2015-11-30

I’ve been debating this lately: should businesses disable JavaScript on their users’ systems? For that matter, should I disable JavaScript on my own systems and devices? I have colleagues and friends in the security field who have done so, and they seem to be quite happy (and relieved) about it.

Why disable JavaScript? The biggest reason is to guard against malicious code injection, especially cross-site scripting (XSS). The XSS problem is not really with JavaScript itself, but more so with web developers who don’t code with security in mind.

Despite widely publicized hacks going back over ten years, as well as clear direction on mitigating the vulnerabilities, XSS remains among the most widespread web application vulnerabilities for hackers to exploit. (It’s number three in the latest OWASP Top 10.) By embedding malicious JavaScript code in legitimate websites, hackers can steal sensitive data like your online banking credentials, as well as proliferate viruses and malware.
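To make concrete why XSS is a developer problem rather than a JavaScript problem, here is an added example (not code from the original post or from Pivot Point Security) showing the same page-rendering function written two ways: one that splices untrusted input straight into HTML, and one that applies HTML output encoding first. The input string, the function names and the small `containsInjectedMarkup` check are all constructed for this illustration.

```javascript
// Added example: the same rendering step, vulnerable and hardened.
// Constructed sample of untrusted input, e.g. a search term echoed back to the user.
const untrustedInput = '<img src=x onerror="alert(1)">';

// Vulnerable: string concatenation into an HTML context with no encoding.
// The browser parses the attacker's markup as part of the page, so the
// event handler runs with the page's origin (cookies, session, DOM).
function renderResultsVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened: encode the five characters that carry meaning in an HTML
// text or attribute context before the value touches the page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderResultsSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Minimal self-check a reviewer or test suite can run over rendered output:
// does the HTML contain any tag other than the <p> the template itself emits?
function containsInjectedMarkup(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.some((t) => !/^<\/?p>$/.test(t));
}

// Stand-alone run: show both outputs side by side.
console.log('vulnerable:', renderResultsVulnerable(untrustedInput));
console.log('safe:      ', renderResultsSafe(untrustedInput));
```

The point of the example is that the fix lives entirely on the server or template side: `escapeHtml` is applied where the untrusted value enters an HTML context, and no change to the user's browser settings is involved. Note that this encoding is correct for HTML text and quoted-attribute contexts only; a value placed inside a script block, a URL, or a CSS property needs the encoding appropriate to that context.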

Besides guarding against cyber attacks, I can think of one more security/privacy reason to disable JavaScript: it will help prevent various tracker scripts from analyzing and recording your browsing behavior (like an “incognito window” on steroids). Websites can and frequently do use JavaScript to gather detailed information about your system. Most are legitimate, but it pays to be careful.

Popular browser extensions like NoScript and SafeScript can give you a balance of control and usability by letting you choose which scripts to block. A related benefit is that many sites will load faster without all that snooping happening in the background… not to mention the JavaScript-driven adware.

The downside of disabling JavaScript is that you’ll experience a degraded user experience on many websites. JavaScript is used by over 90% of websites, including many high-traffic sites, making it the most popular client-side technology by far.

I decided to try disabling JavaScript to see what the browsing experience is like. I must confess it’s quite aggravating. Many websites I visit require that I enable JavaScript, so the browsing experience isn’t exactly seamless. Whitelisting, blacklisting—is it really necessary? Multiplied by the number of users in even a small business, that could add up to a lot of lost productivity.

Whether or not you disable JavaScript on your own systems and devices is a personal choice. But as a security strategy for a business, I don’t think it’s appropriate in most cases.

An objective in ISO 27001 is to ensure that information and information processing facilities are protected against malware. Yes, disabling JavaScript on users’ systems is yet another control that can protect against malware. But you still need to put targeted anti-malware controls in place to guard against all the other attack vectors besides JavaScript. Having appropriate controls in place makes disabling JavaScript on users’ systems redundant from the standpoint of risk mitigation, and probably more trouble than it’s worth.

To start a conversation about a comprehensive information security management system (ISMS) based on a framework like ISO 27001, FedRAMP or NIST, contact Pivot Point Security.

The post JavaScript: To Be or Not to Be appeared first on Pivot Point Security.
