Why Web Application Visibility Matters for JavaScript Security

Web application visibility is about the view and control that application security professionals have over the software running on the front-end or client-side. As I sat down to write about the importance of web application visibility to JavaScript security, I remembered a folksong about coding that was popular in the 1980s. (Yes, you read that right. A popular folk song about coding. Fans of Stan Rogers or listeners of the cult syndicated radio show known as Dr. Demento might remember it.)

The song sympathizes with all the programmers of the 80s, caught in the monotonous daily grind of coding and programming – the “métro, boulot, dodo” (commute, work, sleep) – as the French so eloquently put it. This song struck me as illustrating how the approach to coding has changed over the past 40 years.

The song goes like this:

And that’s Ho, boys, can’t you code and program it right
Nothing ever happens in the life of mine
I’m uploading the data to the Xerox line.
Then it’s code in the data, punch the keyboard
Then cross-correlate and break for lunch
Correlate, tabulate, process and filter
Program, printing, regression to the mean;
And that’s Ho, boys, can’t you code and program it right
Nothing ever happens in the life of mine
I upload the data on the Xerox line


How the coding process changed the visibility of web applications

For many, this song sums up the life of a coder in the 1980s, under pressure to constantly create original code. But coding is different today. Organizations put pressure on understaffed JavaScript coders to regularly produce innovative enhancements to web applications. And while front-end developers are still working as hard as they were 40 years ago, the work itself is different. Developers don’t have to write as much code from scratch as before. Instead, they assemble apps from pre-written code and JavaScript libraries. Today, application code is a complex web of “yours, mine, and ours”: original code, reused code, inserted code, code from internal libraries, and code from third-party sources. This creates a visibility problem, especially for application security (AppSec) professionals who want to know whether the web application is secure.

Why do AppSec professionals care about web application visibility?

For hackers and threat actors, obfuscated code is a proven method of ensuring that their criminal actions achieve the desired results. In the case of web applications, hackers regularly obfuscate malicious scripts using techniques such as string obfuscation and Base62 encoding to hide criminal intent and circumvent signature-based string detection. Malicious scripts deployed in JavaScript libraries are also well hidden and difficult to detect using traditional AppSec methods, such as code reviews. So, for AppSec professionals, visibility is a necessary and incredibly important part of the security process.

The end results of hidden malicious code are skimming attacks, such as Magecart, formjacking, and cross-site scripting (XSS).
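As an added illustration of the point above (this is not code from the Feroot post), the script below shows why a plain signature check misses a string that has been encoded, and what a static triage pass can look for instead: decoding primitives, string-to-code sinks and long opaque literals. The indicator list, weights and threshold are assumptions chosen for the demo, and the three script samples are constructed and benign.

```javascript
// Added example: static triage of JavaScript source for obfuscation indicators.
// Indicators and weights are demo assumptions; tune them against your own corpus.

const INDICATORS = [
  { name: 'fromCharCode',       re: /String\.fromCharCode\s*\(/g,        weight: 2 },
  { name: 'atob',               re: /\batob\s*\(/g,                      weight: 2 },
  { name: 'eval',               re: /\beval\s*\(/g,                      weight: 3 },
  { name: 'FunctionCtor',       re: /\bnew\s+Function\s*\(/g,            weight: 3 },
  { name: 'hexEscapes',         re: /\\x[0-9a-f]{2}/gi,                  weight: 1 },
  { name: 'unicodeEscapes',     re: /\\u[0-9a-f]{4}/gi,                  weight: 1 },
  { name: 'longOpaqueLiteral',  re: /["'][A-Za-z0-9+/=]{40,}["']/g,      weight: 2 },
];

// Plain signature check: does the script literally mention a sensitive sink?
function signatureMatch(source, signatures) {
  return signatures.filter((s) => source.includes(s));
}

// Heuristic check: count obfuscation indicators and compute a weighted score.
function obfuscationScore(source) {
  const hits = {};
  let score = 0;
  for (const ind of INDICATORS) {
    const n = (source.match(ind.re) || []).length;
    if (n > 0) {
      hits[ind.name] = n;
      score += n * ind.weight;
    }
  }
  return { score, hits };
}

// Triage decision: flag for human review on a signature hit or a score at or
// above the threshold (threshold is a demo assumption).
function triage(source, signatures, threshold = 5) {
  const sigs = signatureMatch(source, signatures);
  const { score, hits } = obfuscationScore(source);
  return {
    signatureHits: sigs,
    score,
    hits,
    flagged: sigs.length > 0 || score >= threshold,
  };
}

const SIGNATURES = ['document.cookie', 'document.forms'];

// Constructed samples (benign; never executed, only scanned as text).
const PLAIN = `
  const c = document.cookie; // consent helper reading a cookie
`;
const ENCODED = `
  const k = String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101);
  const v = eval(k);
  const p = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvY29sbGVjdA==");
`;
const BENIGN_LIB = `
  export function add(a, b) { return a + b; }
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, src] of Object.entries({ PLAIN, ENCODED, BENIGN_LIB })) {
    console.log(label, JSON.stringify(triage(src, SIGNATURES)));
  }
}
```

The signature list catches PLAIN and misses ENCODED entirely, while the indicator score flags ENCODED and leaves BENIGN_LIB alone. A score like this is a triage aid, not a verdict: minified first-party bundles will also accumulate indicators, which is why the heuristic belongs next to an inventory of which scripts are expected on the page rather than in place of one.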

The 10 Components of Web Application Visibility

There are 10 key components of web application visibility for any application, library, system, form, or code asset:

  1. Identify assets, such as applications, forms, systems, and data.
  2. Identify all technologies used, including third-party and fourth-party code sources.
  3. Know the purpose, intent and operational elements of the asset.
  4. Know the purpose, intent and operational elements of the technology.
  5. Identify who has access to these assets.
  6. Identify current security processes and controls over these assets.
  7. Assess the effectiveness of asset security processes.
  8. Identify any likely threats or vulnerabilities to these assets.
  9. Identify compliance and regulatory implications (e.g., PCI, GDPR, or HIPAA) related to these assets.
  10. Codify a mitigation and remediation strategy for potential asset attacks/breaches.

Once you have identified your assets, many techniques and tools are available to improve the visibility of web applications. Each has advantages and limitations, and we’ll discuss a few here.

Client-side attack surface monitoring

Client-side attack surface monitoring solutions are a relatively new cybersecurity technology that automatically identifies all web application assets and reports their data access. These solutions use headless browsers and synthetic users to navigate through all the JavaScript contained on the website and web application pages. The technology collects real-time information about how the analyzed website is performing from the end user’s perspective. Client-side attack surface monitoring tools have minimal limitations because they avoid many of the problems associated with other web application visibility solutions. In fact, client-side attack surface monitoring solutions can provide much better visibility than any of the other solutions discussed below.

If your business interacts with its customers through web applications or web pages, client-side attack surface monitoring solutions will help it stay ahead of client-side cyber threats. These solutions condense manual processes that typically take security analysts and web application developers days into minutes. With automated alerts and detailed issue enumeration, they can enable security teams to automate client-side security tasks beyond any scope available with other client-side security approaches.
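To make components 1 and 2 of the list above (assets and the technologies they load) concrete, here is an added example, not Feroot’s tooling: a static first pass that inventories the scripts a page references, classifies each as first-party or third-party relative to the page origin, and notes whether the tag pins the file with Subresource Integrity. The checkout page HTML, the host name shop.example and the integrity placeholder are all constructed for the demo.

```javascript
// Added example: static script inventory for one page. Demo assumptions:
// the HTML and page URL below are constructed; "shop.example" is the first party.

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;
const INTEGRITY_ATTR = /\bintegrity\s*=\s*["']([^"']+)["']/i;

// Resolve a src value (absolute, protocol-relative or relative) against the page URL.
function resolveSrc(src, pageUrl) {
  return new URL(src, pageUrl);
}

function inventoryScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const scripts = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = m[1];
    const body = m[2];
    const src = (attrs.match(SRC_ATTR) || [])[1];
    if (!src) {
      // Inline scripts have no origin to attribute; record their size only.
      scripts.push({ kind: 'inline', bytes: body.trim().length });
      continue;
    }
    const url = resolveSrc(src, page);
    scripts.push({
      kind: url.origin === page.origin ? 'first-party' : 'third-party',
      origin: url.origin,
      path: url.pathname,
      // Without an integrity attribute, a changed upstream file loads unnoticed.
      hasIntegrity: INTEGRITY_ATTR.test(attrs),
    });
  }
  return scripts;
}

// Summarise what the page pulls in, grouped by origin.
function summarise(scripts) {
  const byOrigin = {};
  let inline = 0;
  for (const s of scripts) {
    if (s.kind === 'inline') { inline++; continue; }
    byOrigin[s.origin] = byOrigin[s.origin] || { kind: s.kind, count: 0, unpinned: 0 };
    byOrigin[s.origin].count++;
    if (!s.hasIntegrity) byOrigin[s.origin].unpinned++;
  }
  return { inline, byOrigin };
}

// Constructed sample checkout page; the integrity value is a placeholder.
const SAMPLE_HTML = `<!doctype html>
<html><head>
  <script src="/static/app.js"></script>
  <script src="//cdn.example.net/lib/ui.min.js"
          integrity="sha384-PLACEHOLDER"></script>
  <script src="https://tags.analytics-example.com/t.js" async></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="checkout"></form></body></html>`;

const PAGE_URL = 'https://shop.example/checkout';

if (typeof require !== 'undefined' && require.main === module) {
  const inv = inventoryScripts(SAMPLE_HTML, PAGE_URL);
  console.log(JSON.stringify(summarise(inv), null, 2));
}
```

A static pass like this only sees what is written into the HTML. A third-party tag that loads further scripts at runtime (the fourth-party code in component 2) never appears in the source, which is exactly the gap the headless-browser approach described in this section closes by executing the page and recording every script and data access as it happens.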

Penetration tests

A penetration test or pentest is a deliberate and authorized security attack to identify and uncover weaknesses and vulnerabilities. Pentesting can help AppSec professionals evaluate the security policies of web applications and find unknown bugs. However, pentesting is a highly skilled field that requires a lot of time and work, and may require an external security service provider to perform the tests. Pentests also only reflect the situation at a given point in time. Since web applications are constantly evolving with new features and enhancements, and include third-party libraries that are changed and updated on a regular basis, pentesting can only provide limited benefits when it comes to web application visibility.

Client-side vulnerability scanning

Vulnerability scanners assess computers, software, applications, servers, and networks to discover known weaknesses and misconfigurations that could be used by hackers for malicious purposes. Vulnerability scanners primarily work by scanning back-end code and systems, typically digital assets that reside on the server side. They are unable to detect and enumerate all web application vulnerabilities (most commonly JavaScript bugs). Vulnerability scanners can also only see a single domain, not all of the links within it.

Content Security Policies

Content Security Policies (CSPs) are policies enforced by the browser on the client side to help identify and prevent the addition of malicious scripts to web applications. CSPs can block dangerous scripts before an attack, such as XSS, JavaScript injection or e-skimming, occurs. When designed specifically with JavaScript authorization components, CSPs are an important tool. However, when used as the sole security control, CSPs can expose organizations to e-skimming due to incorrect configurations, circumvention techniques, and incorrect implementations.
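The “incorrect configurations” this section warns about are usually visible in the policy text itself. As an added example (not from the Feroot post), the checker below parses the script-loading part of a Content-Security-Policy header, reports the settings that undo its protection against injected scripts, and compares a weak policy with a tightened one. The policies, host names, the nonce value and the report-to group name are constructed for the demo, and the host matching in scriptAllowed is deliberately simplified (hosts only; ports, paths and nonce/hash evaluation are left out).

```javascript
// Added example: lint the script-src portion of a CSP header. Policies and
// host names are constructed for the demo.

// Parse "directive v1 v2; directive v3" into a map of directive -> values.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// The directive governing script execution, falling back to default-src.
function effectiveScriptSrc(policy) {
  if (policy['script-src']) return { directive: 'script-src', values: policy['script-src'] };
  if (policy['default-src']) return { directive: 'default-src', values: policy['default-src'] };
  return null;
}

function checkScriptPolicy(header) {
  const policy = parseCsp(header);
  const eff = effectiveScriptSrc(policy);
  const findings = [];
  if (!eff) {
    findings.push('no script-src or default-src: every script source is allowed');
    return { findings, policy };
  }
  const v = eff.values;
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is
  // only a finding when neither is there.
  const hasNonceOrHash = v.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (v.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push(`${eff.directive} allows 'unsafe-inline' without a nonce or hash: injected inline scripts run`);
  }
  if (v.includes("'unsafe-eval'")) {
    findings.push(`${eff.directive} allows 'unsafe-eval': string-to-code sinks such as eval() are permitted`);
  }
  for (const s of v) {
    if (s === '*' || s === 'https:' || s === 'http:') {
      findings.push(`${eff.directive} contains scheme/wildcard source ${s}: any host can serve scripts`);
    } else if (/^https?:\/\/\*\./.test(s)) {
      findings.push(`${eff.directive} contains wildcard host ${s}: every subdomain is trusted`);
    }
  }
  if (!policy['report-uri'] && !policy['report-to']) {
    findings.push('no report-uri/report-to: violations are blocked but never reported to the security team');
  }
  return { findings, policy };
}

// Would a script URL pass the effective script directive? Host matching only
// (demo simplification): ports, paths, nonces and hashes are not evaluated.
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const eff = effectiveScriptSrc(parseCsp(header));
  if (!eff) return true;
  const u = new URL(scriptUrl);
  return eff.values.some((s) => {
    if (s === '*') return true;
    if (s === 'https:' || s === 'http:') return u.protocol === s;
    if (s === "'self'") return u.origin === pageOrigin;
    if (s.startsWith("'")) return false; // other keywords, nonces, hashes
    const host = s.replace(/^https?:\/\//, '').split('/')[0];
    if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
    return u.hostname === host;
  });
}

// Constructed policies: a permissive one and a tightened one.
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https: https://*.example-cdn.net";
const STRICT = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example-cdn.net; " +
  "object-src 'none'; base-uri 'self'; report-to csp-endpoint";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', checkScriptPolicy(WEAK).findings);
  console.log('strict:', checkScriptPolicy(STRICT).findings);
}
```

The weak policy lets any HTTPS host serve scripts, so an injected tag pointing at an attacker-controlled host passes; the tightened policy limits scripts to the page origin, one named CDN host and nonce-tagged inline blocks, and reports violations so the security team actually sees them. Even then the checker is a review aid for the header, not a substitute for watching what the page loads at runtime.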

Web Application Firewall (WAF)

WAFs protect web applications by filtering and monitoring HTTP traffic between the application and the Internet. Web application firewalls are great tools for increasing the visibility of web applications. But because they are an “Open Systems Interconnection (OSI) Layer 7 defense mechanism” that protects against application layer attacks, they are not designed to protect the user interface at the browser level itself. And they don’t protect against advanced skimming attacks, such as card skimming, sideloading, and chainloading.

Which web application visibility solution is right for me?

As most security professionals know, there is no 100% solution to protecting and defending against attacks and data breaches. The “right solution” is the one that best fits the needs and objectives of the organization. The “right solution” should also make the AppSec professional’s job easier, not harder.

Learn more

If you want to learn more about the importance of web application visibility, check out these additional resources:

Blog: Client-Side Security Risk Management: The Root-Cause Solution Approach

E-book: The Ultimate Guide to JavaScript Security

Demo: Automated Client-Side Attack Surface Management

The post Why Web Application Visibility Matters for JavaScript Security appeared first on Feroot.

*** This is a Feroot Security Bloggers Network syndicated blog written by the Feroot Security Team. Read the original post at: https://www.feroot.com/blog/why-web-application-visibility-is-important-to-javascript-security/
