Feroot vs c/side

Monday, September 2nd, 2024

Updated January 16th, 2025

Carlo D'Agnolo

This article takes an honest look at the features of Feroot.

Since you’re on the c/side website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.

If you want to verify their claims yourself, please navigate to their product page.

| Feature | c/side | Feroot |
| --- | --- | --- |
| Doesn't solely rely on CSP policies | ✔️ | ✔️ |
| Doesn't cause console errors | ✔️ | |
| Client side JS script detection | ✔️ | ✔️ |
| Uses threat feed intel | ✔️ | ✔️ |
| Monitors Who-is records | ✔️ | |
| Monitors SSL | ✔️ | |
| Able to detect inline scripts | ✔️ | ✔️ |
| Uses AI and ML to analyse scripts | ✔️ | ✔️ |
| Creates allow lists for scripts | ✔️ | ✔️ |
| Block scripts before entering the user's browser | ✔️ | |
| Proxies scripts | ✔️ | |
| Stores script content for future review | ✔️ | ✔️ |
| Tracks historical changes in scripts | ✔️ | ✔️ |
| Performance enhances scripts | ✔️ | |
| Paid tier starts at | $99 per month | Unknown |

What Feroot does well

Similar to c/side, Feroot was specifically founded to create a client-side security solution. This goes to show the urgent need for innovation in this space, which we can only support.

And they’ve delivered by not relying solely on known, but less effective, approaches like Content Security Policy and threat feeds, instead opting for a JavaScript-based and crawler approach. This layering is key to building a successful client-side security solution.

Their product pages are well laid out and have a lot of detailed information. They show clearly both how their mechanisms are set up and how they continue to innovate on their product.

Additionally, they have a broad range of integrations, which should make adopting Feroot and their alerts as easy as possible.

What Feroot could do better

Feroot’s offering appears to be split into two products: “PageGuard” and “Inspector”.

Their PageGuard page reads:

“PageGuard deploys security permissions and policies to JavaScript-based web applications to continuously protect them from malicious client-side activities, malware, and third-party scripts.”

And:

“PageGuard overwrites certain main and core JavaScript code to protect your web application from client-side cyber threats.”

It’s clear they largely follow the same approach as most of our competitors. They use permissions and a form of an allow-list where you pre-approve which scripts are allowed to run on which pages. This requires a new JavaScript file for every update, which could create performance bottlenecks and overhead for deployment.

Most importantly, it does not protect against 0-day attacks.

PageGuard detects and blocks scripts that are dynamically added to a webpage after the initial page load, hence no real-time blocking. They do go a step further than most, though, and that should receive credit. “PageGuard” in general keeps track of all JavaScript events on pages and also of the date and time when a script is being loaded in the browser, similar to c/side.

Their “Inspector” deploys synthetic users disguised as honeypot customers to simulate real user behavior. Inspector’s synthetic users are able to complete real user tasks and are able to identify malicious scripts and unauthorized actions on JavaScript web assets.

This is effectively a crawler that performs (likely periodic) checks on pages. A crawler can somewhat easily be avoided since JavaScript is dynamic: based on various parameters, different versions of a script can be served. The versatility of the crawler will eventually be what matters. This, too, does not protect against 0-day attacks.

Pricing does not seem to be public at this time, though we have heard their pricing starts at $5,000 per year. Find our pricing here.

Our conclusion

Feroot offers more than most competitors, though we believe our proxy approach provides the best possibility of stopping 0-day attacks. It allows us to spot and analyze scripts in real time, and block the malicious ones before they reach the browser of the user.

It should be noted that Feroot does cover everything that’s needed for PCI DSS 6.4.3 and 11.6.1 requirements. It’s up to you to decide if the level of protection lives up to your expectations.

We’ve laid out our thoughts on Feroot and how we compare. We’d love to chat if you have any questions or concerns.

More About Carlo D'Agnolo

I'm the Head of Marketing at c/side.