"Tech firms have an obligation to guarantee the integrity of their applications, but it seems that many are failing to do so, and risk compromising their users as they fall prey to client-side or browser hacks. An example is the GozNymin malware, a hybrid of two strains of known malware, targeted the business banking and credit unions sector and stole around $4 million from 24 US and Canadian banks in April 2016.
Surprisingly, many businesses are still unaware of this threat to their security, as Fortuna explains. “Traditionally, code protection meant storing as much code on the server as possible,” he says. “This kept your code safe from prying eyes and allowed the server to do the heavy lifting, performance-wise. Even today, storing your code on the server certainly offers the best protection, although with some disadvantages.
“One challenge involves forcing an Internet connection; if you’re developing an application you want to work offline, it is not feasible. Performance is another. Server calls take time. That’s not an issue for simple apps, but for high-performance apps like games, excessive latency can ruin the user experience. This raises concerns as more and more logic is being executed on the client-side where, due to the nature of the language, is very exposed to code tampering and code injections.”
Companies still focused on deploying server-side security mechanisms, like web application firewalls, are starting to realise that the threat model for web applications is changing.
“It's not enough to find security vulnerabilities and fix them,” says Ribeiro. “You need to ensure that your web application is as resilient as it can be against user-experience tampering, malware injection, data leakage, and IP and code theft.”
Until now, organisations have relied heavily on endpoint security solutions to protect the client side, paying little attention to the hidden dangers of hacks through the client side, yet solutions such as antivirus have a low success rate, believed to be around 40%.
“If you consider that an application encompasses both server and client side, and that the client side solution doesn’t necessarily have to be endpoint security, then you understand the thinking behind Jscrambler,” says Fortuna.
In 2014 Jscrambler raised $800,000 in seed funding from Portugal Ventures, a public VC and PE firm, and traction to date has been strong; Jscrambler has over 28,000 customers globally, including Fortune 500 companies, and a number of global brands.
The Jscrambler team is also growing, currently 20 strong, and the company, which has offices in Porto, Lisbon and San Francisco, is expanding its operations to the US, their primary market.
It is one of a growing number of startups flourishing in Portugal’s tech ecosystem, which was recently boosted when its capital Lisbon hosted the Web Summit. However, Ribeiro insists that Porto is the real scale-up city of Portugal, and also a leading European hub for innovation, startups and investments.
He says: “Jscrambler will continue to be a disruptive player, revolutionising the application security scene, and delivering a resilient solution for client-side security that companies and individuals can rely on. There are no excuses for ignoring the risks that are being taken when unprotected code is deployed or underestimate the importance of monitoring what is happening on the client side as we are witnessing on the expanding cyber-battlefield every day.”"
Contributed by Allison Coleman, Forbes contributor
Originally published on Forbes on February 13, 2017.