internet for almost everything we do. But unfortunately, while the World Wide Web presents us with tantalizing opportunities to connect with people from all over the globe, it also presents cybercriminals with a whole new attack surface to exploit.

Web applications are apps that are delivered over the internet via a browser interface. They include word processors, spreadsheets, file editing tools, email clients and—importantly—websites with online forms and shopping carts, where users enter highly sensitive, personal information.

And the sensitivity of that information makes it a lucrative target for cybercriminals. Because of this, web applications are involved in 43% of all breaches, and 32% of all malware is distributed via the web. If an attacker manages to infiltrate a web application, they can steal data not only from the user whose sessions they’ve tapped into, but also from the company itself and its partners.

To find out more about how organizations can protect themselves and their customers against web-based and client side security threats, we spoke to Ivan Tsarynny, co-founder and CEO at Feroot Security. Tsarynny’s security journey began in the 90s, when he worked as a physical security guard, before his love of computers and information technology drew him to the world of virtual security. Now, instead of patrolling a plant or office to find security issues, Tsarynny searches for vulnerabilities in web applications and user journeys.  

Feroot was founded in 2017 in the privacy space. But, as the introduction of GDPR began binding privacy and security together, increasingly more of their customers began asking questions about how to secure the tools and scripts integrated with their SaaS platform—particularly those which interact with client user journeys. Now, Feroot enables organizations to monitor their web applications for potential third-party threats caused by integrations with third-party code, as well as monitor for anomalous behaviors within the user journey itself, and within any tools being used to understand and improve those user journeys, such as Mixpanel and Amplitude.

Web-Based Attacks Target Customers And Suppliers, Too

Many modern businesses interact with their customers online, delivering value and services through web applications. And the experience a user has when interacting with that website or application can have a huge impact on whether that user will return to use those services again. Think of it this way: if you went to do your shopping online, but had to log in separately for each item you wanted to add to your basket, you’d probably decide to use a different store, right?

A user-friendly interface and intuitive user journey can be valuable for your company. But some of the interactions users have with your business’ site can be valuable for attackers, too—especially if they involve payment information.

A lot of cloud-native organizations have some sort of security infrastructure in place, with backend measures such as firewalls implemented to protect their databases and perimeter. But they often don’t consider the threat posed from the client’s end of their interactions.

“We’re specifically seeing that attackers have designed malware to steal information from a user’s browser, or information that they’re typing into a form, like their login ID, credit card information, home address and so on,” says Tsarynny. “These attacks are broadly known as Magecart, but the more technical term is e-skimming or web skimming.”

Magecart is a syndicate of cybercriminal groups that specialize in skimming online payment forms for information such as credit card data. They do this by inserting a piece of JavaScript code—also called skimming malware     —into the form, which is usually supplied by a third-party or “supply chain” vendor. These third parties often integrate with thousands of websites to offer extended functionality (like payment gateways) so, if a supplier is compromised, Magecart is able to breach all integrated websites at once.

Often, victims are completely unaware that their website’s code has been changed, or that the third-party code they’ve integrated has been compromised. This allows the malicious code to run indefinitely, stealing customer information until it’s eventually detected.

“Then, there’s also session hijacking, session recording and session collision. There could also be malware embedded into browser extensions, or screen recording technology, where the script records the screen and sends it off to somebody else who could misuse that information.”

A Global Audience Is Harder To Monitor

Businesses are becoming increasingly aware of the security risks they face on a day-to-day basis, and one catalyst for that awareness is new compliance regulations mandating that organizations protect personal or sensitive data against loss, damage and theft. One of the best ways to achieve compliance is by implementing strong security processes at every level of your business’ infrastructure. And those that fail to comply can, in some cases, face devastating consequences, both in terms of reputational and financial loss.

“At the risk of sounding like I’m chasing an ambulance or creating fear, you could suffer big penalties for non-compliance,” says Tsarynny. “But there are also litigation costs and mitigation costs, and the cost of mandatory forensic investigations that have to be done.”

But, as digital transformation enables us to become a more digital-native world,  compliance and security have become yet more complex. Today, many organizations are struggling to secure their websites due to how widespread their audience is, Tsarynny says.

