Why the client-side threat landscape matters to you as a trusted security advisor, and to your clients

October 21, 2020

Why position the client-side threat landscape to clients?

As a trusted security advisor, you are constantly looking at new threat areas, new threat landscapes, and new risks, because you are concerned not only about your customers' brand safety but also about your own reputation as a trusted security advisor.

The client side of web applications has become a complex and constantly changing attack surface, made up of multiple components (third-party scripts, tags and widgets) that are controlled by outsiders rather than by the site owner.

Why is the client-side of websites a lucrative attack surface?

The client side, or front end, of a web application, aka the 'digital user experience', actively ingests customer and user information at data input points, and that information can be very sensitive. Because the front-end code runs in browsers on unmonitored and untrusted devices, malware and malicious actors leverage application security flaws to capture credentials, financial transactions and payment card data, or abuse legitimate third-party vendor scripts to gain unauthorized access to sensitive data. These attacks are called client-side web skimming (or digital skimming) attacks.

Magecart-related client-side attacks have been confirmed to have breached tens of thousands of organizations, including Macy's, Ticketmaster, the American Cancer Society, P&G's First Aid Beauty, British Airways, Newegg, and many others that have reported successful digital skimming attacks. However, the vast majority of web skimming victims are small to medium-sized organizations with 50 to 1000 employees. The cost of a web skimming breach ranges from tens of thousands to hundreds of millions of dollars, and there is a high probability that it puts some victims out of business.

How to position the client-side threat landscape to clients?

Step 1. In the first step, you will position the new threat landscape, your role, and why the new threat landscape matters:

As a trusted security advisor, we are constantly looking at new threat areas, new threat landscapes, and new risks, because we are concerned about our clients' brand safety. As your trusted advisor, it is our responsibility to tell you about these new emerging client-side risks, which include Magecart web skimming, PII/ePHI exfiltration, and unsanctioned canvas fingerprinting.

More than 19,000 organizations, including high-profile international organizations, suffered client-side web breaches in 2019. Any organization in financial services, banking, e-commerce, healthcare, government, technology, or SaaS that offers services on its website without effective client-side security controls in place is potentially vulnerable.


Step 2. Having positioned the client-side threat landscape, your advisory approach, and the growing magnitude of the threat in the step above, you will now position the new service:

We have added a client-side security solution to our portfolio that we have started to roll out. You would be amazed at what it uncovers, especially on the client side of websites.

As your trusted advisor, we recommend that you include this in managing your threat landscape, and this is why: client-side web skimming attacks infect websites with malicious JavaScript, known as skimmers or JavaScript sniffers, that runs in the visitor's browser rather than on your servers, so it is invisible to traditional server-side security testing.

How to position the client-side security service to clients?

Step 3. In the third step, you will give a quick overview of what your service does:

The client-side security service specializes in protecting web applications and enterprise websites against client-side threats, helping organizations deal with web skimming attacks, data harvesting attacks, attempts to execute malicious code at the browser level, privileged access issues caused by legitimate and unsanctioned code, and much more. It deploys in hours, not months, and it does not take a rocket scientist to operate.

About the author

Ivan Tsarynny is CEO and co-founder of Feroot Security, a member of the GDPR Advisory Committee at the Standard Council of Canada, and is based in Toronto, Canada.

Discover and Analyze Assets


  • Identify all data assets across the client-side risk surface area of your web
  • Gain in-depth real-time visibility into risks within your dynamic client-side code
  • Autonomously enforce security and GRC controls across your client-side risk surface area
  • Increase productivity and accuracy of your web security testing