Arxan Introduces Industry-First In-App Firewall to Protect APIs and Prevent Browser Data Exfiltration

SAN FRANCISCO, Sept. 18, 2019 /PRNewswire/ -- Arxan Technologies, the trusted provider of application protection solutions, today announced enhancements to its web application protection solution to combat data exfiltration from the rampant threat of browser-centric attacks. The company is releasing major innovations for its Arxan for Web product that enhance protection against malicious browser extensions, banking trojans, malvertisements and other attacks that result in consumer data being exfiltrated directly from web apps to fraudulent web sites — all to be used in secondary, follow-on fraud or theft.

In order to adopt modern application architectures, organizations increasingly rely on APIs to drive innovation, speed of development, and provide new monetization opportunities. But, according to OWASP's new API Security Top 10 2019 report, "By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this, APIs have increasingly become a target for attackers¹."  Exposing APIs and moving business logic to the client-side of applications, outside the protection of traditional network security, creates a massive new attack surface. This increases the risk for formjacking, DOM tampering, session abuse, overlay attacks, API abuse, and more.

Arxan for Web now includes the industry's first in-app firewall to ensure web applications running in the browser only connect to approved servers and API endpoints. One of the key data exfiltration techniques used in formjacking attacks, a common approach used by the Magecart threat groups, is to create a website to receive customer data from the browser without the customer's or organization's knowledge. Arxan's in-app firewall prevents web applications from connecting to unauthorized servers, which would expose sensitive customer or financial data. Additionally, a new domain lock feature detects if an app is running in the wrong domain, for example, inside an iFrame in a different web app in an attempt to trick an app or user into revealing sensitive data. Triggering the domain lock will engage automatic defensive measures and immediately alert the organization to the threat.

"Web applications — and their APIs — are highly vulnerable, as they rely on code running in a browser that is not protected, leaving organizations defenseless and blind to increasingly common threats. Our mission is to help secure organizations as the threat landscape and app development trends shift, providing solutions that address the source of threats," says Rusty Carter, VP of Product Management at Arxan. "Arxan for Web enables organizations to protect their web applications, web properties, and APIs against all three data exfiltration phases – reconnaissance, weaponization, and exploitation –  providing critical visibility into attacks targeting the client-side of the application and preventing harm to the organization."   

The threat of Magecart groups is alarming, particularly for organizations that rely on eCommerce revenue to drive business growth. According to Symantec, more than 4,800 websites are compromised by formjacking every month². But client-side data exfiltration attacks are just one of the threat vectors web applications face, which is why a layered security approach is so important.

"The potential global financial impact from fraud resulting from Magecart and other attacks targeting web applications and APIs can not be understated. Where traditional Web Application Firewalls (WAFs) can only control and inspect traffic to the datacenter, Arxan protects applications from the endpoint to the server and back-end systems," says Carter. 

To learn more about protecting APIs against web and mobile breaches, register for our webinar featuring special guest Forrester: http://bit.ly/APIprotectionwebinar

About Arxan Technologies 
Arxan, a global trusted leader providing the industry's most comprehensive application protection solutions, works with organizations looking to protect applications and to securely deploy and manage business-critical apps to the extended enterprise. Arxan currently protects more than one billion application instances across many industries including financial services, mobile payments, medical devices, automotive, gaming, and entertainment. Unlike legacy security solutions that rely on perimeter-based barriers to keep bad actors out or that require device management controls, Arxan products protect at the application-level from the inside out. This approach protects the source and binary code to expand the corporate perimeter of trust to the new endpoint – the application. Arxan provides a broad range of patented security capabilities such as a dynamic app policy engine, code hardening, obfuscation, white-box cryptography and encryption, threat analytics and rapid app protection deployment designed for DevOps processes. Founded in 2001, Arxan is headquartered in North America with global offices in EMEA and APAC.  For more information, please visit our website or follow us on Twitter.    

¹ https://www.owasp.org/index.php/OWASP_API_Security_Project 
² https://www.symantec.com/blogs/feature-stories/istr-2019-cyber-skimming-payment-card-data-hits-big-time 

SOURCE Arxan Technologies

Related Links

https://www.arxan.com