Challenges of a Secure Frontend

Hello, I’m Gustavo and I’ve been working in software engineering for the past 10 years. I worked most of my career on tailor-made software, so I have experience with a variety of programming languages and tools, and I’m always excited to learn new technologies. In web development, I started in the glory days of jQuery and since then I’ve followed the transformation of the internet into what we have today. I joined Nect about two years ago to work on its frontend applications. Today I will talk about the challenges of developing secure frontend applications nowadays.

What is frontend development?

Frontend development is the process of creating the "front end" of a website or web-based application, the part that runs in the user’s browser, i.e., everything that the user actually sees and interacts with. The purpose of frontend development is to turn the static design of a website into a working, interactive experience for the user.

During the development of a website, developers can choose between many different approaches. They can do everything from scratch, which takes a lot of time and can expose their application to basic security flaws. Or they can use the modern ecosystem of frameworks, which provides several benefits, including faster development time and built-in security features that help protect the website from common attacks.

New technologies, new challenges

With the rising popularity of websites and the migration of many applications to the browser, the web is becoming more and more attractive for attackers to target. There is a constant flow of new vulnerabilities being discovered every day, and modern browsers patch these issues in no time. With all the security features that have been added over time, we can say the internet is now safer than ever.

While developing a website, programmers will have to use a lot of open-source tools and frameworks. Open-source software is mostly developed in a collaborative manner, with developers sharing their code and working together to improve it.

In the frontend development environment, one open-source package is often used as a dependency of another, forming a giant chain of dependencies. The developers behind these dependencies range from small independent programmers to big corporations. So even when using a big project like Vue.js, trust is extended to every developer in that chain.

(Recently, malicious code was injected into one of Vue.js’s dependencies: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/)

Many companies and developers make use of these dependencies without realising that they are a potential attack vector. A malicious developer could create a useful dependency to build trust, spread its use across multiple projects, and later release an “update” that finally contains malicious code. Another possibility is that an attacker hijacks the credentials of a trusted contributor and uses them to inject malware into that contributor’s code. So, when using this kind of software, we need to be aware of the possible vulnerabilities and make sure to have a good process to mitigate the risks.

How to mitigate the risk?

Here at Nect, we take security very seriously and will do everything in our power to reduce the risk as much as possible. Hence, we have taken the necessary steps to ensure that our applications cannot be hacked and that every software dependency is verified.

The risk scales with the number of dependencies used. Considering that, even if it costs us more time to develop a feature from scratch for our applications, we choose to do so because the risk is not worth it. We use only a very few dependencies, reducing the risk of being exposed to this kind of vulnerability.

For the few we do use, we run an assessment before adopting them, based on several criteria. First, we check the pros and cons of developing the functionality in-house. We also check the reputation of the developers behind the project and whether the project is actively developed. Once a dependency is in use, we constantly check it for vulnerabilities and keep it up to date with the latest versions.
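As an added illustration of the two points above (the risk scales with the dependency chain, and an "update" can carry malicious code), the following Node.js snippet is not from the article or from Nect: it reads a constructed package.json and package-lock.json (lockfile v3 layout), measures the transitive chain behind each direct dependency, and flags version ranges that would let a fresh install pick up a version nobody reviewed. The package names and versions in the sample manifests are constructed.

```javascript
// Added example, not from the original article: a small dependency audit over a
// constructed package.json and package-lock.json (lockfile v3 layout). It reports
// how many packages are really trusted and which ranges float to unreviewed versions.
const packageJson = {
  dependencies: { vue: "3.3.4", "left-pad": "^1.3.0", "some-cli": "*" },
};
const packageLock = {                           // constructed sample lockfile
  lockfileVersion: 3,
  packages: {                                   // keyed by install path, "" is the root
    "": { dependencies: packageJson.dependencies },
    "node_modules/vue": { version: "3.3.4", dependencies: { "@vue/runtime-dom": "3.3.4" } },
    "node_modules/@vue/runtime-dom": { version: "3.3.4", dependencies: { "@vue/shared": "3.3.4" } },
    "node_modules/@vue/shared": { version: "3.3.4" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-cli": { version: "2.0.0", dependencies: { "node-ipc": "^10.1.0" } },
    "node_modules/node-ipc": { version: "10.1.0" },
  },
};
// A range is "loose" when a fresh install may resolve it to a version nobody reviewed.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;
function looseRanges(pkg) {
  return Object.entries(pkg.dependencies || {})
    .filter(([, range]) => !EXACT_VERSION.test(range))
    .map(([name, range]) => `${name}@${range}`);
}
// Breadth-first walk from one direct dependency through the lockfile, collecting
// every package it transitively pulls in. Assumes hoisted (non-nested) paths.
function transitiveClosure(lock, name) {
  const seen = new Set();
  const queue = [name];
  while (queue.length) {
    const current = queue.shift();
    if (seen.has(current)) continue;
    seen.add(current);
    const entry = lock.packages[`node_modules/${current}`] || {};
    queue.push(...Object.keys(entry.dependencies || {}));
  }
  seen.delete(name);
  return [...seen].sort();
}
// Summary a reviewer can act on: how many packages are trusted, and through whom.
function assess(pkg, lock) {
  const direct = Object.keys(pkg.dependencies || {});
  const chains = Object.fromEntries(direct.map((n) => [n, transitiveClosure(lock, n)]));
  const installedCount = Object.keys(lock.packages).filter((k) => k !== "").length;
  return { directCount: direct.length, installedCount, loose: looseRanges(pkg), chains };
}
console.log(JSON.stringify(assess(packageJson, packageLock), null, 2));
```

Pointing the two constants at a real project's manifests (read with `fs.readFileSync` and `JSON.parse`) gives the same report for that project.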

This assessment, combined with the limited use of external software, allows us at Nect to maintain a high level of security and give our users the confidence they need to use our technology.
