I’ve been fortunate to work for some of the most disruptive, category creating, cyber security startups over the course of the past nearly 15 years. I’m proud to say that joining Source Defense provides that same opportunity for addressing emerging risks and changing security for the better. As was the case with these other firms, Source Defense was founded by a small group of forward-thinking entrepreneurs who recognized dark clouds forming over the horizon and set out to do something about the impending storm.

Our founders were informed by their own experiences in dealing with high stakes security and data breaches for some of the largest organizations in the world. These incidents – which caused material financial losses in the form of response costs, fines and judgements – were driven through the mission critical web properties that fueled growth not only for their organizations, but that do so for virtually every enterprise in the world.

In uncovering the root cause of these incidents, they recognized a ubiquitous and majorly overlooked security gap – namely the ability for hackers to exploit vulnerabilities in the first, 3rd and nth party JavaScripts running on the client-side (the browser). These scripts are universally employed and much of the threat surface comes from the JavaScripts utilized by the website supply chain vendors being used to enhance user experience, engagement and drive analytic insights. Many of the world’s largest sites – likely including yours – have dozens of these vendors plugged in.

(Side note: many of the worlds’ largest website owners aren’t even aware of how pronounced their own risk is – but we can change that by producing a site risk report for you in a couple of days)

A Quick Primer on the Problem:

The problem is that logic is loaded and runs on the client-side (in the browser), beyond the protection of server-side security. Third-party Scripts have the identical level of control as the website owner’s own internal script. Every Script on the page, no matter its origin, has access and authorship capability, meaning they can change the webpage, access all information on it (including forms) and can even record keystrokes and save them.

All it takes is for the third-party vendor to be hacked and have its code changed. That code is dynamically downloaded from a remote server, which means that it bypasses the traditional server-side security infrastructure, including the website owner’s firewalls and WAFs. Website owners had limited means to dynamically detect the change and previously had no means to prevent it from exfiltrating data or executing other malicious activity from the customer’s browser.  Until Source Defense came along with its unique approach to JavaScript sandboxing and helped create what Gartner has defined as a new category called the Web App Client-Side Protection market, that is.

(Another side note: you can watch a quick video related to how these attacks work at the end of this blog.)

The same types of violations that have cost companies like British Airways tens of millions in GDPR fines.”

As the leader in this space, Source Defense is now protecting nearly a half a billion monthly site visits and transactions for some of the largest companies in the world. We’ve not only removed the risk and thwarted attacks for these early adopters, but we’ve prevented nearly 1.5 billion JavaScript violations of security & compliance policies from occurring in the process. The same types of violations that have cost companies like British Airways tens of millions in GDPR fines. The net-net, we can help eradicate both the primary and secondary forms of loss associated with these attacks. Using a first-of-its-kind patented technology based on machine learning and industry best practices, Source Defense provides its customers with a fully automated and dynamic set of rules and policies that control access and permissions of first party Scripts and of all JavaScript-based 3rd party tools operating on their website with close-to-none operational efforts.

Gartner on Web App Client-Side Protection

A few months ago, Gartner – the worlds’ foremost industry analyst firm – published a Hype Cycle report focused on the Application Security market. In the report, Gartner specifically analyzed what it now calls Web App Client-Side Protection. Their assessment is that the market for this new security focus is at the height of the hype cycle and that within the next 2 years or so, mass market adoption will be a reality.

Based on the volume of conversations we are having with leading brands in Retail, Financial Services, Healthcare, Hospitality, Ticketing and other sectors, we definitely agree – but don’t think that you can afford to wait even that long to tackle the problem given the sheer pace of client-side attacks

In 2020, there were 425 “Magecart” (read: client-side attacks) incidents per month. Targets of these attacks included household names such as Macy’s, Ticketmaster, the American Cancer Society, P&G’s First Aid Beauty, British Airways and many others.     

The barrier of entry for the scum that carry out these attacks is incredibly low – with Magecart exploit kits now selling on the Dark Web for around mere hundreds of dollars – and the knowledge of just how easily they can perpetrate these attacks is spreading.

