Client-Side Runtime Application Security Defence

By -
edgescan vulnerability management
At edgescan we have built a pretty good continuous fullstack vulnerability management platform and have a list of very interesting clients across many verticals such as media, gaming, medical sciences, finance, cloud etc.

 We do a good job of finding, validating and risk assessing vulnerabilities across the full stack and helping our clients manage and protect their systems from a security breach and reduce Bugbounty costs...

 More Here: www.edgescan.com
An elephant in the room:
edgescan elephant


 Client Security

 One important part of security is a difficult "nut to crack" is client side security: 

 We don't know 
  • if a user is patched;
  • using an old insecure browser;
  • is infected or compromised 
We have not way of knowing the "health of our users" whom use our web applications. 

 A common vector of attack is not to attack a system or service but to attack users given they are generally less secure.

 To that end the product development team have built "edge-guard' which in effect detects client-side threats and anomalies.

 Many variants of malware use HTML rewriting / webinjects to redirect and steal credentials or other data by rewriting the browser pages displayed to a client.
Examples such as 
JQuery Rewriting
Mosquito


 edge-guard detects client side attacks within the browser or DOM and can inform you if your client is infected and a possible risk to your business. Attacks such as

  • HTML rewriting,
  • Form re-direction,
  • Link spoofing,
  • XHR DOM exfiltration, and
  • DOM/Reflected XSS

can be detected by notifying the monitoring service and its users intelligence such as
  • Type of infection, 
  • IP of client, 
  • time stamp, 
  • location of incident in application (page in application).
You can get a reference implementation here:



A video explaining the overall solution is here:




edgescan RSA

Comments

Post a Comment

Popular posts from this blog

By -
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA...
Read more

Edgescan and Huawei - Cybersecurity - Irish Times Article and Panel Discussion

By -
Image
I recently was interviewed by the Irish times on why is everything getting hacked and how can we change the game.... https://www.irishtimes.com/special-reports/cybersecurity-focus/criminals-have-an-inbuilt-advantage-in-the-great-cyber-arms-race-1.4651078  A recording of the Panel with Andy Purdy, CSO of Huawei North America. https://www.youtube.com/watch?v=cQJ1uSQ4IEk&t=33s Both are decent and worth a listen.
Read more

How Simple can it be.....XSS Prevention....

By -
Cross Site Scripting is sill a very common web vulnerability. Generally it is used to attack clients/users. It can be used for malware upload, botnet hooking, keylogging, a payload delivery system for clickjacking and CSRF attacks and much much more, all for 6 easy payments of $9.99...sorry got carried away there :) But is is easily preventable. You dont even have to know what XSS (type 0, type 1, type 2, DOM, Stored, Reflected) is to prevent it. One pretty simple way to prevent XSS is to use the OWASP ESAPI (Enterprise Security API). A very easy tool to use/invoke. It's also managed and attended to by Chris Schmidt ....A great guy... Regardless of what it does....if there was a mandate to use it on all redisplayed external input a site could become virtually XSS free!! (all for 6 easy payments of......). It's easy to deploy.... 1. Include in JSP (Java version) 2. Invoke in JSP 3. Job done!!! We include it by <%@ page import="org.owasp.esapi.ESAPI...
Read more