Published on February 25th, 2019
Written by Sanjay Sawhney, Co-Founder and VP of Engineering

Modern web applications and websites behave very differently from those of just a few years ago. I want to highlight two of the most significant changes in how the web works, both of which have serious implications for security.

Change 1: Execution Moves to the Client

Modern web apps have become very “client-heavy” when it comes to code execution. Earlier generations of web applications executed code and stored data on the server and sent HTML to the client for rendering. Back then, client devices were not powerful and acted as little more than display screens for the web.

Today’s web applications perform a significant amount of code execution on the client via JavaScript, because they aim to deliver a native, desktop-like experience in the browser, with a web app that is as interactive and functionally rich as a desktop app. Modern web apps even store a lot of information directly on the client (e.g., IndexedDB, and AppCache, since deprecated in favor of service workers). This gives apps “offline” capabilities, so that your mail, document-editing or navigation web apps keep working even when you are not connected to the network.

What does this mean for security? First, when you think about protecting your web app, you need to know exactly what code is executing on the client. Second, your web app is now storing potentially confidential application data on the client, where any script running in your page’s origin can read it. Network- or server-based security products have no visibility into what is executing or stored on your users’ devices.

Change 2: Explosion in Third-Party Integrations

Today’s websites integrate dozens of third-party service providers: user analytics, marketing tags, CDNs, third-party JavaScript libraries and so on. When a user opens your site in their browser, they are not visiting only your server but a dozen others as well. Load CNN’s home page, for example, and your PC or mobile pulls scripts, images and other resources from dozens of servers that don’t belong to CNN. Every one of those third-party servers can execute code on your user’s device, collect data from it and so on. This is how many of the recent cryptojacking attacks played out: a compromised third-party server served cryptomining code to every visitor of the sites that included it. Even the recent breach of user data on the Delta, Sears and Best Buy sites came from a compromised third-party chat service embedded on those sites.

What does this mean for security? If any one of those third-party servers is compromised, every user of your site is exposed: a script you include from it runs inside your page with the same privileges as your own code. Web app owners therefore need to understand which third parties their pages load and restrict what those parties are able to do on their users’ devices.

Drop me a note and let me know if you want to know how Tala can help you defend your web apps and users against advanced attacks.

Sanjay Sawhney, Co-Founder and VP of Engineering

Sanjay Sawhney is the co-founder and VP of Engineering of Tala. Sanjay is an experienced engineering leader, technologist and entrepreneur who has worked for 25+ years in various engineering capacities at both well-established companies and startups. Most recently, he spent 9 years at Symantec managing Symantec Research Labs, one of the key innovation engines of the company. Prior to joining Symantec, he co-founded two companies and led their engineering: Neoscale Systems, a data encryption company, and Ukiah Software, a network security company. Earlier in his career, he worked in various engineering positions at Novell. Sanjay received a B.Tech. in Electrical Engineering from the Indian Institute of Technology, Delhi, and an M.S. in Computer Science from the University of California, Santa Barbara.
