The Nature of Application Code
Rui Ribeiro of Jscrambler on Lowering the Security Risk of Using Third-Party Code
July 14, 2022
24 Minutes
"On average, a web application or a website is running 66 different external JavaScript components," says Rui Ribeiro, founder and CEO of Jscrambler, a company that monitors and obfuscates JavaScript code.
Ribeiro says we use a lot of third-party code, mostly JavaScript, when we build mobile and web applications, and the third parties can often access data in other parts of the application, creating security risks.
In this episode of "Cybersecurity Unplugged," Ribeiro discusses:
- How Jscrambler monitors for "malicious behavior" in web application code and stops it;
- What polymorphic obfuscation is and how it can deter attackers;
- How to use third-party code and still have a high degree of security.
Ribeiro is from Lisbon, Portugal, and specializes in code security. Having led Jscrambler since 2014 from a pure bootstrapped operation to a growing business, he continues to serve thousands of customers plus the Fortune 500.
This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.
Details
Steve King 00:13
Good day everyone. I'm Steve King, the director of cybersecurity advisory services here at CyberTheory. Today's episode is going to explore website and application code integrity. And with me to explore that topic is Rui Ribeiro, the CEO and founder of Jscrambler, a bootstrapped global business that now serves over 43,000 customers worldwide, from Lisbon, Portugal, who specializes in code security. Rui has led Jscrambler since 2014, from a pure bootstrapped operation to a growing business, serving those 43,000 plus the Fortune 500. And that completely amazes me, really, so I am overwhelmed with that accomplishment. So fantastic. Congratulations to you, and welcome to the show. And thanks for joining me today.
Rui Ribeiro 01:12
And thank you for having me. And thank you for this introduction. And we’re really happy to be here.
Steve King 01:18
Yeah, I'll bet you are. Your top-line messaging and your marketing material says you can protect applications against abuse and privacy and tampering and code theft, and use enterprise-grade obfuscation and code locks and other self-defense techniques. It also says you can do something similar for websites against web supply chain attacks and online fraud by, I guess, detecting and controlling client-side behaviors. Can you explain to our audience exactly how you do that? And describe the similarities between applications and websites within this context?
Rui Ribeiro 02:01
Of course, of course. So let me start with the last question that you put. So most web and mobile applications today are using JavaScript, because companies want to have a single codebase, lower cost of development, shorter time to market, and provide an omnichannel experience to their users. So this means that when I open a web application on a browser, or on an iPhone, or on an Android, they have a very similar experience, if not the same experience. And so when we are talking about applications and websites, we are basically talking about all mobile or browser apps that use web technologies. For us, it's no different: if the technology that they're using is the same, we are able to address the security concerns of these applications. But if you look at it, a web application is basically built using two big parts. The first one, which is the app that the owner of the application builds itself, the first-party code. And the second part, which is the code that it brings in from third parties, which we're going to call third-party code. And so companies must make sure that they're able to protect not only their own code, but also every piece of JavaScript that they add to their web application. Because every one of these sources can be a potential security problem. So they must verify that it's not tampering with forms or leaking the user data. So we are entering the realm of supply chain attacks you previously mentioned. Also the term Magecart, it's also part of that class. And this happens because on average, a web application or a website is running 66 different external JavaScript components. Wow. It's a huge number. And the problem is that each time you embed a third party, they basically all have the same privileges. So they can do whatever they want to the web page. I'm simplifying. But let me try and give you an example to make this more real. So imagine that you're logging in to your bank account.

On the right side, you have the login form. And on the left side, you have a video player that is promoting the new credit card that the bank is starting to announce. So that video player has no secrets, no known vulnerabilities, no CVEs; it is an external component, of course, because the bank is focused on developing its own features. It's not going to develop a video player. And by logic, while it is on the login page, it shouldn't access the login or password data. Okay? This is the context. But if that video player has a configuration error, it might start accessing the password of everyone that is trying to log in to the bank's web page. But if you look at it, why? Why would a video player start to access the login and password information? Because that same video player, if it's used by a media company, must first check login and password before playing any content. Sure. So it's the context; the context is incredibly important. So the same component, if it's on a media company's site, there is no security problem; if it's on a bank's web page, it can become a security risk. So going into the context, like why is this important: maybe they could push the problem onto the provider of the video player. This has changed. So a lot has changed in terms of the responsibility for the data. And all the industries, from banking to e-commerce and media, all of them always understood this. But now with the new norms like GDPR, CCPA, and all the different counterparts all over the world, it is clear that they are responsible for any data breach, be it from them directly, a problem that they created, or from any third party that they bring in to the application itself. So we have the context of, okay, we build websites using a lot of third parties, these third parties have a lot of access that they shouldn't have, and there is a big liability risk. And that's where we started.

So we wanted to build a simple and effective solution that dealt with these problems. And we go about it because we want to secure and monitor every JavaScript that's running on a web page. So all the JavaScript, first and third party. By doing that, we are helping the companies protect their users from attacks, which is what is more relevant and more mediatic, from fraud, from harmful third parties, but also from simple problems that occur from misconfiguration and errors, like the one that I shared with you: the video player on the banking website accessing login and password.
