
Q&A: Supply-chain threats and client-side vulnerabilities
Attacks based on supply-chain compromise are on the rise, and the latest trends in app development are growing the attack surface for this kind of threat. Evolving client-side app protection technologies are an important factor in reducing cyber risk.
Fleming Shi is the Chief Technology Officer at Barracuda. With the recent launch of Barracuda Cloud Application Protection 2.0, along with the release of our 2021 State of Application Security report, we asked him a few questions about client-side security challenges and solutions.
Q&A with Barracuda CTO Fleming Shi
What are software supply chain attacks, and what accounts for the rapid growth of these attacks recently?
The software supply chain attacks that target applications are growing in large part because the attack surface for these threats has exploded. And that is the result of the latest trends in app development.
Traditional client-server web applications were developed to be self-contained on the client side, apart from data calls to your own server and occasional updates. You built your own widgets and designed the user experience using the tools you had.
But a major transformation has taken place before our eyes. To accelerate development, improve performance, and create cooler experiences, we’ve moved to using a whole lot of different third-party components that live on the client side and make calls to third-party servers.
For example, if your app uses geolocation, or presents your graph in animated 3D, or checks out your online purchases, it’s calling third-party services that deliver JavaScript and other data to be rendered on the client side. And if criminals compromise those third-party services, they can use them to embed malware that can attack every client instance, for example by skimming payment info or gathering credentials. Which, of course, can lead to very widespread and very costly data breaches or ransomware attacks.
And it’s important to understand that even though these attacks are relatively new—they first appeared in 2018—some of them are highly advanced and able to evade web vulnerability scanners. They’re growing in popularity, and they’re available as part of the mature cyber-threat economy. Hacker groups can easily buy an attack kit and get help customizing it to their needs from a dedicated customer-support channel.
What are the biggest challenges in securing against these attacks?
Well, once these scripts are added to your website, it’s very hard to get any top-down visibility on them because they are executed on the client-side browser or app. The attacks often go undetected for a long time and exfiltrate a lot of high-quality data.
The primary defenses in use today depend on strong content security policies. Unfortunately, these can be quite hard to configure correctly, and they are prone to false positives. Site scanning tools are another potential solution, but many of these scripts use obfuscation and anti-bot techniques to avoid detection.
Barracuda has released its 2021 State of Application Security report, based on a survey of global IT professionals. What stood out for you among its findings?
One thing that wasn’t a surprise is the finding that globally, 54 percent of respondents said they used third-party code in their web applications. A positive note is that many organizations recognize the risk of supply-chain attacks and are implementing security measures.
Content-security policy is the most common approach. Many are also using specialized tools such as JavaScript listeners and scanners. Some are using sub-resource integrity measures, but this is also quite difficult to set up and maintain.
Barracuda Cloud Application Protection 2.0 was launched recently. Can you explain how it helps secure against supply-chain attacks?
Barracuda Cloud Application Protection is a platform that’s built around our advanced, cloud-delivered web application firewall service, Barracuda WAF-as-a-Service. It brings together multiple capabilities that address specific issues, such as a threat-intelligence component, DDoS protection, advanced bot protection, API protection, identity and access control, and client-side protection.
Our client-side protection feature is built to automate the configuration of content-security policies and sub-resource integrity capabilities. This reduces errors and makes it much easier for IT teams to implement these measures and optimize effectiveness.
In addition, the active threat intelligence layer provides visualization and reporting to give admins more complete visibility into how scripts are used.
Client-side supply-chain attacks are going to continue growing—and developing better techniques to avoid detection—for the foreseeable future. Cloud Application Protection gives Barracuda a way to simplify staying ahead of these attacks by quickly implementing new countermeasures.
To get more info about Barracuda Cloud Application Protection, please visit our website.