Some of Gartner’s Thoughts – Some of Our Own

In its report, Gartner speaks to a few potential obstacles for adoption – all of which we’ve encountered in our conversations with clients and have helped them navigate around.

First, they point to the fact that the client-side security conversation is technically complex and that many organizations will need time to reach the conclusion that protection for client-side apps is needed.

Our thoughts: While we agree that this isn’t a topic that is currently at the top of the list for every security team (and it should certainly be), it is one that is rapidly gaining attention given the pace of and impact of attacks. We have a ton of happy clients you can speak with that can help you understand how and why they drove this as a priority – or you can take a read on any of our case studies – just drop us a line to get that conversation started!

Additionally, the great news is that the way Source Defense has architected its solution makes it likely one of the easiest to evaluate, own and operate that you’ve ever seen.

The next thing Gartner points to is something we’ve seen multiple times and can help you work through – namely that there are likely three different groups that would need to be involved in the decision process. Development, Security and Digital are the teams we encounter most often, and these are the same teams that Gartner highlights.

Our thoughts:  We find that this ultimately comes down to a joint decision between Security and Digital. Security has the ultimate goal of thwarting these attacks and Digital has a desire to be able to securely add in new partners without impacting either Security or Compliance postures. We can help you navigate your internal conversations and get everyone on the same page with a green light decision to deploy. That green light comes rather easy once the Digital team realizes that Security is enabling their business and that there are actually performance enhancements that come from deploying Source Defense – in the form of faster page loads. Can you imagine that? Telling a business stakeholder your security solution has added benefits? As another added bonus – we’ve seen many clients fast track their purchases when budget isn’t available from the Security team by working to use budget from the Digital team.

As with any enterprise security solution – there are stakeholders to consult. That said, we’ve helped navigate these internal conversations time and again and can help get over any roadblocks as a result.

Another key piece of advice that Gartner provides relates to what to do about the problem – but here is where they need to understand a little better what clients like you actually want and need. No fault to them, this is their early assessment and they’ll soon see the problem with the advice they’ve given the same way our clients did when evaluating approaches that differ from ours. They advise that you look at approaches that detect/monitor JavaScript and identify/alert/report on malicious or abnormal behavior.

Our thoughts:  As you take a look at the vendors in this space, you’ll see that the majority of  tools available can monitor and alert on potential malicious code in JavaScript running on the client side. But are they the answer to the problem or are they going to create more problems for you to deal with?

While it’s certainly better to know about a threat than not, these tools don’t prevent attacks from happening. They simply detect. The onus is then on your teams to investigate every alert, determine whether it represents a true threat, and remove the malicious code. This could result in massive overhead in responding to alerts, many of which will be false positives coming from abuse of power by your third parties. We’ve seen millions of examples of non-malicious incidents which would trigger solutions that detect and alert – meaning you’ll either be drowning your existing teams even further or needing to add dedicated resources at a time when finding people is a major challenge.  It is a step forward from where you are today – and there are times when detection only might be a good first step, but prevention by default is the ultimate solution to the problem. You may be able to stem the bleeding, but you’ve not prevented the attack from occurring – so despite noble intent and your investment, the risk to your organization isn’t fully mitigated.

Source Defense – the Web App Client-Side Protection Solution You Need!

Source Defense provides real time detection, protection and prevention from vulnerabilities originating in JavaScript. Our patented Website Client-Side Security Platform offers the most comprehensive and complete solution to addressing the threats and risk that comes from increased usage of JavaScript, libraries and opensource today. What you’ll love about Source Defense is that we do all of this without adding operational burden, without slowing time to market with new 3rd party capabilities, without generating thousands of alerts that must be investigated…and without impacting performance of the customer site experience.

We’re pretty cool tech that you should take a look at – and you should take a look at it now. Your peers are already making the investment, Gartner is signaling that this is something you need to have on your list, and we’re ready to help you today.

Drop us a line or
request a demo to see Source Defense for yourself!

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.