Web application visibility is all about the insight and control application security professionals have into the software operating on the front end or client side. Sitting down to write about why web application visibility is important to JavaScript security, I was reminded of a folk song about coding that was popular back in the 1980s. (Yes, you read that right. A popular folk song about coding. Fans of Stan Rogers or listeners of the cult-favorite, syndicated radio show known as Dr. Demento may remember it.)
The song commiserates with the programmers of the 80s, caught in the everlasting monotony of the coding rat race, the “métro, boulot, dodo” (commute, work, sleep) as the French so eloquently put it. It struck me as a good illustration of how much the approach to coding has changed in the 40 years since.
How the Coding Process Has Changed Web Application Visibility
For many, this song encapsulated the life of a 1980s coder, under constant pressure to produce original code. Coding is different today. Organizations still put pressure on understaffed JavaScript developers to churn out innovative web application enhancements, and front-end developers work just as hard as they did 40 years ago, but the job itself has changed. Developers no longer write most of their code from scratch; they assemble applications from pre-written code and JavaScript libraries. Today's application code is a complex web of “yours, mine, and ours”: original code, reused code, inserted code, code from internal libraries, and code from third-party sources. That creates a visibility problem, particularly for the application security (AppSec) professionals who need to know whether the web application is secure or not.
Why Do AppSec Professionals Care About Web Application Visibility?
For threat actors, obfuscated code is a tried and true way of making sure malicious code achieves its intended result without being noticed. In web applications, attackers routinely obfuscate malicious scripts with techniques such as string obfuscation and Base62 encoding to hide the script's intent and evade signature-based string detection. Malicious scripts planted in JavaScript libraries are just as well hidden and just as hard to detect with traditional AppSec methods such as code review. For AppSec professionals, visibility is therefore a necessary and incredibly important part of the security process.
The end results of hidden malicious code are skimming attacks, such as Magecart and formjacking, and cross-site scripting (XSS).
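To make the point about signature evasion concrete, here is an added example (not code from the original article) showing why a literal string signature misses an obfuscated script while a few structural indicators of obfuscation still catch it. Both sample scripts are constructed for illustration and only assemble and log a string; the indicator weights and threshold are arbitrary choices for this example, not a published detection rule.

```javascript
// Added example: a small heuristic scorer for JavaScript that is likely
// string-obfuscated. Samples, weights and threshold are constructed for
// illustration, not taken from any real detection product.

// Naive signature check: looks for the literal DOM API a form skimmer touches.
function literalSignatureHit(src) {
  return /document\.forms/.test(src);
}

// Structural indicators typical of string obfuscation. Each has a weight; the
// weighted count (capped per indicator) is compared against THRESHOLD.
const INDICATORS = [
  { name: "fromCharCode", re: /String\.fromCharCode\s*\(/g, weight: 2 },
  { name: "eval-like",    re: /\b(eval|Function)\s*\(/g,    weight: 3 },
  { name: "atob/unescape", re: /\b(atob|unescape)\s*\(/g,   weight: 2 },
  { name: "hex-escape",   re: /\\x[0-9a-fA-F]{2}/g,         weight: 1 },
  { name: "long-literal", re: /['"][A-Za-z0-9+\/=]{40,}['"]/g, weight: 2 },
];
const THRESHOLD = 4;

function obfuscationScore(src) {
  let score = 0;
  const hits = [];
  for (const ind of INDICATORS) {
    const n = (src.match(ind.re) || []).length;
    if (n > 0) {
      score += ind.weight * Math.min(n, 5); // cap so one indicator cannot dominate
      hits.push(`${ind.name}x${n}`);
    }
  }
  return { score, hits };
}

function classify(src) {
  const { score, hits } = obfuscationScore(src);
  return {
    signature: literalSignatureHit(src),   // what a string signature sees
    obfuscated: score >= THRESHOLD,        // what the heuristics see
    score,
    hits,
  };
}

// Constructed sample 1: plain script that names the API directly.
const PLAIN = `var f = document.forms[0]; console.log(f && f.name);`;

// Constructed sample 2: same behaviour, but "document" is spelled with hex
// escapes and "forms" is built from char codes, so the literal
// "document.forms" never appears in the source and the signature misses it.
const OBFUSCATED = `var d=window["\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74"];
var p=String.fromCharCode(102,111,114,109,115);
var f=d[p][0];console.log(f&&f.name);`;

for (const [label, src] of [["plain", PLAIN], ["obfuscated", OBFUSCATED]]) {
  console.log(label, classify(src));
}
```

The plain sample trips the signature and scores zero on the heuristics; the obfuscated sample is the reverse. Real obfuscators vary their output, so a production detector layers many such indicators and, more importantly, observes what the script does at runtime rather than what it looks like.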
The 10 Components of Web App Visibility
There are 10 key components to web application visibility, whether the asset in question is an application, library, system, form, or body of code:
- Identify assets, such as applications, forms, systems, and data.
- Identify all technologies in use, including third- and fourth-party code sources.
- Know the asset’s purpose, intent, and operational elements.
- Know the technology’s purpose, intent, and operational elements.
- Identify who has access to those assets.
- Identify current security processes and controls over those assets.
- Assess the effectiveness of the asset’s security processes.
- Identify any likely threats or vulnerabilities in those assets.
- Identify compliance and regulatory implications (e.g., PCI, GDPR, or HIPAA) related to those assets.
- Codify a mitigation and remediation strategy for potential asset attack/breach.
Techniques & Tools to Improve Web App Visibility
Once you’ve identified your assets, there are numerous techniques and tools available to enhance web application visibility. Many have both benefits and limitations, and we’ll discuss a few here.
Client-Side Attack Surface Monitoring
Client-side attack surface monitoring solutions are a relatively new category of security technology that automatically identifies every web application asset and reports on the data each one accesses. They use headless browsers and synthetic users to navigate all of the JavaScript on a website's pages, gathering real-time information about how the site actually behaves from the end user's perspective. Because they observe the running page rather than static code, these tools have few limitations of their own and avoid many of the problems associated with the other web application visibility approaches described below; in practice they provide far better visibility than any of them.
If your business interacts with customers through web applications or webpages, client-side attack surface monitoring will help it stay ahead of client-side threats. These solutions condense manual work that typically takes security analysts and web application developers days into a few minutes, and with automated alerts and detailed issue enumeration they let security teams automate client-side security tasks to a degree no other client-side approach offers.
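As an added example of the asset-identification step behind the component list above and the monitoring approach just described (this is illustrative code, not the article's or any vendor's product), the following builds a first-pass inventory of the scripts a page loads and turns it into the findings an AppSec reviewer would act on. The page markup, the hostnames and the first-party origin are all constructed; the fingerprint is a cheap FNV-1a hash used only to show change tracking.

```javascript
// Added example: inventory the scripts on a rendered page, classify them as
// first- or third-party, and flag what a reviewer should look at. All inputs
// below (site origin, hostnames, markup) are constructed for illustration.

const SITE_ORIGIN = "https://shop.example"; // assumed first-party origin

// Constructed markup standing in for a rendered checkout page.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.net/lib/jquery-3.6.0.min.js" integrity="sha384-abc"></script>
<script async src="https://tags.example-analytics.com/tag.js"></script>
<script>window.__cfg = { checkout: true };</script>
</head><body>
<form id="payment" action="/pay"><input name="card"></form>
<script type="module" src="https://widgets.example-chat.io/loader.js"></script>
</body></html>`;

// FNV-1a 32-bit: a cheap, non-cryptographic content fingerprint so inline
// scripts can be diffed between crawls. A production inventory would store a
// SHA-256 of each fetched script body instead.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Regex extraction is enough for this constructed sample; a real crawler reads
// script elements from the DOM of the rendered page, which also captures
// scripts that other scripts inject at runtime (fourth-party code).
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
const INTEGRITY_RE = /\bintegrity\s*=/i;

function inventoryScripts(html, siteOrigin = SITE_ORIGIN) {
  const entries = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = m[1];
    const body = m[2];
    const srcMatch = attrs.match(SRC_RE);
    if (srcMatch) {
      // Relative URLs resolve against the site; absolute ones carry their own origin.
      const origin = new URL(srcMatch[1], siteOrigin).origin;
      entries.push({
        kind: "external",
        src: srcMatch[1],
        origin,
        party: origin === siteOrigin ? "first" : "third",
        sri: INTEGRITY_RE.test(attrs), // Subresource Integrity attribute present?
      });
    } else {
      entries.push({ kind: "inline", fingerprint: fnv1a(body.trim()), party: "first" });
    }
  }
  return entries;
}

// Findings a reviewer would act on: third-party scripts loaded without SRI
// (a compromised CDN or tag host can swap their content), the set of external
// origins a CSP must account for, and how many inline scripts exist.
function findings(entries) {
  return {
    thirdPartyWithoutSri: entries
      .filter(e => e.party === "third" && !e.sri)
      .map(e => e.src),
    externalOrigins: [...new Set(entries.filter(e => e.kind === "external").map(e => e.origin))],
    inlineCount: entries.filter(e => e.kind === "inline").length,
  };
}

console.log(JSON.stringify(findings(inventoryScripts(SAMPLE_HTML)), null, 2));
```

Run the same inventory on every crawl and diff the results: a new origin, a changed inline fingerprint, or a third-party script that lost its integrity attribute is exactly the kind of change the article argues goes unnoticed without continuous client-side visibility. Note that the static sample can only list what the markup declares; the analytics tag's own downstream loads are invisible until the page is executed in a browser.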
Penetration Testing
A penetration test, or pentest, is a deliberate, authorized attack on a system to uncover weaknesses and vulnerabilities. Pentesting can help AppSec professionals verify the security controls of a web application and turn up unknown bugs. However, it is a highly skilled, time- and labor-intensive activity that may require an external security service provider to carry out. A pentest also reflects the situation at a single point in time. Because web applications evolve constantly, with new features and enhancements and with third-party libraries that change and update regularly, pentesting offers only limited benefit for ongoing web application visibility.
Client-Side Vulnerability Scanning
Vulnerability scanners assess computers, software, applications, servers, and networks for known weaknesses and misconfigurations that attackers could exploit. They primarily scan back-end code and systems, the digital assets that live on the server side, and so cannot detect and enumerate the full range of web application vulnerabilities, in particular client-side JavaScript bugs. Scanners are also typically scoped to a single domain and do not follow the resources that domain loads from elsewhere.
Content Security Policies
A Content Security Policy (CSP) is a browser-enforced policy, delivered by the application in an HTTP response header, that helps identify and prevent the loading of unauthorized scripts in a web application. A well-built CSP can block dangerous scripts before an attack such as XSS, JavaScript injection, or e-skimming succeeds. Designed specifically around which scripts are permitted to run, CSP is an important tool. Used as the sole security control, however, it can leave a business exposed to e-skimming through misconfiguration, bypass techniques, and incorrect implementation.
Web Application Firewalls (WAF)
WAFs protect web applications by filtering and monitoring HTTP traffic between the application and the internet, and they are useful tools for increasing web application visibility. But because a WAF is an OSI layer 7 defense that protects against application-layer attacks on the server, it is not designed to protect the user interface running in the browser, and it will not stop advanced skimming attacks such as drive-by skimming, sideloading, and chainloading.
Which Web Application Visibility Solution Is Right for Me?
As most security professionals know, there is no 100% solution to protect and defend against attacks and data breaches. The ‘right solution’ is one that fits best with the organization’s needs and goals. The ‘right solution’ should also make the job of the AppSec professional easier, not more complicated.