SquareX exposes SWG flaws at DEF CON, urges browser security

SquareX has revealed significant vulnerabilities in Secure Web Gateways (SWGs) during a presentation at DEF CON 32, calling into question the reliability of a technology widely used for over two decades.

Vivek Ramachandran, the founder of SquareX, along with his research team, demonstrated more than 30 techniques to bypass SWGs, exposing core architectural flaws.

Ramachandran and his team introduced a new framework, browser.security, designed to allow enterprises and SWG vendors to test their products for vulnerabilities. The framework has already attracted considerable attention, with numerous requests from SASE/SSE vendors. This could indicate that both customers and vendors are now scrutinising the security of their products more closely.

One security team member from the audience shared their concerns, saying, “We are very surprised to see how easy it is to deliver malware to the endpoints by bypassing SWGs.” Another attendee remarked, “It’s surprising that SWG vendors have not acknowledged these issues in their public documentation.” These reactions encapsulate the broader industry surprise regarding the revelations.

The reveal highlighted that advancements in browser technology have rendered traditional SWGs obsolete. Browsers are now complex systems akin to standalone operating systems, thus challenging SWGs' efficacy in monitoring and securing browsers effectively. This has sparked extensive discussion on social media and industry platforms. A Chief Information Security Officer (CISO) from a Fortune 500 company commented, “It’s evident that the only way to protect users is to build security solutions natively within the browser.”

SquareX’s Ramachandran underscored the limitations of current SWGs, stating, “Attackers are targeting employees of organisations while they are online, and the old guard SWGs are failing to detect and block new-age client-side web threats due to their antiquated architecture.” He elaborated, “The only way to detect and block these complex attacks is to have access to DOM changes, browser events, user interactivity etc., as input to detection algorithms, and the only way to do this is to have a browser-native product. This is exactly what SquareX is building.”

The SASE/SSE market, encompassing SWGs, is currently estimated to surpass USD $45 billion and is projected to reach USD $80 billion in the coming years. SWG vendors often claim to prevent all known malware and viruses from passing through their web proxies. However, SquareX’s presentation has cast significant doubt on these assertions, presenting a substantial challenge to the technology's perceived effectiveness.

SquareX has invited enterprises worried about the integrity of their SWG solutions to engage directly with the company. Using the browser.security platform, businesses can independently verify the security posture of their SWGs and address potential vulnerabilities exposed by the revealed bypass techniques.

The presentation at DEF CON 32 has set a new precedent for web security, urging enterprises to reconsider their reliance on conventional SWGs and explore more integrated, browser-native security solutions. SquareX’s approach aims to safeguard enterprise users from a wide array of web-based threats more effectively by leveraging the inherent capabilities of modern browsers.