Page 146 - Cyber Defense eMagazine August 2024

The PWA security challenge

Functionally, PWAs turn almost every app into a browser, and teams need to better understand the specific and unique security issues that change invites. A typical modern website depends on dozens of third-party scripts from outside sources, scripts which are then executed in users’ web browsers. These code scripts enable all kinds of common and necessary functions, from chatbot interactivity to captchas to social media features to marketing monitoring and analytics. Collectively, this browser supply chain has been an increasing target for hacks. But with businesses now leveraging their website browser supply chains within their mobile apps as well, this security risk (which has affected major companies from British Airways to Kaiser Permanente) has expanded even more quickly in the past few months.



How to approach PWA security

Securing the browser supply chain to safeguard PWAs and end users’ data requires a thoughtful and comprehensive approach. An effective browser-side security strategy should include continuous monitoring and alerting of these third-party scripts, regular auditing, infrastructure protections, and employee security training.

More specifically, comprehensive monitoring should cover both registry monitoring and browser-side script monitoring, vet all script requests in real time, and detect and block any malicious activity as it occurs and before damage is done. Third-party scripts should undergo full code integrity checks every time they run—and absolutely before they are ever sent to a user’s browser. For registry monitoring, tools should be in place to proactively identify and eliminate threats, even before they reach the development environment. Sufficient monitoring should continuously scan the attack surface for threats, and provide immediate alerting and automated countermeasures when vulnerabilities, harmful scripts, and other active threats are surfaced.

Monitoring should also actively measure web script performance, which both surfaces anomalies and flags optimization opportunities that improve the experience for end users. (Additionally, logging is crucial for enabling detailed historical analysis, especially in the aftermath of an incident.) Studying these records provides key guidance for understanding the most acute risks and improving security protections going forward. Conducting code reviews and audits at a regular cadence will also help make sure every script supporting a PWA meets its organization’s established security requirements and policies.

On the infrastructure security front, implementing a web application firewall will detect and block inbound threats before they can reach web applications and exploit vulnerabilities. Organizations should also implement malware scanning to safeguard functionality such as form-based file uploads, or any other avenue where attackers might attempt to introduce malicious files or code. DNS security is also essential for preventing malicious attempts to hijack traffic and data.

Finally, regular security training must be provided to development and operations teams working on PWAs—continually keeping folks educated on the newest threats and evolving security safeguards. Even with tools in place, employees and their security awareness (or lack thereof) often still play a decisive role in whether attacks succeed or fail.




Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.