Steve King 07:36
Yeah. So you know, on the supply chain side, as you said, you monitor JavaScript and can identify all that corrupt code. Then do you block those instances where you find them? And then eradicate them? Or how does your product work? Similarly, on the client-side applications, is that in play whether you're desktop or mobile? Or do you care?
Rui Ribeiro 08:02
We care, but we can cover all of them. But it's interesting that you started by talking about corrupt code. We have found that most of the time the problem is not just corrupt code or attacks. So let me try and go back to another example. A web application is built by multiple teams. For example, we have the marketing department, and the marketing department uses tag managers that allow them to add external third-party JavaScript on the fly. Right? You're already feeling the problem coming? Yeah, sure. So if the marketing department wants to install a new tracking tool, that's fantastic, and that will really help them make a lot of money on the next Black Friday event; they can do it at the click of a button. But what the marketing team didn't know was that the JavaScript that they added to the page is also bringing in a big security risk, because it can access, and does access, the email of every single user on that website.
Steve King 09:10
Amazing.
Rui Ribeiro 09:12
And that's why it's a big, big security risk, which is almost impossible to predict when you're starting to build the application. It's only when it is at the execution level that it makes sense. So in fact, no code was corrupt. Nothing was changed in the source code of that e-commerce website, but all of a sudden they have a very big security problem. And that security problem cannot be verified by looking at the origin of the code, because it came from that tag manager. So in some contexts, it could be a pre-approved source, or the identity of the vendor that is being added to the website; although the identity is valid and comes from a trustable company, it can create that security problem just because of running in that context, where it cannot access that type of data. And so we focus a lot on the behavior of the code. What does it do with the user data? And you asked specifically, like, how does the blocking happen, and how does the eradication process happen. So trying to do it in a nutshell: we monitor the client-side code, and we monitor every user session. So for all users that are engaging on that website, we are seeing what every piece of code is doing. And we detect any malicious behavior and stop it. Okay, so we inventory all the JavaScript modules that are running on the client side; that's the first step. Of course, we identify what they are doing, and if there are implications for their users. Having that information, we can enforce policies that allow certain scripts to have one level of access and the others not to have that same level of access. Going back again to the example of the video player, we will allow it to play video, but we won't allow it to access form data. Right, okay.

And that, combined with the fact that we are able to protect also the first-party code, all of these strategies together create a very resilient web application that is able to provide a secure experience to the end user. So monitoring and stopping the attacks at the origin.
Steve King 11:37
Yeah, that's great. Two words: polymorphic obfuscation. If we have 100 people listening to us right now, 99 of them don't know what that means. Could you explain the nature of polymorphic obfuscation? Kind of how it works? And how Jscrambler deals with it?
Rui Ribeiro 11:59
Okay, I can try. Yeah, the objective of obfuscation is to raise the bar to the point where the attack becomes unprofitable. So let's look at it like an economic problem. If it takes too much time, and uses too much resources, I won't do it. And polymorphic obfuscation means that we are able to protect the same code and generate, at each protection, totally different versions of that code that achieve the same goal. Okay, but they go through it in a different process and look totally different; in fact, totally different. But why do that? Why have 1 million versions of the same code? Because then you have 1 million problems that an attacker has to solve. So, again, it's about raising the bar in terms of security.
Steve King 12:56
More difficult for the bad guys, right?
Rui Ribeiro 12:59
Yeah, and this is very important for automated abuse. So things like bots. So the PlayStation 5 was nearly impossible to buy for a long time, because we had scalper bots that were constantly buying all the stock and then reselling it at a very high price on the secondary market. If you look at it, with polymorphic obfuscation, we could slow down those bots, just because every time they tried to do that purchase, they would be looking at a different code base, and they wouldn't be able to automate that process, because the context would be totally different. It's not that simple; I'm oversimplifying. But the idea here is we provide multiple problems, and so we avoid the automated abuse of applications.
Steve King 13:47
Yeah, sure, that makes sense. But, you know, a couple of million versions is not going to make a difference to a bot that can probably solve that problem in sub-second response time. You have any prognosis about how 5G is going to impact that process?
Rui Ribeiro 14:06
5G is about network connectivity. I'm not a bot detection company, but for them, it's a bigger problem, not because of 5G but because of IPv6. With IPv6 they have a lot more IPs that they need to trust or not trust. But I don't expect 5G to be an increasing problem for these companies and for the solid process of bot detection.
Steve King 14:32
That's sure going to mess with the network. So that's all, yeah.
Rui Ribeiro 14:36
More boundaries, more people, more data. Yeah. That's an increasing problem. That's for sure.
Steve King 14:44
No kidding. You've had success in the operational technology markets as well, the, you know, OT space or IoT space. Are there customer success stories there that our audience might relate to?
