I’ve been fortunate to work for some of the most disruptive, category-creating cyber security startups over the course of the past nearly 15 years. I’m proud to say that joining Source Defense provides that same opportunity for addressing emerging risks and changing security for the better. As was the case with these other firms, Source Defense was founded by a small group of forward-thinking entrepreneurs who recognized dark clouds forming over the horizon and set out to do something about the impending storm.
Our founders were informed by their own experiences in dealing with high-stakes security and data breaches at some of the largest organizations in the world. These incidents – which caused material financial losses in the form of response costs, fines and judgements – came in through the mission-critical web properties that fueled growth not only for their organizations, but that do the same for virtually every enterprise in the world.
(Side note: many of the world’s largest website owners aren’t even aware of how pronounced their own risk is – but we can change that by producing a site risk report for you in a couple of days.)
A Quick Primer on the Problem:
The problem is that application logic is loaded and runs on the client side (in the browser), beyond the reach of server-side security controls. A third-party script has exactly the same level of control as the website owner’s own first-party script. Every script on the page, whatever its origin, has full read and write access to the document: it can change the web page, read all information on it (including form fields), and can even record keystrokes and save them.
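The flip side of that trust model is that a defender can at least enumerate and pin what the browser is being asked to run. As an added example (not code from the original post or from Source Defense), here is a small Node.js audit that inventories the scripts in a page, classifies each as first-party or third-party relative to the page origin, flags third-party scripts that carry no Subresource Integrity pin and inline scripts that cannot be pinned at all, and derives a Content-Security-Policy `script-src` allowlist from the result. The HTML, hostnames and integrity value are constructed samples.

```javascript
// Added example, not Source Defense code. Constructed sample page: one first-party
// script, two third-party scripts (one pinned with SRI), one inline script.
const SAMPLE_HTML = `
<html><body>
<script src="https://shop.example.com/js/app.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="https://cdn.widgets.example/chat.js"
        integrity="sha384-PLACEHOLDER_HASH_VALUE" crossorigin="anonymous"></script>
<script>window.dataLayer = [];</script>
<form id="checkout"><input name="card_number"></form>
</body></html>`;

// Pull every <script> tag out of the HTML and record where it comes from.
// A regex is enough for this audit; a real scanner would walk the DOM.
function inventoryScripts(html, pageOrigin) {
  const tagRe = /<script\b([^>]*)>/gi;
  const attr = (attrs, name) => {
    const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, 'i'));
    return m ? m[1] : null;
  };
  const out = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = attr(m[1], 'src');
    const integrity = attr(m[1], 'integrity');
    const origin = src ? new URL(src, pageOrigin).origin : pageOrigin;
    const thirdParty = origin !== pageOrigin;
    // Third-party code without an SRI pin can change on the vendor's server at any
    // time; inline code has no URL to pin and is fully trusted by the browser.
    const finding = !src ? 'inline script: cannot be pinned with SRI'
      : thirdParty && !integrity ? 'third-party script without integrity pin'
      : null;
    out.push({ src, origin, thirdParty, integrity, finding });
  }
  return out;
}

// Turn the inventoried origins into a CSP script-src allowlist: anything not on
// this list is refused by the browser, which is the enforcement half of the audit.
function scriptSrcDirective(inventory) {
  const origins = [...new Set(inventory.filter(s => s.src).map(s => s.origin))];
  return `script-src ${origins.join(' ')}`;
}

const sampleInventory = inventoryScripts(SAMPLE_HTML, 'https://shop.example.com');
console.log(sampleInventory.filter(s => s.finding));
console.log(scriptSrcDirective(sampleInventory));
```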
(Another side note: you can watch a quick video related to how these attacks work at the end of this blog.)
Gartner on Web App Client-Side Protection
A few months ago, Gartner – the world’s foremost industry analyst firm – published a Hype Cycle report focused on the Application Security market. In the report, Gartner specifically analyzed what it now calls Web App Client-Side Protection. Their assessment is that the market for this new security focus is at the height of the hype cycle and that within the next 2 years or so, mass market adoption will be a reality.
Based on the volume of conversations we are having with leading brands in Retail, Financial Services, Healthcare, Hospitality, Ticketing and other sectors, we definitely agree – but we don’t think you can afford to wait even that long to tackle the problem, given the sheer pace of client-side attacks.
In 2020, there were 425 “Magecart” (read: client-side attacks) incidents per month. Targets of these attacks included household names such as Macy’s, Ticketmaster, the American Cancer Society, P&G’s First Aid Beauty, British Airways and many others.
The barrier to entry for the scum that carry out these attacks is incredibly low – with Magecart exploit kits now selling on the Dark Web for mere hundreds of dollars – and the knowledge of just how easily they can perpetrate these attacks is spreading.
Some of Gartner’s Thoughts – Some of Our Own
In its report, Gartner speaks to a few potential obstacles for adoption – all of which we’ve encountered in our conversations with clients and have helped them navigate around.
First, they point to the fact that the client-side security conversation is technically complex and that many organizations will need time to reach the conclusion that protection for client-side apps is needed.
Our thoughts: While we agree that this isn’t a topic that is currently at the top of the list for every security team (and it certainly should be), it is one that is rapidly gaining attention given the pace and impact of attacks. We have a ton of happy clients you can speak with who can help you understand how and why they made this a priority – or you can read any of our case studies – just drop us a line to get that conversation started!
Additionally, the great news is that the way Source Defense has architected its solution makes it likely one of the easiest to evaluate, own and operate that you’ve ever seen.
The next thing Gartner points to is something we’ve seen multiple times and can help you work through – namely that there are likely three different groups that would need to be involved in the decision process. Development, Security and Digital are the teams we encounter most often, and these are the same teams that Gartner highlights.
Our thoughts: We find that this ultimately comes down to a joint decision between Security and Digital. Security has the ultimate goal of thwarting these attacks, and Digital wants to be able to securely add new partners without impacting either the Security or Compliance posture. We can help you navigate your internal conversations and get everyone on the same page with a green-light decision to deploy. That green light comes rather easily once the Digital team realizes that Security is enabling their business and that there are actually performance improvements that come from deploying Source Defense, in the form of faster page loads. Can you imagine that? Telling a business stakeholder your security solution has added benefits? As another added bonus, we’ve seen many clients fast-track their purchases when budget isn’t available from the Security team by using budget from the Digital team.
As with any enterprise security solution – there are stakeholders to consult. That said, we’ve helped navigate these internal conversations time and again and can help get over any roadblocks as a result.
While it’s certainly better to know about a threat than not, detection-only tools don’t prevent attacks from happening. They simply detect. The onus is then on your teams to investigate every alert, determine whether it represents a true threat, and remove the malicious code. This can result in massive overhead in responding to alerts, many of which will be false positives arising from your third parties overstepping the access they were given. We’ve seen millions of examples of non-malicious incidents that would trigger solutions that only detect and alert – meaning you’ll either be drowning your existing teams even further or needing to add dedicated resources at a time when finding people is a major challenge. It is a step forward from where you are today, and there are times when detection only might be a good first step, but prevention by default is the ultimate solution to the problem. Detection may let you stem the bleeding, but it has not prevented the attack from occurring – so despite noble intent and your investment, the risk to your organization isn’t fully mitigated.
Source Defense – the Web App Client-Side Protection Solution You Need!
We’re pretty cool tech that you should take a look at – and you should take a look at it now. Your peers are already making the investment, Gartner is signaling that this is something you need to have on your list, and we’re ready to help you today.
Drop us a line or request a demo to see Source Defense for yourself!
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.