Digital Security for Websites: Exclusive Talk with Pakistani Ethical Hacker
Rafay Baloch is no stranger to software vulnerabilities and third-party exploits. This globally-recognized Pakistani ethical hacker and cybersecurity expert, who has won multiple accolades on international platforms and publications like the Wall Street Journal and Forbes, recently sat down with Reflectiz to share his thoughts about digital security for websites. Read on to learn more.
Rafay Baloch – From a Budding Prodigy to a Global Influencer
This Pakistani security researcher started making the news when he was selected by Checkmarx as a “Top 5 Ethical Hacker of 2014”. This recognition came after Baloch exposed a series of Android bugs and a critical PayPal flaw (remote code execution) back in 2012, not to mention the unearthing of crucial vulnerabilities in multiple mobile browsers. He is now one of Asia’s biggest cybersecurity influencers.
Besides multiple Web Application Firewall vulnerability exposures (check out his WAF Evasion Cheatsheet), Baloch has been acknowledged by Apple and Google.
He was recently selected by Reflectiz as one of the Top 21 Cybersecurity Experts You Must Follow on Twitter in 2021. Make sure you check it out. Baloch is currently based in London on a prestigious Chevening Scholarship and pursuing his Master’s degree in Cybersecurity and Forensics, prior to which he served in a classified cyber-policy related advisory role for the Pakistani government.
Third-Party Web Applications – A Double Edged Sword
Over 95% of organizations now use dozens of third-party web applications on their websites to accelerate time-to-market and bypass the need for in-house web development. Furthermore, the average eCommerce website today embeds over 60 third-party services for tag management, advertising, marketing, social media management, analytics, and other business activities.
While these third parties save businesses a lot of time and resources, they also introduce a plethora of risks and compliance loopholes. We call these security blind spots: gaps between your AppSec standards and your actual data security. The cause is a lack of visibility into the dependencies and vulnerabilities the third parties introduce, which often leads to exploited software supply chains.
Baloch: “Client-Side Security is Hard to Achieve Today.”
When Rafay Baloch was asked about client-side security, he provided an insightful answer and started off by talking about the widespread use of Security Headers.
“Security headers have become common client-side security tools,” he said. “Browsers have implemented security headers for apps to prevent specific classes of bugs. But the very idea of developers solely relying upon security headers to address client-side security controls such as headers gives credence to the fact that they have failed to implement security at the proper place (i.e. the backend).”
Baloch went on to say that CISOs, CIOs, and developers should only treat security headers as a single layer of defense and should not look upon them as stand-alone client-side security solutions. He strongly believes that everything starts and ends with secure coding principles and practices. But he also acknowledged that third-party applications cannot be controlled like internal code.
“Client-side security has to be a multi-layered approach. There is no stand-alone cybersecurity solution today.”
“Software supply chain attacks have become a big challenge,” Baloch shared. “These risks arise from immense use of external scripts from third parties in modern-day apps. These third-party apps in turn rely upon fourth parties for executing critical functions. Compromise of any party in a supply chain could prove to be devastating and can allow an adversary to inject malicious code into your web application.”
Discussing Today’s Application Security Options
After discussing the issues with third-party application usage on websites, Rafay Baloch also took the time to discuss today’s Application Security options.
Reflectiz: What are your thoughts about Content Security Policies (CSPs)?
Baloch: CSPs don’t address the underlying problems that come from software-based supply chain attacks. By whitelisting a third party, you are effectively trusting the code that comes with it. Browsers have implemented Subresource Integrity (SRI) that can be used with CSP to ensure that the integrity of the external scripts is not changed. However, it still does not address risk coming from fourth parties.
To fix this, you would need to ensure that all parties in the chain use sub-resource integrity or a trusted chain, which requires a great deal of effort, time, and resources.
Reflectiz: As an ethical hacker, are Content Security Policies (CSPs) easy to bypass?
Baloch: CSP is difficult to implement, manage, and monitor in modern-day enterprise environments. Simply put, if the CSP is stringent, it will simply break the web application. On the other hand, if it’s too lenient, there will be bypasses. I see CSPs as a good thing to have, but only if you have the time and resources to properly manage them. From what I am seeing, this is often not the case.
Reflectiz: How do you recommend loading external scripts to websites securely?
Baloch: Addressing software-based supply chain attacks arising from external scripts requires a multi-tiered defense with an in-depth approach.
First of all, developers should aim at reducing the attack surface by including the least number of external scripts or not including them at all. Don’t look for the easy way out at any cost. Secondly, it is equally important for companies to know their supply chain, assess their security level and act accordingly. This has to be specifically addressed during the application design phase. Plan with security in mind.
“CSP should ideally be used with SRI, combined with a client-side monitoring solution with demonstrated efficacy.”
Reflectiz: What are your thoughts about Web Application Firewalls (WAFs)?
Baloch: Web applications are dynamic; WAFs are not. There is no WAF that I haven’t managed to exploit. You can read about my Sucuri WAF XSS Filter Bypass.
Third-Party Application Security – No Longer an Option
It became increasingly evident as the interview reached its conclusion that Baloch is a firm believer in a multi-layered application security approach, especially when it comes to third parties on websites. Besides minimizing third-party usage and developing code with high integrity, he strongly believes in well-configured CSPs, SRI integration, and ongoing monitoring of third- and fourth-party dependencies.