The Current State of Web Browsing is Wreaking Havoc on Cybersecurity
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Dor Zvi of Red Access examines how the current state of web browsing is wreaking havoc on the world of cybersecurity.
In just a few short years, web browsing has gone from something done primarily in our free time to the primary activity underpinning all of our work. But this change has also brought a great deal of unwanted attention. As web browsing plays an increasingly central role in the day-to-day operations of the enterprise, it simultaneously becomes a more and more attractive target to malicious actors.
But, web browsing is changing in more ways than one, and already over-extended enterprise security teams are scrambling to keep up. In order to face this mounting challenge, organizations must begin by reimagining the idea of web browsing altogether — including how it is defined, where it takes place and what strategies are needed to secure it.
Why We Web Browse, Then and Now
It wasn’t long ago that web browsing served primarily as a leisure-time activity. Back then, we might open Internet Explorer or Netscape Navigator with any number of different goals in mind — entertainment, exploration, discovery, distraction — but rarely for the purposes of productivity. And especially not in the workplace. In fact, in those days, being spotted with a browser window open at work was often seen as a sign of slacking off — and not without reason. That’s because, back then, work didn’t happen on the web. It happened largely offline — within our own local operating environments, most often in desktop applications like Word, PowerPoint and Excel. Even email, the hallmark of digital connectivity, was accessed almost exclusively via desktop clients like MS Outlook and Apple Mail.
Today, however, all this couldn’t be further from the truth. For many knowledge workers — and especially those working hybrid or remotely — not having a web browser open at work is tantamount to not working at all. Today, web browsing underpins virtually everything we do at work, playing a role that’s more akin to an operating system than merely another application. For many of us, web browsers have become our sole gateway to the digital world; and as a result, our sole gateway to work. With the rise of web-based productivity suites like Google Workspace, the average knowledge worker can now spend the entirety of their workday without ever leaving a web browser. And, increasingly, many of them do exactly that. In fact, as far back as 2018, employees were already spending roughly a third of their workday using a web browser. Ultimately, this isn’t a surprise, considering the ability to check email, write reports, chat with coworkers, schedule meetings — and just about any other job function — is all just a URL away.
Browsers’ Increasing Complexity Complicates Security Efforts
Web browsing’s new, central role in the workplace has both fueled and been fueled by a decades-long run of innovations and advances in the category’s capabilities. Catalyzed by the first “browser wars” of the mid-90s, and again in the early-to-mid-aughts, web browsers went from relatively simple tools to extremely complex, feature-rich platforms capable of far more than the average user realized they ever wanted or needed. Nowadays, web browsers are infamous for being some of the largest, most resource-intensive programs regularly run by average users — gobbling up RAM, taxing CPUs and draining batteries more and more quickly with each update.
This ballooning complexity comes with an even greater cost that’s often overlooked, and that’s to security. Collectively, web browsers are now responsible for well over 8,000 CVEs, and for Chrome specifically, 2022 ranked as its worst year ever for zero-days exploited in the wild. The problem has gotten so widespread that in March of last year, Google’s Chrome Security Team released a statement addressing the uptick and outlining what they intend to do to combat it. In the piece, they offered several explanations for the sudden rise in CVEs, including the simple fact of the software’s complexity. “…there’s simply the fact that software has bugs,” the statement reads. “Some fraction of those bugs are exploitable. Browsers increasingly mirror the complexity of operating systems — providing access to your peripherals, filesystem, 3D rendering, GPUs — and more complexity means more bugs.”
Although Chrome has been disproportionately affected by this rise in vulnerabilities, it’s almost certainly a byproduct of its relative popularity (having roughly 60 percent of the market share), rather than it being uniquely more prone to bugs. Indeed, the overall trend of complexity-driven vulnerability is common across the web browsing landscape.
The Borders of Web Browsing are Getting Blurry
The web browsing arms race means we can now do a lot more inside a browser than ever before. However, just because so many tasks can be done inside a web browser today doesn’t mean they always are. There is still a place in this world for desktop applications, and there are users who will defend them vehemently, even when web app versions of the software are already available. For some, it’s simply a force of habit — this is the way they’ve always done things, and they have little to no interest in changing that. For others, it is a more practical consideration, in which certain desktop applications (especially resource-intensive ones) offer better performance and/or more functionality than their web app counterparts. And, of course, there are still plenty of widely used enterprise applications for which web app alternatives simply do not exist.
The once unmistakable line separating desktop applications from the web has recently begun to blur. Capabilities once reserved exclusively for dedicated web browsers (e.g. Chrome, Firefox) are increasingly showing up in other types of applications, blurring the lines between what is and isn’t web browsing and where it does and doesn’t take place. The first and most obvious example of this trend can be seen in the rise of “in-app browsing”. Most prominently found in social media apps like Facebook and LinkedIn, “in-app browsers” are software components like WebView that let users open and navigate web pages inside the app they are presently using (as opposed to launching the page in a traditional, dedicated web browser). Increasingly, researchers are finding that in-app browsers come with a wide variety of security and privacy risks.
However, they are far from the only avenues through which the act of web browsing has begun to extend beyond the boundaries of traditional web browsers. In a sense, any application that enables web access in some way, shape or form is moving the act of web browsing outside the purview of the web browser itself. Whether it be accessing remote files, following hyperlinks, engaging in chat, or viewing web pages, whenever a user initiates a web connection outside the confines of a traditional browser, they’re redefining what it means to browse the web, and redrawing the traditional borders established around it. And there is no shortage of enterprise applications that fit this bill.
Regardless of where the web browsing capabilities are being employed, as soon as a user clicks on a link or opens a remote file within a desktop application, they set in motion web connections that operate independently from the web browser. These connections are exposed to risks like data loss, harmful files, and various other online threats. This not only adds complexity to the conventional understanding of browsing-related vulnerabilities but also highlights a significant gap in the capabilities of many present-day secure browsing solutions.
The Security Implications of Web Browsing’s About-Face
There’s perhaps no better illustration of web browsing’s former role in digital society than the now-extinct expression “surfing the web”. Web browsing used to be a laid-back, directionless endeavor motivated by a desire for discovery and entertainment. Now, web browsing is much more akin to running on a treadmill (or a hamster wheel) than it is to catching waves at the beach.
In the end, we now spend more time browsing the web, doing more things, with much higher stakes. The rise in remote work that has taken place over the past three years has only kicked that trend into overdrive. As a result of these factors, browsing-based threats now constitute CISOs’ number one security concern, and with good reason. With their newfound central role in the workplace and mounting list of capabilities, web browsers have become poorly guarded treasure troves of sensitive data and unauthorized access.
But, hope remains. A vibrant ecosystem of secure browsing technologies has begun to take shape over the past few years. Although this field is still relatively young, it is quickly crowding with competitors, which we can hope will provide the kind of consistent innovation, intelligence and drive we need to successfully navigate the changing face of browsing security.