The Security Gap JPMorgan Chase’s CISO Didn’t Mention — And Why It’s in Your Browser
When the CISO of JPMorgan Chase issues a public letter to all technology vendors, the industry pays attention, and rightfully so. In his open letter, Rohan Amin lays out a firm, urgent call: prioritize secure-by-design practices, patch faster, and take full accountability for your software supply chain. Last week at RSAC Conference there was definite buzz on the ground about the letter. To me, it was a public signal that large enterprises should no longer tolerate avoidable vulnerabilities, and that too many of them are introduced through third-party vendors. Regulatory pressure, market expectations, and operational resilience all demand better. But while the letter hit on several vital dimensions of software security, I couldn’t help but notice that it overlooked one of the fastest-growing attack surfaces in the modern enterprise: the browser.

Browsers: The New Frontline of Enterprise Work and Risk
Today, nearly every business-critical task, from accessing internal tools to using SaaS apps and collaborating with contractors, happens inside a browser. Google Workspace, Microsoft 365, Salesforce, Workday, Adobe, GitHub… the list goes on. Yet despite this shift, most enterprises:
- Don’t inventory browser extensions
- Don’t have visibility into SaaS use from the browser (shadow SaaS)
- Don’t monitor user behavior in the browser on unmanaged or lightly managed endpoints
More importantly, most enterprises don’t think of the browser as a third-party application, at least not the way they do other SaaS applications. Chromium-derived browsers such as Vivaldi and Arc add to the exposure: each ships its own code and its own patch cadence on top of the Chromium base, so every one in use is another supplier in the enterprise’s supply chain. This creates a massive blind spot. The browser is no longer just a window into the internet; it’s the main gateway through which employees access third-party apps daily. That makes it an extension of your software supply chain.
What JPMorgan’s CISO Got Right — and What Was Missed
Rohan Amin’s letter makes important demands:
- Accelerate patch cycles
- Eliminate default credentials and outdated libraries
- Design for security up front
- Be transparent about vulnerabilities and remediation timelines
- Take third-party software risk seriously
These are all essential, and most security teams would agree. But the browser goes unmentioned, and it is often forgotten in third-party risk assessments. That’s a mistake.
Why?
Because browsers are:
- Full-fledged application platforms, running extensions, scripts, and even unauthorized SaaS tools
- Privileged interfaces, used to authenticate, store cookies and tokens, and transfer sensitive data across enterprise SaaS applications
- Entry points for phishing, session hijacking, and insider risk
- Totally unmanaged in many BYOD and contractor scenarios
Gartner agrees. In its recent report, Innovation Insight: Secure Enterprise Browsers, Gartner notes, “Established hybrid work patterns, increased use of lightly managed and unmanaged end user devices and BYOPC in the modern workplace, and increased SaaS adoption have led to more work being done through web browsers.” Why is this a problem? According to Gartner, that’s because “[threat] actors frequently target employees with phishing attacks to steal credentials and bypass endpoint detection and response controls, necessitating an additional layer of visibility and control within the web browser.” This is complicated further by the fact that most “organizations already have two or more browsers (Google Chrome, Microsoft Edge, Apple Safari) and are not fully managing these today. IT’s desire to add another browser due to increased management overhead is low” (Gartner, Innovation Insight: Secure Enterprise Browsers, April 2025). In other words, everything the CISO’s letter warns about is already playing out inside the browser.
Browsers Are Not in Your Third-Party Risk Program — Yet They Should Be
Let’s ask a simple question: when was the last time your security or risk team reviewed the browser extensions used across your workforce? Or:
- Audited the behavior of contractors in browsers on personal devices?
- Inspected shadow SaaS usage from browser sessions?
- Monitored web app file uploads to unapproved destinations?
Chances are, these aren’t included in your vendor risk assessment, SBOM processes, or internal GRC controls. That’s a problem, because browsers:
- Load third-party code (via extensions or scripts) that can exfiltrate data
- Enable shadow SaaS use and extensions that bypass managed app policies
- Offer fertile ground for credential theft and lateral movement
The browser itself is a software platform. Like any software, it should be controlled, monitored, and included in risk modeling.
How Browser Security (Browser Detection and Response and Secure Enterprise Browsers) Closes This Risk Gap
This is where solutions like Browser Detection and Response (BDR) and Secure Enterprise Browsers (SEBs) come into play. They bring enterprise-grade visibility and control to a layer that’s been ignored for too long. Key capabilities should include:
✅ Extension control and risk profiling: know what’s installed and block risky plugins
✅ Identity and access management: prevent unsanctioned SaaS logins
✅ Secure access to internal apps: ensure that users only access the apps they need, even on BYOD or unmanaged devices
✅ Browser-based DLP: stop data exfiltration and insider threats by blocking uploads or copy/paste
✅ Shadow SaaS visibility: detect usage of unauthorized apps, even on BYOD
✅ Phishing and session protection: block advanced phishing attacks, credential harvesting, and lateral movement
✅ Detailed session audit trails: support threat hunting, incident investigations, and compliance mandates
Fulfilling Your CISO Mandate — Without Blind Spots
CISOs everywhere are feeling the pressure. Regulations like NIS2, DORA, and the SEC’s cyber disclosure rules demand more transparency, more board-level accountability, and faster detection and response. Security leaders must go beyond infrastructure and cloud tooling and take control of the layers where users and data intersect every day. That means:
- Including browsers and extensions in software asset inventories
- Auditing SaaS usage, including shadow SaaS
- Controlling what happens in unmanaged browser sessions on BYOD and contractor devices
- Using BDR or secure browser technologies to provide an enforceable policy perimeter
Secure the Layer Everyone Uses — But No One Is Watching
The JPMorgan CISO’s letter set a high bar. But if organizations respond only by tightening cloud APIs or endpoint agents, they’ll still be missing the most active, high-risk execution environment in their enterprise: the browser. If you’re not monitoring and securing browser behavior, you’re flying blind, while attackers increasingly target that very space. Let’s fix that.
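The extension inventory that the capabilities checklist (extension control and risk profiling) and the first item of the list above call for, as an added example in Python; it is not SquareX’s code or any product’s. It collects the permissions and host patterns each extension’s manifest asks for, scores them, and emits a Chrome ExtensionSettings policy that blocks those above a threshold. The permission weights, the threshold, and the three sample extensions (fake IDs and names) are constructed assumptions; `load_profile_extensions` reads a real Chrome or Chromium profile’s Extensions directory.

```python
"""Inventory browser extensions, score their permissions, and emit a Chrome
ExtensionSettings policy that blocks the risky ones.

Added example, not SquareX or Chrome code. Extension IDs, names, permission
weights and the block threshold are constructed assumptions for illustration.
"""
import json
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Tuple

# Assumed weights: how much latitude a permission or host pattern gives an
# extension to read, alter or exfiltrate what the user does in the browser.
# Anything not listed (e.g. "storage", a single-site host pattern) scores 0.
PERMISSION_WEIGHTS: Dict[str, int] = {
    "<all_urls>": 3, "*://*/*": 3, "http://*/*": 3, "https://*/*": 3,
    "debugger": 3, "nativeMessaging": 3, "proxy": 3, "webRequestBlocking": 3,
    "webRequest": 2, "cookies": 2, "declarativeNetRequest": 2,
    "clipboardRead": 2, "scripting": 2,
    "tabs": 1, "history": 1, "management": 1,
}


def extension_permissions(manifest: dict) -> set:
    """Collect every permission and host pattern a manifest asks for.

    MV2 lists host patterns under "permissions"; MV3 moves them to
    "host_permissions". Content-script "matches" also grant page access.
    """
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    perms |= set(manifest.get("optional_host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms


def score_extension(manifest: dict) -> Tuple[int, List[str]]:
    """Return (risk score, sorted permissions that contributed to it)."""
    flagged = sorted(p for p in extension_permissions(manifest)
                     if PERMISSION_WEIGHTS.get(p, 0) > 0)
    return sum(PERMISSION_WEIGHTS[p] for p in flagged), flagged


def load_profile_extensions(profile_dir: str) -> Iterator[Tuple[str, dict]]:
    """Yield (extension_id, manifest) from a real Chrome/Chromium profile.

    On-disk layout is <profile>/Extensions/<id>/<version>/manifest.json.
    Names may be "__MSG_xxx__" placeholders; resolving _locales is omitted.
    """
    root = Path(profile_dir) / "Extensions"
    if not root.is_dir():
        return
    for path in root.glob("*/*/manifest.json"):
        with path.open(encoding="utf-8") as fh:
            yield path.parent.parent.name, json.load(fh)


def inventory(extensions: Iterable[Tuple[str, dict]]) -> List[dict]:
    """Build one inventory record per extension, highest risk first."""
    records = []
    for ext_id, manifest in extensions:
        score, flagged = score_extension(manifest)
        records.append({"id": ext_id, "name": manifest.get("name", "?"),
                        "version": manifest.get("version", "?"),
                        "score": score, "flagged": flagged})
    return sorted(records, key=lambda r: r["score"], reverse=True)


def build_block_policy(records: List[dict], threshold: int) -> dict:
    """Chrome 'ExtensionSettings' policy blocking every record at or above threshold."""
    return {"ExtensionSettings": {r["id"]: {"installation_mode": "blocked"}
                                  for r in records if r["score"] >= threshold}}


# Constructed sample manifests (fake IDs and names) standing in for a profile walk.
NOTES_ID = "abcdefghijklmnopabcdefghijklmnop"
COUPON_ID = "bcdefghijklmnopabcdefghijklmnopa"
SHOT_ID = "cdefghijklmnopabcdefghijklmnopab"
SAMPLE_EXTENSIONS = [
    (NOTES_ID, {"manifest_version": 3, "name": "Plain Notes (constructed)",
                "version": "1.0.3", "permissions": ["storage"],
                "content_scripts": [{"matches": ["https://notes.example/*"],
                                     "js": ["notes.js"]}]}),
    (COUPON_ID, {"manifest_version": 3, "name": "Coupon Finder (constructed)",
                 "version": "2.1.0",
                 "permissions": ["cookies", "webRequest", "tabs", "storage"],
                 "host_permissions": ["<all_urls>"]}),
    (SHOT_ID, {"manifest_version": 2, "name": "Screenshot Helper (constructed)",
               "version": "0.9", "permissions": ["*://*/*", "clipboardRead"]}),
]

if __name__ == "__main__":
    records = inventory(SAMPLE_EXTENSIONS)
    for rec in records:
        print(f"{rec['score']:2d}  {rec['id']}  {rec['name']} {rec['version']}  {rec['flagged']}")
    print(json.dumps(build_block_policy(records, threshold=5), indent=2))
```

Against a real endpoint, `inventory(load_profile_extensions(path))` walks the profile (for example `~/.config/google-chrome/Default` on Linux); the resulting policy JSON is what you would push through Chrome’s managed-policy channel for the platform (registry on Windows, a plist on macOS, a file under /etc/opt/chrome/policies/managed on Linux). The scoring is deliberately coarse: it flags breadth of access, not intent, so a high score is a prompt for review and an allowlist decision, not proof of malice.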
Next Steps
📘 Download our white paper: “Browser Detection & Response (BDR)”
💬 Book a discovery session to explore how SquareX helps secure browser activity in real time, even on unmanaged endpoints.
Learn More: Real-World Threats in the Browser
Browser security risks are no longer theoretical. SquareX has uncovered dozens of attacks, including:
- Cyberhaven’s OAuth Identity Attack: details a widespread campaign targeting Chrome extension developers and how it happened.
- Browser-Native Ransomware: a novel class of ransomware that executes entirely in the browser, without involving any local files or processes, bypassing traditional anti-ransomware solutions.
- Polymorphic Browser Extensions: malicious add-ons that can disable and impersonate installed legitimate extensions such as password managers and crypto wallets and evade static analysis tools, making them ideal for persistent, stealthy access.
These aren’t edge cases; they’re active examples of how attackers are exploiting browser-layer weaknesses today.
The Security Gap JPMorgan Chase’s CISO Didn’t Mention — And Why It’s in Your Browser was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2025/05/the-security-gap-jpmorgan-chases-ciso-didnt-mention-and-why-its-in-your-browser/