How DomainGuard Works

To date, security analysts and web application developers have had to manage Content Security Policies (CSP) on their web applications and websites by hand. Manual CSP work can be so arduous that many organizations set a policy once and forget about it, ignoring violation reports or not knowing which violations to act on. A stale or over-permissive policy leaves the client side of the application open to attack. Feroot Security developed DomainGuard to ease the manual burden of CSP deployment, testing, and management, and to make violation reporting and policy tuning straightforward.

The CSP Problem

It’s a common misconception that all it takes to deploy CSP successfully on your web application or website is to write a policy and configure your web server to return it in the Content-Security-Policy HTTP header. Generating a generic CSP for a web application is easy: a policy is a series of directives, each describing what is permitted for one resource type (scripts, images, connections) or one policy area (framing, form submission). But will that CSP actually work for your specific web application? Is it too permissive to block anything, or so strict that it breaks legitimate resources? If the marketing team adds another widget to the website, will the policy still work? And if you audit the CSP, will you be able to tell why and where it failed?

The real work begins after the header is set: testing the policy, collecting and triaging violation reports, and continuously tuning the policy so that it keeps delivering its security benefit.

Tailor-Made Policy Generation

DomainGuard crawls your web application and drives it with synthetic users to build an end-to-end picture of the application: its scripts, the data it collects, and how it operates. From the data returned by that scan, DomainGuard generates a CSP tailored to the security requirements of the scanned application.

DomainGuard then evaluates the generated CSP against the scan data to bring the number of policy violations as close to zero as possible before anything is deployed. The security analyst or web application developer can therefore put the best available CSP straight into production rather than testing it in a development environment first. Businesses no longer have to push a CSP to production to find out whether it works: the generated policy has already been tested.

Violation Reporting and Policy Optimization

Businesses deploy Content Security Policies on their web applications and websites to block and report cross-site scripting, JavaScript code injection, and a variety of data-skimming attacks. To gain these security benefits, the policies need to be monitored and improved continuously. Web applications are dynamic: they evolve or get modified almost daily. First- and third-party scripts change at the drop of a hat, and marketing teams add new features, pixels, trackers, and other elements to web pages at will. To stay ahead of client-side threats, security teams need an initial CSP they are confident in, then they need to track violation reports over time, change the policy proactively, and keep tuning it to close the doors that cyber adversaries can exploit.

The DomainGuard reporting dashboard shows which types of client-side attacks or violations the deployed CSP is preventing, which violations need to be investigated, and how to adjust the CSP to strengthen your web application defenses. DomainGuard also retains every violation report, so security teams accumulate adversary data that informs their client-side security posture.
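The three mechanical pieces behind the workflow described on this page can be shown in a few dozen lines: the directive structure of a policy and the "marketing adds a widget, does it still load?" check from The CSP Problem, the pre-deployment test from Tailor-Made Policy Generation, and the violation aggregation and tuning from this section. The following Node.js code is an added illustration written for this page; it is not DomainGuard's code or Feroot's method. The policy, page origin, crawl-derived "known origins", violation reports, and the `/csp-reports` endpoint are all constructed. Source matching is a simplification of the CSP3 source-expression rules (nonces and hashes are not evaluated, and the http-to-https upgrade rule is omitted), and the report-only header uses `report-uri`, which browsers still honour alongside the newer `report-to`. The tuning rule is one reasonable policy, not the product's: an origin the crawl already observed is allow-listed; everything else, including `inline` and unknown hosts, is held for investigation, since that is where a skimmer would appear.

```javascript
// Added example, not DomainGuard's code. Parses a CSP, checks whether a new
// resource would be allowed, aggregates report-uri style violation reports and
// proposes a tuned policy. All policies, origins, URLs and reports are constructed.

// "script-src 'self' https://cdn.example.com; img-src *" -> Map(name -> [sources]).
// A repeated directive is ignored, as browsers do.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Does one source expression match a URL loaded by a page at pageOrigin?
// Simplified CSP3 matching: no nonce/hash evaluation, no http->https upgrade rule.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes: not URL matches
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme ? url.protocol !== `${scheme.toLowerCase()}:` : !['http:', 'https:'].includes(url.protocol)) return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.') ? !url.hostname.endsWith(h.slice(1)) : url.hostname !== h) return false;
  const urlPort = url.port || { 'http:': '80', 'https:': '443' }[url.protocol] || '';
  if (port === undefined ? url.port !== '' : port !== '*' && urlPort !== port) return false;
  if (path && !(path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path)) return false;
  return true;
}

// Fetch directives fall back to default-src when absent (frame-ancestors, sandbox etc. do not).
function effectiveSources(directives, directive) {
  return directives.get(directive) ?? directives.get('default-src') ?? ['*'];
}

// The "marketing adds a widget" question: would this load pass the current policy?
function isAllowed(directives, directive, urlStr, pageOrigin) {
  const url = new URL(urlStr);
  return effectiveSources(directives, directive).some((s) => sourceMatches(s, url, pageOrigin));
}

// Group violation reports ({"csp-report": {...}} bodies) by directive and blocked URI.
function aggregateReports(reports) {
  const groups = new Map();
  for (const { 'csp-report': body } of reports) {
    const directive = (body['effective-directive'] || body['violated-directive']).split(' ')[0];
    const blockedUri = body['blocked-uri'];
    const key = `${directive} ${blockedUri}`;
    const g = groups.get(key) ?? { directive, blockedUri, count: 0 };
    g.count += 1;
    groups.set(key, g);
  }
  return [...groups.values()];
}

// Tuning rule (assumed, not the product's): an origin the crawl already saw is allow-listed
// under the directive that blocked it; 'inline', 'eval' and unknown hosts go to investigation.
function tunePolicy(policy, reports, knownOrigins) {
  const directives = parseCsp(policy);
  const toInvestigate = [];
  for (const { directive, blockedUri } of aggregateReports(reports)) {
    let origin;
    try { origin = new URL(blockedUri).origin; } catch { origin = null; } // 'inline'/'eval' throw
    if (origin === null || !knownOrigins.has(origin)) { toInvestigate.push(`${directive} ${blockedUri}`); continue; }
    // Copy the fallback list first: a new specific directive replaces default-src entirely.
    const sources = [...effectiveSources(directives, directive)];
    if (!sources.includes(origin)) sources.push(origin);
    directives.set(directive, sources);
  }
  return { policy: serializeCsp(directives), toInvestigate };
}

// Stage a candidate policy in report-only mode: nothing is blocked, every violation is reported.
function reportOnlyHeader(policy, reportEndpoint) {
  return { 'Content-Security-Policy-Report-Only': `${policy}; report-uri ${reportEndpoint}` };
}

// --- constructed sample data ---
const PAGE_ORIGIN = 'https://shop.example.com';
const BASE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data:";
const KNOWN_ORIGINS = new Set(['https://tags.marketing-vendor.example', 'https://api.example.com']); // "seen by the crawl"
const report = (directive, blockedUri, violated = directive) => ({
  'csp-report': { 'document-uri': `${PAGE_ORIGIN}/checkout`, 'effective-directive': directive,
                  'violated-directive': violated, 'blocked-uri': blockedUri },
});
const SAMPLE_REPORTS = [
  report('script-src', 'https://tags.marketing-vendor.example/pixel.js'),
  report('script-src', 'https://tags.marketing-vendor.example/pixel.js'),
  report('connect-src', 'https://api.example.com/cart', 'default-src'),
  report('script-src', 'https://skimmer.example.net'), // cross-origin: browsers report the origin only
  report('script-src', 'inline'),
];

function demo() {
  const d = parseCsp(BASE_POLICY);
  const tuned = tunePolicy(BASE_POLICY, SAMPLE_REPORTS, KNOWN_ORIGINS);
  return {
    widgetAllowed: isAllowed(d, 'script-src', 'https://cdn.example.com/widget.js', PAGE_ORIGIN),
    pixelAllowed: isAllowed(d, 'script-src', 'https://tags.marketing-vendor.example/pixel.js', PAGE_ORIGIN),
    tuned,
    staging: reportOnlyHeader(tuned.policy, '/csp-reports'),
  };
}

if (typeof module !== 'undefined' && require.main === module) console.log(JSON.stringify(demo(), null, 2));
```

Running the file prints the tuned policy with the marketing pixel's origin added to `script-src` and a new `connect-src` copied from `default-src` before `https://api.example.com` is appended, while `https://skimmer.example.net` and `inline` are listed for investigation rather than allow-listed. The `staging` header is what to ship first: a `Content-Security-Policy-Report-Only` policy reports everything the enforcing header would block without breaking the page, which is the cheapest way to confirm a generated policy really is at zero violations on live traffic.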

Want to see DomainGuard in action?