Ivan Tsarynny, Feroot: “there is little emphasis on protecting potential pathways on the client-side for attackers”

When the COVID-19 pandemic pushed many businesses into the digital space, many appeared to be unprepared for the threats that lurk in the cyberworld.

While organizations are increasingly learning the value of cybersecurity measures to protect their brand and finances, not many of them think about the threats on the client side.

Although some individuals can protect themselves from hackers with such products as first-rate antivirus software, businesses should also protect their customers and make use of such services as JavaScript security monitoring.

To discuss such solutions, we invited Ivan Tsarynny, the CEO and Co-Founder of Feroot, a company that is creating risk-free and secure client-side experiences for organizations with its JavaScript security monitoring products.

Tell us a little bit about what you do. How did the idea of Feroot originate?

Co-Founder and CTO Vitaliy Lim and I are both problem solvers at heart. With our entrepreneurial spirits combined with our technology backgrounds, we recognized that so much focus was being placed on securing what’s inside a business, that there was a gigantic and vulnerable gap on the client side of security—the web pages and web apps used to interact with visitors and customers. For example, cybercriminals can modify or add malware to online purchasing forms or other information-gathering online forms to steal data and ultimately much more. There has been very little emphasis on protecting this potential pathway for attackers. Feroot was founded in order to change that. Our solutions arm organizations with the protection they need to know they are using client-side assets securely and safely.

Can you tell us a little bit about what you do? What are the main issues your products help solve?

Our solutions, Inspector and PageGuard, are designed for organizations that depend on web applications or web pages to run their business. Inspector continuously scans and reports on JavaScript web application vulnerabilities and attacks. PageGuard deploys JavaScript security permissions to ensure data exfiltration attacks are a thing of the past. Our automated client-side security solutions allow our customers to focus on their core business rather than dealing with a client-side attack or vulnerability. Our clients are discerning organizations that care about their customer data, their company data, and the reputations of all stakeholders.

In your opinion, which industries should be especially attentive to implementing JavaScript security?

If you think about how many times a consumer or business conducts financial, healthcare, or retail transactions online, it’s a huge, huge number. Oftentimes, super sensitive information is shared—information that’s ultra valuable on the dark web. Those client-side assets that make all of that possible must be protected. Otherwise, countless organizations, such as banks, retailers, airlines, hospitals, media companies, cryptocurrency exchanges, technology companies, and others, will potentially leave gaping security holes.

Do you think the pandemic altered the ways in which threat actors operate?

The pandemic has clearly opened additional pathways for cybercriminals but not necessarily new types of pathways. Client-side threats already existed, but yes, more people and organizations are relying on the web to conduct their business, purchase products and services, and live their day-to-day lives. The threats were already there, they’re just accentuated by the shifts we saw in a pandemic. We are seeing more and more threat actors shifting their tactics to the client-side on account of the ease of deploying successful attacks.

How do cybercriminals take advantage of unprotected JavaScript? What is the worst that can happen?

Money is what talks. Cybercriminals want to get their hands on personal information that can be sold on the dark web. They can attack, steal information, such as credit card data, and sell it for cryptocurrency. That cryptocurrency, based on its obvious anonymous nature, can fund any number of nefarious activities from small-scale attacks to nation-state efforts. In the end, one initial theft can enable more and more crime. Cybercriminals tend to visit open-source script repositories like GitHub. There, they deploy malware in a third-party script that businesses use to capture customer information. Every business that uses the malicious script is thereby infected by malware, and cybercriminals start to skim the data. The vast majority of organizations are not prepared to detect these attacks or stop them.

In your opinion, which industries are going to suffer from cyberattacks most often in the near future?

Very few are immune to potential cyberattacks. I believe the heightened international tensions that we are experiencing today place a whole host of industries at risk, from core supply chain operators and vendors to infrastructure and energy or finance and travel. When it comes to client-side attacks specifically, finance, insurance, e-commerce, SaaS, technology, blockchain, hospitality and media companies are going to feel the most pain.

What are the key practices companies should follow when developing web applications and websites?

Very clearly understanding what your client-side assets are, what they do, and why. Then, manage them effectively and be sure you’re secure—whether you built the scripts or not. Even commonly used scripts that millions relied upon can ultimately end up unsafe. Never assume anything is secure from the onset. You would be amazed at the number of third-party scripts that even the most seasoned cybersecurity specialist would have assumed was likely safe—and it turned out to be far from it. Also, remove any unnecessary or unused (zombie) scripts immediately. Test your web applications regularly and make sure they are secure.

Talking about average Internet users, what actions should everyone take to stay safe online?

Only work with reputable vendors that clearly prioritize cybersecurity. By protecting client-side assets, a company is prioritizing their most valuable asset—their customers. If you have any doubt if a website you are interacting with is secure or not, check the URL and see if it matches the vendor's true URL.

Share with us, what’s next for Feroot?

Feroot is always looking for ways to innovate, not only to further improve our solutions, but to add value by addressing problems that seem to have lacked the attention they deserved in the industry. That’s where we hang our hats. We have regular meetings with our customers during which we uncover additional use cases to cover and features to develop to enhance the value we provide to our customers. We have a robust roadmap and have some great product releases planned for 2022. Obviously we can’t let the cat out of the bag on those quite yet.