“One of the unique challenges that we’re hearing about is from security or compliance teams who deliver services online and have customers across the globe. And their user experience is open and personalized for each geolocation, whether that be that it’s localized or that they’re using different tracking tools.

“And they’re asking themselves, ‘What happens when users from France visit our site and use our web application? Or customers from California, or Canada, or the UK?’

“They need to know how users are interacting with the application, who’s taking their data, which borders that data is crossing, and who’s responsible for that data.”

This variability means that website profiling tools are forced to load different tags and scripts for each user that visits the site, in order to optimize their experience.

“Different offerings are loaded into the user sessions based on profiling,” Tsarynny says. These scripts could load the site in different languages, for example, or slightly different versions for desktop- or mobile-optimized viewing. And this means that the security team has an endless number of variables within their code to analyze when monitoring the client side JavaScript code for vulnerabilities or anomalous behavior in their code.

Feroot’s Solution: Proactive And Reactive Threat Detection

To help organizations combat these challenges and mitigate the threat of client side JavaScript supply chain attacks, Feroot’s platform offers a number of different security processes. The first of these is mapping the attack surface for each user journey.

“When you think about physical security, you walk around your site perimeter to make sure the doors you’re aware of are operating as they’re expected to. They’re closed, locked and secure, or they’re open and you’re keeping an eye on them. We do the same for the digital attack surface,” Tsarynny explains.

One of the challenges associated with user journey mapping is that they’re constantly changing, Tsarynny adds. Marketing teams add new tools, development teams add new pages, and so on. So inventorying assets to discover what changes have been made from one day to another is the first challenge. Then, once that inventory has been made, the business can check whether each asset is functioning as it should.

“We can show you what you have, where the gaps are, where the open back doors are and what’s going in and out of them,” Tsarynny says. “And then we can remediate that.”

But, on their own, reactive threat detection and remediation still leave open the possibility for an attack to run on your website in between scans. To combat this, Feroot also offers proactive threat prevention.

“There aren’t any security permissions built into the front end of a JavaScript environment. So, we help companies set permissions for scripts, almost like how you might set permissions for an app on your smartphone. You might allow an app to access your contacts and microphone, but you might not want it to access your location, for example. “We set permissions for scripts so they can or cannot read data in line with what the developers or security teams think they should be doing. We help them treat scripts and libraries like treating apps on your phone.”

How Zero Trust Applies To Web Application Security

Setting security permissions in this way is the best method of preventing attacks caused by unknown unknowns, Tsarynny says, because it enables security teams to apply zero trust principles to their web application layer. 

“Zero trust” refers to a security framework built on the principle that you shouldn’t automatically allow anyone—or anything—access to your data. During the last 18 months, as the global shift to remote working has led to identity being perceived as the new network perimeter, many organizations have taken a “zero trust approach” to their identity and access security, implementing solutions such as multi-factor authentication, single sign-on and password managers. But the identity space isn’t the only layer at which organizations can—and should—implement zero trust practices.

“In the front end, or the user journey’s code, the script is always changing,” Tsarynny says. “Even inside the same sessions, new scripts will be loaded through side loading and chain loading sequences.

“Let’s say you use an identity management system, and set permissions so that only scripts loaded by that identity management system are permitted to reuse your passwords. By default, everything else will be blocked from reading passwords, including Chrome extensions and anything else that’s loaded into the user session.

“Nothing is trusted by default; only one or two scripts that you set permissions for, based on their expected functionality. If a script needs to know what data is entered into a certain field, you can trust it. If it doesn’t, then it shouldn’t be trusted.”

The Road To Security Starts With Discovery

When it comes to combating client side and supply chain threats to your website or web applications, the first step to take is to discover what you’ve got, Tsarynny says.

“It always starts with discovery. Find the known unknowns and the unknown unknowns.

“In a web application, particularly when considering user journey security, that means finding out what data you’re collecting, what data you’re presenting to the users, what data might be desirable to attackers, what information is loaded, and who—or what—has access to that information, and could steal it.” After carrying out that inventorying process, it becomes much easier to keep track of what’s going on within your user journey, and to monitor the behaviors of each asset that interacts with it.

Thank you to Ivan Tsarynny for taking part in this interview. You can find out more about Feroot and their web security monitoring platform at their website and via their LinkedIn profile.