SquareX delivered a groundbreaking presentation at DEF CON 32, univocally proving that Secure Web Gateways (SWGs) are broken beyond repair. Presented by SquareX founder Vivek Ramachandran and the research team, the talk exposed over 30 bypass techniques that highlight core architectural vulnerabilities in SWGs, challenging the effectiveness and relevance of a technology that has been trusted for over two decades.
Also Read:Â CIO Influence Interview with Kendra DeKeyrel, Vice President of ESG and Asset Management at IBM
To demonstrate the ease with which SWGs can be bypassed, SquareX introduced browser.security, a website designed to allow anyone—including SWG vendors—to test their products. The framework’s release has already garnered much attention, with thousands of requests logged through SWG solutions from top SASE/SSE vendors, potentially indicating that both customers and vendors are scrutinizing their products for vulnerabilities.
Audience reactions to the talk were overwhelmingly positive. One attendee, representing a security team, commented, “We are very surprised to see how easy it is to deliver malware to the endpoints by bypassing SWGs.” Another added, “It’s surprising that SWG vendors have not acknowledged these issues in their public documentation.”
Many are unaware of how much browsers have evolved into complex systems that resemble standalone operating systems. SWGs are becoming obsolete in monitoring and securing the browser. These revelations sparked widespread discussion on social media and across industry platforms, highlighting the need for a new approach to web security. A CISO from a Fortune 500 enterprise commented on one of the threads, stating, “It’s evident that the only way to protect users is to build security solutions natively within the browser.”
Also Read:Â The Dynamic Duo: How CMOs and CIOs Are Shaping the Future of Business
Vivek Ramachandran, Founder & CEO of SquareX, emphasized this point, “Attackers are targeting employees of organizations while they are online, and the old guard SWGs are failing to detect and block new-age client-side web threats due to their antiquated architecture. In our view, the only way to detect and block these complex attacks is to have access to DOM changes, browser events, user interactivity etc., as input to detection algorithms, and the only way to do this is to have a browser-native product. This is exactly what SquareX is building.”
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
