Securing the Client Side to Proactively Manage Cyber Risk

Feroot Security Inspector Customer Success Story: Gusto Payroll and HR

The Challenge


Computer Software,
Payroll & HR Services



To Gusto, keeping customer data secure is paramount. From its well-defined corporate security strategy and dedicated public webpage, Gusto views itself as a data custodian that is entrusted with, rather than entitled to, customer data.

Ever since its inception, Gusto has continuously improved and enhanced its ability to detect and defend the business and its customers from cyber threats. Being a cloud-first organization with an ecosystem of web applications and web pages to protect, Frederick “Flee” Lee, Gusto’s Chief Security Officer, and his team expanded their security strategy beyond traditional server-side security practices to enhance client-side security practices.

“A day doesn’t go by that you don’t hear about a new JavaScript-based attack on a company’s website or web application. We’re seeing attackers pivoting from traditional server-side attacks to client-side attacks. To protect our business from server-side threats, we needed to enhance our client-side security capabilities to stay ahead of the threat.”
Frederick “Flee” Lee, Chief Security Officer 

With e-skimming, formjacking, JavaScript injection, and Magecart-like attacks on the rise, Flee and his team learned that they needed a new way to gain even fuller visibility of their cyber risk across their websites and web applications. They needed to have a technology that could provide them with a full inventory of all first- and third-party scripts, an even clearer understanding of vulnerabilities impacting the client-side, and immediate alerts to cross-border data transfer and potential data exfiltration.

About Gusto

Gusto’s mission is to create a world where work empowers a better life. By making the most complicated business tasks simple and personal, Gusto is reimagining payroll, benefits, and HR for modern companies. Gusto serves over 200,000 companies nationwide and has offices in San Francisco, New York City, Denver, and Canada.

The Goal

Flee empowered Karlotcha Hoa, Gusto Security Engineer, to determine how to enhance their visibility into all of the scripts that make up their front-end web applications. Karlotcha outlined what capabilities a client-side security technology needed to have, in order for them to be able to successfully protect their client-side JavaScript web applications.

They included the ability to:
  • Automatically generate end-to-end visibility of all front-end assets and the code used to build them, in order to manage JavaScript inventory and version control.
  • Prioritize client-side errors and vulnerabilities based on severity and exploitability.
  • Create a workflow based on meaningful and actionable security insights between application security and development teams to streamline front-end security operations.
  • Conduct geo-based scans to ensure digital customer journeys adhere to regional compliance and privacy regulations.

The Choice

Karlotcha evaluated Feroot Security Inspector and ran an in-depth proof of concept (POC). The goal of the POC was to use Inspector to operationalize their client-side security capabilities, determine if the technology could uncover known unknown threats, and become the ‘glue’ that united the security and the front-end product development team for successful collaboration.

The Goal for Feroot Security Inspector
  • Identify and manage their web asset and JavaScript code inventory to reveal their client-side attack surface.
  • Ensure that their web applications are assembled in the user browser as expected.
  • Gain visibility by continuously testing and reporting on client-side web assets, to detect and remove threats and vulnerabilities (such as JavaScript injection attacks).
  • Align the application security and front-end product development teams.

The Outcomes

After a thorough evaluation of Inspector’s features and functionality, Karlotcha and Flee chose Feroot Inspector for Gusto to secure their client-side web applications. Inspector was quickly provisioned to gain end-to-end visibility of the makeup of their web applications, detect JavaScript vulnerabilities and threats, automate client-side security tasks, and integrate Feroot with existing security technologies and processes. Inspector enabled Gusto to:

  • Gain a greater overview of their client-side attack surface, by building an inventory of all first- and third-party scripts used to build their web applications.
  • Reduce cyber risk by enhancing front-end threat detection and mitigation capabilities.
  • Uncover unauthorized trackers on web applications and remove them to ensure customer security.
  • Enact client-side security testing processes to maintain continuous web application security.
  • Integrate client-side security workflows to operationalize client-side security, thereby reducing application security to front-end development issue resolution latency.
  • Complement data privacy and data security projects with client-side data transfer alerting and protection.

The Feedback

Learn about how you can protect your client-side with Feroot Security Inspector & PageGuard

Request a demo today and we’ll show you how to implement client-side security practices.

More success stories made possible by Feroot client-side security