The Missing Link in Website Security

November 20th, 2019


The rapid acceleration of attacks on websites targeting the front-end or client-side necessitates an urgent reconsideration of website and web application security strategy

The three most important elements of any website or web application are the server (back-end), the network, and the client (front-end). Historically, web application security practitioners have focused almost exclusively on protecting the back-end by deploying a Web Application Firewall (WAF). Most website owners have also implemented HTTPS (Hypertext Transfer Protocol Secure) to protect the communication between the server and the client-side. HTTPS protects against a ‘man in the middle’ attacker sitting in the network. In fact, HTTPS adoption has gone from 7% in 2015 to nearly 60% today.

Regulatory mandates and prescriptive frameworks such as PCI-DSS (Payment Card Industry Data Security Standard) have driven significant adoption of WAF and HTTPS. While these strategies were sound in the past, they are no longer adequate to protect web applications against new and advanced attacks that target the client-side (front-end).

Historically, security organizations either did not consider the importance of protecting the client-side (front-end) or did not have a significant business need to do so. This is no longer the case. Modern web architecture relies on enabling third parties to access the client-side (front-end) of a web application. These third parties operate via largely unmanaged and unmonitored connections to provide richness (chat tools, images) or extract analytics (Google Analytics). Up to 70% of the code executing on websites today comes from such third parties. Additionally, organizations have great reason to care about leakage from vulnerable client-side connections, since the business and financial implications of losing customer data have never been greater. Consider that in 2013, Target lost approximately 41 million credit cards and was fined $18.5 million. In 2018 British Airways lost nearly 0.5 million credit cards (due to a front-end website attack) and was fined roughly $240 million (GDPR).

As evidenced by the accelerating pace of successful attacks, something remains unaddressed: nearly 7000 websites are compromised each month via Magecart, formjacking and cross-site scripting (XSS). All of these attacks target the client-side of a web application.

Re-thinking Website Security

As defined above, there are three security considerations for safeguarding your customer’s end-to-end website experience. Following the nomenclature of the widely referenced PCI-DSS framework, consider these as:

  • Data at rest
  • Data in motion
  • Data origination

Today, security frameworks and most security practitioners consider only two of these three when evaluating security capability.

“Data at Rest” refers to content that typically resides on owned servers, protected by massive security perimeters and on company-owned premises. This data includes PII, credit card numbers, financial information, and credentials. WAFs, firewalls and the like are deployed to provide effective defense for data at rest.

“Data in Motion” refers to data in transit. This is easily envisioned as this same sensitive data moving from a website form that captures PII, credit card information, credentials, etc. back to secure storage. Data in motion is often encrypted by HTTPS transactions. In fact, many security-savvy online consumers put a lot of faith in seeing the HTTPS designation as ensuring the end-to-end security of their online transactions.

Unfortunately, a security specification for securing the point of “Data Origination” is entirely missing. Data Origination is the point at which data is created as it is input into a website or web application. This data origination point is increasingly the browser, as a site visitor or online shopper enters information into a form, including user credentials, credit card numbers, healthcare data, financial data, etc. Such datasets are highly valuable to hackers. Consider the extreme lack of deployed client-side security measures that would protect this point of data origination, and it is easy to understand why attacks like Magecart, formjacking, and XSS are rapidly accelerating.

Much thinking has gone into the development of a set of standards-based security measures specifically designed to safeguard the client-side. These readily available and highly effective security measures include standards like CSP, SRI, Referrer-Policy, Trusted Types, HSTS and others. When deployed together, they not only offer comprehensive prevention but do so with near-zero impact on performance. It is past time for security practitioners to pay closer attention to the highly targeted point of data origination and begin diligent and immediate deployment of client-side security.