Pedro Fortuna, co-founder and CTO of Jscrambler, discusses the company’s approach to digital transformation and how its obfuscation tool is faring against generative AI.
Pedro Fortuna is chief technology officer (CTO) and co-founder of Jscrambler, an IT services company known for developing a JavaScript obfuscator, a tool that changes code in order to make it more difficult to understand, thus making it more difficult to reverse-engineer.
Fortuna has more than 15 years of experience in the web application security industry. In his current role at Jscrambler, he leads the company’s product innovation strategy, research and engineering teams.
With a background in computer engineering, an MSc in computer networks and services, and a stint teaching security and computer science courses, Fortuna says he initially envisioned a career in teaching.
“However, the allure of entrepreneurship led me to co-found Jscrambler.”
As well as his role at Jscrambler, he regularly speaks at international security conferences and is the co-founder of OWASP (Open Worldwide Application Security Project) Lisbon. He has authored several patents in application security.
What are some of the biggest challenges you’re facing in the current IT landscape and how are you addressing them?
The macroeconomic climate is one of the biggest challenges right now. Studies have found that economic instability often breeds a surge in cybercriminal activities. And not only is there an increased level of cyberthreat, but organisations are also likely to have less budget for security as they tighten their belts.
I think we’re also seeing the knock-on effect of the Covid-19 pandemic even after a few years. The cybercriminal community quickly seized new opportunities to exploit the pivot to remote working and increased reliance on the cloud. Many businesses still have to adapt to this new status quo.
What are your thoughts on digital transformation in a broad sense within your industry?
Digital transformation brings many security challenges and not every company is aware of what it takes to protect their developing infrastructure. The bigger the company is, the more difficult it is to manage transformation projects securely. Embracing security standards like ISO 27001 or SOC 2 can help, because they give you an industry-vetted way of protecting yourself against new security risks. Right now, we are wrapping up a PCI DSS [Payment Card Industry Data Security Standard] v4 compliance program. We’ll continue down that path and look into other standards that make sense for us.
Sustainability has become a key objective for businesses in recent years. What are your thoughts on how this can be addressed from an IT perspective?
The amount of data that the world generates on a daily basis is crazy. And the more data we decide to store, the more energy we need to spend in storing and processing that data. The more data you have, the more you need to keep secure, so it also presents a security problem. So, generically, I believe the first step towards sustainability is figuring out what we really need to store, and for how long, and make sure that we scrap what we don’t need. Adopting well-oiled cloud services is step number two.
What big tech trends do you believe are changing the world and your industry specifically?
It’s impossible to ignore the influence of LLM [large language model] AI tools like ChatGPT right now. As well as looking at the opportunities, it’s important to remember threat actors can also take advantage of these tools. For example, ChatGPT-4 has proven to be very good at assisting with coding, which means it could also be potentially misused to assist with cyberattacks.
We have, for example, run some tests to see if ChatGPT-4 could potentially undo the code obfuscation we put in place to protect JavaScript. We’ve completely defeated the AI tool so far, and it was totally unable to see through our obfuscation. We’ll be keeping a close eye on the technology as it continues to develop.
More specific to our field, we’re very invested in the forthcoming v4 update to PCI DSS, which was introduced last year and will come into effect in March 2024. The standard is mandatory for all merchants and payment service providers that process or store card payment data, so it’s extremely influential on the state of security in e-commerce. Among other things, the new version introduces some important new requirements around checking and securing third-party JavaScript, so it’s an important area for us.
What are your thoughts on how we can address the security challenges currently facing your industry?
Client-side security is one of the most important security challenges in our field. Most modern websites have a convoluted collection of third-party code, which is hard to manage and greatly expands the attack surface. Getting proper client-side visibility has always been hard, exposing sensitive data like payment information and other PII [personally identifiable information].
In fact, it’s the core challenge Jscrambler was founded to help solve, and it’s still a leading issue today. Exploiting third-party assets is central to web-skimming attacks, one of the most common threats targeting e-commerce sites. Our platform provides multiple layers of defence against client-side threats, including code obfuscation, threat monitoring and controlling third-party scripts. Considering the number of e-commerce vendors we’ve seen being stung by web skimming this year, there’s plenty more work to do in this field yet.