Rui Ribeiro 14:59
We've had a lot of success in the OTT market, which is related to video players. So media companies, that's where we have had a lot of traction. So media companies, e-commerce and banking, those are the places where we have the most traction. And in the case of OTT, so media companies, I think that the biggest change that we have seen is that previously, we consumed the media in set-top boxes in the living room. And now we are able to consume media everywhere. But they still have the same security requirements for their applications. And that's where we come in. So we have helped companies protect their OTT applications, and we enable them to be competitive and provide a secure streaming experience in any environment: on a mobile, on the computer, on the browser, in any of those situations.
Steve King 15:55
If you stay in the media swim lane, what are the next challenges you're going to have to address to continue to be competitive?
Rui Ribeiro 16:05
Media is always complex, because they are constantly evolving. We want to consume content that is unique, that is immediate. It's more and more about the accessibility, being able to decide what you want to watch now, rather than what it was before, when you had pre-packaged content that you'd sell for years and years, like for example a film. Today, it's about sports, it's about live events, where media companies will have to focus to differentiate themselves.
Steve King 16:41
Yeah, sure. So tell me about competitors. You must have a bunch. But you're in a leadership position. I mean, you've accomplished that, which is amazing. What can your customers kind of look forward to in the future from you guys?
Rui Ribeiro 16:58
We have a goal: we want to provide a very simple solution to a very complex security problem. And the need is there. So finance, e-commerce, they need to protect their user data, they need to improve their compliance. And companies are already struggling with implementing a good user experience. So we want to take the security problem from them, and we want to help them in that part. So an e-commerce website has lots of services that have been bundled into that experience: payment processors, analytics tools, helpdesk systems, advertising, marketing tools, shipping, whatever. And they must all work together; all these modules must work together. Most of the companies are not as conscious as they should be of the risks of bringing in all these third parties. And even the third parties' security is not on par with most of the commerce or banking companies. And so we have found the example that I was telling you: a third-party company that all of a sudden starts to access the user email and capture user data. And we want to stop that. So we want to work with the commerce companies, the banking companies, so that they can be agile, be more competitive, allowing them to use those third parties without having a concern that it might compromise their user data. Be faster, of course, sell more if it's an e-commerce company, but above all, avoiding all those compliance risks. We don't want to be a security company that blocks our customers from moving forward; we want to enable them to move forward. We're not going to say don't use third parties. What we are meant to say is we have a system that allows you to use third parties and move forward and still have a very high security stance.
Steve King 19:06
Yeah. Great. Final question here, and I'm conscious of the time. Notwithstanding the recent crash in the cryptocurrency markets, it's still incredibly popular, and, you know, as a result, it continues to expand the threat landscape pretty dramatically. Do you manage anything in that world, and how does that impact Jscrambler?
Rui Ribeiro 19:35
So crypto is always a complex, a very complex topic, because most people don't understand the implications of crypto, but trust it and put money in crypto. Yeah, no. All right. So, one of the main security problems that is clear for me is that when you do a transaction in crypto, the money moves from one entity to another, and most of the time, it's not reversible. And it is anonymous, also, in many, many of those situations. So it is an ideal candidate for fraud. And they are aware of it. The companies that deal with crypto are aware of it, and they try to ensure an extremely high level of security in their apps. And we help in those situations, because you engage with the app either when you're accessing your crypto wallet information or when you make a transaction. And that's why tooling like ours is incredibly important also for the crypto industry. But, as you said, it's growing so fast, and it is a very high-benefit target, so the attackers have a motivation to continue to do fraud in this space. These problems are not only from crypto; they are not specific to crypto. It applies to all money transactions. We also have a new trend that is instant payments. And if you look at the classic credit card transactions, they are still a primary target of attackers. And the industry knows that third parties and JavaScript and running code and building up complex applications that run on the browser or on mobile devices is a complex process. And if you look at the latest regulations from the PCI DSS, and the PCI DSS is a standard that everyone that accepts credit cards must comply with, it already mentions the need to monitor third parties and ensure the integrity of the JavaScript running in the browser. So what this means in the context of credit cards is, in the future, every company that accepts a credit card payment must comply with the standard.

And basically, our tooling will help these users and the merchants that are accepting these payments to provide a secure payment solution for their end users. And so we believe that what is happening now on credit cards will apply to all forms of payments, not only credit cards, but also instant payments, crypto, and other solutions that will exist in the future.
Steve King 22:25
Yeah, sure. And, you know, the money exchange, as it continues to evolve, is very different today than it was 15 years ago. I'm sure it'll look very different in 15 more years. But as long as JavaScript's around, you guys will be doing great. So I want to congratulate you once again for the last eight years, bootstrapped to 43,000, an absolutely amazing success. I appreciate you taking the time today to help us understand some more about your business and explain some of the intricacies of your markets. So thank you once again, Rui. I appreciate you, as I said, taking some time out of your day.
Rui Ribeiro 23:11
Thank you for the opportunity, Steve. I really enjoyed talking about these topics. I hope that I was clear and that it helped people understand a little bit what
Steve King 23:20
Yep, I think so. Thanks again and we'll talk soon. Thank you. Take care.