How We Can Make The Modern Web Experience More Secure

Written by aanand-krishnan | Published 2020/02/22
Tech Story Tags: cybersecurity | cyber-security | cyber-threats | javascript | cyberattacks | browser-attacks | security-top-story | user-safety

TLDR In recent cyberattacks, Macy's, Smith & Wesson and UK retailer Sweaty Betty were hit with similar Magecart-style attacks to steal shoppers' personal information. Up to 70% of the code rendering on websites today comes not from the site owner’s server, but via JavaScript integrations. Because these integrations are largely unmanaged and unmonitored, they substantially expand the attack surface. Google was the first to recognize that the modern web would run on innovative, sophisticated, JavaScript-oriented applications.

In recent cyberattacks, three notable sites—Macy's, Smith & Wesson and UK retailer Sweaty Betty—were hit with similar Magecart-style attacks to steal shoppers' personal information. The message is clear: websites and web applications are vulnerable, and existing security deployments are not sufficient to safeguard against client-side attacks.

Why is this happening?
Modern web architecture creates an environment in which up to 70% of the code rendering on websites today comes not from the site owner’s server, but via JavaScript integrations operating outside the security controls the majority of site owners deploy. 
Web developers love these integrations for their dynamism and analytical capacity. Unfortunately, because these integrations are largely unmanaged and unmonitored, they substantially expand the attack surface, introducing significant risk to the business and its end-users.
But in a world where client-side JavaScript is used by 95% of all websites, how can you manage and secure against that risk? The problem is that most organizations are basing their web security strategy around monitoring the server—which made perfect sense 15 years ago. Today, the point of execution is in the browser—and that’s where today’s web security strategy has to go too.

Taking a Cue from Google

Google was the first to recognize that the modern web would run on innovative, sophisticated, JavaScript-oriented applications. They built powerful technologies into the browser, delivering the kind of functionality that previously required installed desktop executables (.exe files). 
As they built Gmail and Google Maps, they began to see potential security flaws in these new applications, long before anyone else did. So while they were pioneering these technologies, they began building the controls needed to protect them. 
Other companies innovating in this space did a great job of increasing functionality—without bridging the security gap that was opening up. And that’s the gap that cyberattackers like Magecart are looking to exploit.
If today’s web is built around client-heavy, JavaScript-based applications, it stands to reason that we should be using the same standards-based security for these applications.
These standards-based controls are native to all modern browsers and web application frameworks, but a shockingly low number of companies take advantage of them: only 2% of U.S. Alexa 1000 websites are adequately secured against the types of attacks that hit British Airways and Macy’s.

Attacking the Browser

If an attacker can get into the browser, they can unleash several modes of attack: they can compromise the server (which is what happened with British Airways), they can compromise any of those 3rd party applications we’ve just talked about (as well as the dependencies they might have on 4th and 5th parties) or they can compromise the client. 
What that means in practical terms is that they can steal data—as end-users enter it on a form (think credit cards, user credentials, healthcare information), via cookies or maybe data stored on local databases. They can also redirect users to a competitor or malicious site, show them competitor or malicious content or hijack their machines to use for crypto-mining.
Data at rest and data in motion are backed by established defenses like authentication, encryption and access controls. But on the modern web, the server is no longer doing the crunching; all it’s doing is sending JavaScript files.
The point of execution has shifted to the client, in the browser—what you really need is to protect the browser itself against attack. There are plenty of readily available and highly effective security measures (CSP, SRI, Referrer-Policy, and others).
Companies, however, have been slow to adopt them and often lack the resources to put these measures in place. Security teams don’t get the type of budget that marketing teams do, and there’s a significant gap in cybersecurity talent focused on application security.

We Need a New Way of Thinking

Closing those loopholes requires a shift in the way we think about web security. The web has changed so dramatically in the past decade, with people using it in ways we didn't imagine: think about the growth of the mobile web and the expanding Internet of Things.
Our security approaches haven't kept pace.
Every website can have the same security controls and policies that Google has in place to protect customer information. It's past time for security practitioners to pay closer attention to the highly targeted point of data origination and begin diligent and immediate deployment of client-side security.

Written by aanand-krishnan | CEO & Founder, Tala Security
Published by HackerNoon on 2020/02/22