Skip to main content

Web security - 2020 and beyond

(Image credit: Image Credit: Wright Studio / Shutterstock)

2019 shone a spotlight on how web technology is truly shaping business for better and for worse. At one end, it was a year of Magecart style attacks and the ensuing record-breaking fines; on the other, it was a year of growth for Neobanks who have leveraged modern web technology to redefine the paradigm of banking. Web security was a common bond. What should we be looking out for over the coming year (and beyond) with respect to web security in general and specifically in areas such as banking and ecommerce?

JavaScript security: As 2019 drew to a close, it highlighted just how much front-end technologies have grown during the last few years - all kinds of new frameworks, libraries and new tools. This rapid growth and the underlying thriving web development ecosystem have been key to close a decade of global digital transformation.

As we start 2020, web applications are the centre stage of most modern digital products and services. Every single Fortune 500 company is using JavaScript, yet most companies are still failing to protect exposed JavaScript against client-side attacks. This lack of client-side security is leading to some major data breaches, as companies still see application security as just another cost. With highly disruptive startups entering the market and an increase of sensitive logic that is shipped through the client-side, we will see a significant increase in the cost of attacks. Data breaches are growing over 400 per cent per year and the global cost of cybercrime could increase significantly during the 2020s. As a result, we will see investors and management becoming more aware of this key business threat - protecting JavaScript will become a major competitive advantage.

Banking: Neobanks have already initiated the battle to wrest away a good chunk of market share away from the ‘traditional banks’ (especially within the millennials segment). The incumbents, naturally, are trying to catch up on this front, betting on their own digital banking retail brands. In the UK, some of the biggest banks are launching a wave of new standalone online banks. This is largely viewed as an experiment with new technology and brands as they try to keep the digital challengers at bay. In one such example, Royal Bank of Scotland’s Mettle, which launched back in November, will be focusing on small businesses. RBS aims to offer a mobile phone-based means of managing invoices and expenses, targeting Mettle at micro-enterprises and sole traders.

Battling for supremacy

November also witnessed NatWest (a subsidiary of RBS) launching a digital bank to compete in this thriving Fintech space. Cloud-based bank Bo, which is live on both Apple’s App store and Google Play, is expected to compete directly with the likes of Revolut and Monzo, both well-known challenger banks in this space.

But as we witness more of these Neobanks appearing over the course of 2020, it is a timely reminder that both application security and JavaScript protection will be a key asset in the battle for supremacy - both to guarantee customer trust and to keep intellectual property secure. Specifically, by preventing code reverse engineering and ensuring that applications are able to automatically react to attacks in runtime, Neobanks can help to assure that they are prepared to meet attackers head-on and prevent automated abuse and intellectual property theft. It is clear that JavaScript protection will continue to be key to business success as the FinTech market grows.

Magecart: Magecart grew to prominence in the last half of the decade, for sure. And whilst the 2010s were just their "beta" stage, we can be sure that the 2020s will get much rougher - many more attacks and huge fines imposed until proper attention is given to the weaknesses of the web supply chain and the lack of client-side visibility.

The Magecart credit card skimming approach is most often to insert the malicious skimmer’s code into their target’s third-party providers - essentially known as web supply chain attacks. Starting in 2018, and continuing through 2019, there has been a clear pattern in supply chain attacks targeting the enterprise: a web-based vector of attack. The attack on British Airways, but also Equifax, Ticketmaster and Forbes were all achieved via malicious code that was injected into company websites via third-parties and then run in its users' browsers. In this way, a company's website or web app have become the perfect stages from where to steal user’s data.

Content Security Policy won't be enough

Many believed (and still believe) that Content Security Policy (CSP) is the way to go - yet, its many shortcomings mean that it won’t be enough to deter motivated attackers. In the light of bigger fines and bigger payouts to customers - in the UK there are already PPI style outfits offering compensation to customers who have been financially affected - companies can’t afford to wait for a cure that may never arrive. Instead, by detecting a Magecart outbreak in real-time with a web page monitoring solution, the Enterprise can mitigate Magecart before it does any real damage. We expect to see this approach gaining traction, especially once the C-suite takes notice, driving the need for solutions to take centre stage.

Rui Ribeiro - CEO and Co-Founder, Jscrambler (opens in new tab)

Rui Ribeiro - CEO and Co-Founder of Jscrambler. Former developer, team leader and project manager in banking and finance areas.