While most organizations recognize the need to protect their web apps, their efforts tend to focus on the server side, leaving a critical attack vector exposed: the client side. The fact of the matter is the entire web application ecosystem must be protected, end to end, and that includes mobile, JavaScript, desktop, server and API.

Are you only protecting your backend?
Web applications are client-server apps, performing operations on clients (front end) as well as servers (back end). Since servers reside on your corporate network, conducting transactions and maintaining high-value information such as usernames, passwords and usage data collected by the application, they are enticing targets for attackers.

To protect your business, data and customers, you probably have already implemented traditional application security tools for your server. A common solution is a web application firewall (WAF) to stop network-based attacks. However, even a WAF that claims to be at the application level sees only what’s coming on the network – it cannot see what’s happening on, or through, the browser (client side).

Why network security alone is insufficient
If an attacker analyzes the browser to see how client apps behave, the WAF will be none the wiser. Furthermore, the attacker can use this knowledge about the application’s behavior to more effectively outsmart the WAF in a client-based network attack.

Attackers know they can compromise a server via a client-side exploit or vulnerability, and that risk only grows as more and more application logic is executed in the browser. As more applications move to the cloud, more application logic will be executed in the browser. In addition, JavaScript is becoming more functional. New development frameworks like ReactJS and AngularJS are being used to build single-page application user interfaces with more functionality and back-end integration capabilities than ever before.  

The more we rely on browsers to perform complex tasks, the bigger the attack surface grow. Unprotected JavaScript is a particularly compelling target since it’s delivered in clear text and can be easily interpreted. Attackers can leverage this vulnerability to reverse engineer a web application to understand its logic and how it communicates with the server. Additionally, if your API keys are not adequately protected, you could be providing direct access to your backend. The more easily an attacker can understand web app code, the faster they can attack your server in a more intelligent manner. As reported by CSO Online, the average cost of such a breach is $3.5M.

How to protect the client side
Web apps can be protected by inserting protective code during development that obfuscates and deters reverse engineering. JavaScript can be protected with obfuscation, encryption and additional techniques designed to frustrate attackers, and runtime application self-protection (RASP) can detect whether the JavaScript has been modified. These security precautions can help protect client-side web applications – and provide additional layers of server protection – helping to prevent a breach and subsequent brand damage, financial loss, intellectual property (IP) theft and government penalties.

Secure both client and server to protect your business
When starting any web app project, you need to consider protecting the entire application ecosystem. Unfortunately, web app frontends have been notoriously ignored while organizations focus on securing the backend. Without proper protections, web-based apps can serve as a useful tool to help attackers more effectively target server assets. By taking a comprehensive server and web app approach to application security, organizations can ensure they aren’t locking one door only to leave another one open.