Introduction
Web Client Runtime Security (WCRS) refers to the security or behavior of the code executed in users' internet browsers during their web interactions.
The first part of this series discussed why WCRS as a security discipline warrants specific attention in addition to traditional web application security solutions. The second article covered the limitations of traditional security solutions in addressing WCRS risk and proposed implementation options in terms of newer security mechanisms or solutions. This third and final article includes seven suggested steps or activities that organizations may find useful in operationalizing their WCRS programs or capabilities. These steps should provide a potential roadmap for organizations to obtain meaningful outcomes from WCRS solution implementation efforts.
Step 1: Discovery
The first step in implementing WCRS solutions is to conduct a thorough discovery phase covering all web applications and their associated third-party scripts. This involves creating an inventory of web assets and mapping out all dependencies, including those introduced by third-party services. By understanding the full scope of the application environment, organizations can identify key web applications that need to be protected and prioritize security efforts accordingly. The discovery phase is critical because it sets the foundation for subsequent steps and ensures that no critical assets are overlooked and left unprotected. The main objective of this step is to identify all web applications and their monitoring requirements.
This effort could leverage configuration management databases (CMDB) as a starting point. However, CMDB records are not always accurate or up to date. Implementation teams may therefore need to perform domain name system (DNS) and IP-based discovery against internet and intranet networks, as such actions can uncover additional undocumented applications that may require protection.
Step 2: Prioritization of Web Applications
When the discovery phase is complete, organizations should prioritize web applications for WCRS monitoring based on their risk profile. Factors such as the sensitivity of data handled, the volume of user traffic, and the criticality of the application to business operations should be considered. High-risk applications should receive immediate attention, while lower-risk applications can be addressed in a phased manner. This prioritization ensures that resources are allocated effectively, initially focusing on the most critical areas to maximize security impact.
Step 3: Justification and Minimization of Third-Party Scripts
Organizations should assess the necessity of each third-party script and remove or replace those that are non-essential or pose significant risk. In other words, organizations should prioritize minimizing their attack surface, as reducing the attack surface is a key aspect of WCRS. This involves evaluating the functionality provided by third-party scripts against their security implications and seeking alternative solutions where possible. By minimizing the use of third-party scripts, organizations can reduce the likelihood of vulnerabilities being introduced and improve overall security.
Step 4: Policy Development
Organizations should establish policies designed to block unwanted scripts and behaviors by implementing automated technical controls, such as WCRS vendor solution policies, Content Security Policy (CSP),[1] Subresource Integrity (SRI) checks,[2] and other security measures. Vendor solutions that enable behavior-based policies should be leveraged to block high-risk behaviors such as keystroke logging and to limit access to sensitive data fields to a specific group of trusted scripts. These policies should be designed to balance security with operational needs, ensuring that legitimate business activities are not disrupted. Regular reviews and updates to these policies are necessary to adapt to evolving threats and changes in the web application environment.
Step 5: Alerts and Response to Changes
Timely detection and response to security incidents are crucial for maintaining a strong security posture. Organizations should implement mechanisms for real-time alerting and monitoring of changes to client-side scripts and behaviors. This involves adapting security policies to reduce false positives and ensuring that the volume of alerts received by security operations staff is commensurate with the size of their team. Clear response protocols and escalation paths should also be established, enabling security teams to quickly address incidents and mitigate potential risk. Last, it is important to ensure continuous monitoring and adaptation of these processes in order to maintain an effective security response over time.
Step 6: Third-Party Risk Management
Managing risk associated with third-party scripts requires close collaboration with vendors and adherence to regulatory guidelines. Organizations with Payment Card Industry Data Security Standard (PCI DSS) compliance obligations should follow the latest PCI requirements[3] and guidance on engaging third parties for script integrity checking and ensure that vendors are aware of their impact on security. On 1 August 2019, the PCI Security Standards Council issued a bulletin[4] addressing the threat of online skimming to payment security. This bulletin underscores the critical need for third parties to understand their role in securing payment pages, a message that remains highly relevant for organizations today. Additionally, organizations should refer to guidance from the US Office for Civil Rights (OCR) regarding the protection of protected health information (PHI).[5] By maintaining robust third-party risk management practices, organizations can ensure that their security measures extend beyond their own infrastructure.
Step 7: Governance and Accountability
Establishing a governance framework and regular reporting mechanisms is essential for maintaining oversight and accountability for WCRS efforts. This involves defining roles and responsibilities, setting security objectives, and tracking progress against these goals. Regular reporting to stakeholders provides visibility into the effectiveness of security measures and highlights areas for improvement. Continuous improvement processes should be implemented to allow security practices to evolve in response to emerging threats and changes in the regulatory landscape. By maintaining strong governance and reporting structures, organizations can ensure that WCRS remains a priority and is effectively managed over time.
Organizations should consider implementing governance dashboards, such as the one shown in figure 1. These dashboards may include click-through functionality, allowing stakeholders such as line of business (LOB) and technology (LOT) owners and information security, compliance, and internal audit teams to readily review the underlying information or data for their respective needs.
Figure 1—Example WCRS Dashboard
Conclusion
WCRS is crucial for any website utilizing third-party code. Given the increasing complexity and functionality of modern websites, it is nearly impossible for commercial sites to avoid the use of third-party code during client interactions. As a result, ensuring robust WCRS measures is essential for maintaining website security.
The authors hope that the solutions covered in the second article of this series, along with the operationalization strategies outlined in this final installment, offer readers comprehensive guidance regarding the next steps for implementation within their respective organizations.
Endnotes
[1] Mozilla Foundation, “Content Security Policy (CSP),” 10 January 2017
[2] Mozilla Foundation, “Subresource Integrity,” 21 September 2015
[3] PCI Security Standards Council, PCI DSS: v4.0.1
[4] PCI Security Standards Council, “The Threat of Online Skimming to Payment Security,” 1 August 2019
[5] U.S. Department of Health and Human Services, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” USA, 1 December 2022
Sergei Vasilevsky, CISSP
Is the founder and president of ILIAM Consulting. Sergei has over 20 years of cybersecurity consulting experience, beginning at a Big 4 for 7 years. ILIAM Consulting provides customized cybersecurity and compliance solutions related to application security architecture, vulnerability management, identity and access management, and regulatory compliance. Its work spans multiple industries, including finance, healthcare, and aviation. You can reach Sergei at http://www.linkedin.com/in/sergeivasilevsky/
Kamal Govindaswamy, CCSP, CISSP, CIPP/US
Kamal is the co-founder and security practice leader at Tueoris. He has been a security consultant for over 20 years, beginning at a Big 4 for 6 years. He has served clients across not-for-profit, healthcare, retail, financial services, life sciences, insurance, and consumer business industries. You can reach Kamal at http://www.linkedin.com/in/kgswamy/
Readers are encouraged to contact the authors on LinkedIn for any additional guidance or help with any follow-up questions.