SINGAPORE, Thursday, August 22, 2024 – SquareX delivered a groundbreaking presentation at DEF CON 32, univocally proving that Secure Web Gateways (SWGs) are broken beyond repair. Presented by SquareX founder Vivek Ramachandran and the research team, the talk exposed over 30 bypass techniques that highlight core architectural vulnerabilities in SWGs, challenging the effectiveness and relevance of a technology that has been trusted for over two decades.
To demonstrate the ease with which SWGs can be bypassed, SquareX introduced browser.security, a website designed to allow anyone—including SWG vendors—to test their products. The framework’s release has already garnered much attention, with thousands of requests logged through SWG solutions from top SASE/SSE vendors, potentially indicating that both customers and vendors are scrutinizing their products for vulnerabilities.
Audience reactions to the talk were overwhelmingly positive. One attendee, representing a security team, commented, “We are very surprised to see how easy it is to deliver malware to the endpoints by bypassing SWGs.” Another added, “It’s surprising that SWG vendors have not acknowledged these issues in their public documentation.”
Many are unaware of how much browsers have evolved into complex systems that resemble standalone operating systems. SWGs are becoming obsolete in monitoring and securing the browser. These revelations sparked widespread discussion on social media and across industry platforms, highlighting the need for a new approach to web security. A CISO from a Fortune 500 enterprise commented on one of the threads, stating, “It’s evident that the only way to protect users is to build security solutions natively within the browser.”
Vivek Ramachandran, Founder & CEO of SquareX, emphasized this point, “Attackers are targeting employees of organizations while they are online, and the old guard SWGs are failing to detect and block new-age client-side web threats due to their antiquated architecture. In our view, the only way to detect and block these complex attacks is to have access to DOM changes, browser events, user interactivity etc., as input to detection algorithms, and the only way to do this is to have a browser-native product. This is exactly what SquareX is building.”
SquareX invites enterprises concerned about the security of their SWG solutions to engage with the company directly. For more information or to request an assessment, visit sqrx.com or contact SquareX at founder@sqrx.com.
About SquareX:
SquareX helps organizations detect, mitigate and threat-hunt web attacks happening against their users in real time. With our innovative browser-native security product, SquareX safeguards enterprise users from a spectrum of web-based threats, encompassing malicious files, websites, scripts, and compromised networks.
For more information, visit http://www.sqrx.com
About Vivek Ramachandran:
Vivek Ramachandran is a security researcher, book author, speaker-trainer, and serial entrepreneur with over two decades of experience in offensive cybersecurity. He is currently the founder of SquareX, building a browser-native security product focused on detecting, mitigating, and threat-hunting web attacks against enterprise users and consumers. Prior to that, he was the founder of Pentester Academy (acquired in 2021), which has trained thousands of customers from government agencies, Fortune 500 companies, and enterprises from over 140+ countries. Before that, Vivek’s company built an 802.11ac monitoring product sold exclusively to defense agencies.
Vivek discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, and created Chellam (Wi-Fi Firewall), WiMonitor Enterprise (802.11ac monitoring), Chigula (Wi-Fi traffic analysis via SQL), Deceptacon (IoT Honeypots), among others. He is the author of multiple five-star-rated books in offensive cybersecurity, which have sold thousands of copies worldwide and have been translated into multiple languages.
He has been a speaker/trainer at top security conferences such as Blackhat USA, Europe and Abu Dhabi, DEFCON, Nullcon, Brucon, HITB, Hacktivity, and others. Vivek’s work in cybersecurity has been covered in Forbes, TechCrunch, and other popular media outlets.
In a past life, he was one of the programmers of the 802.1x protocol and Port Security in Cisco’s 6500 Catalyst series of switches. He was also one of the winners of the Microsoft Security Shootout contest held in India among a reported 65,000 participants. He has also published multiple research papers in the field of DDoS, ARP Spoofing Detection, and Anomaly-based Intrusion Detection Systems. In 2021, he was awarded an honorary title of Regional Director of Cybersecurity by Microsoft for a period of three years, and in 2024 he joined the BlackHat Arsenal Review Board.