The Security Gap JPMorgan Chase’s CISO Didn’t Mention — And Why It’s in Your Browser
When the CISO of JPMorgan Chase issues a public letter to all technology vendors, the industry pays attention, and rightfully so. In his open letter, Rohan Amin lays out a firm, urgent call: prioritize secure-by-design practices, patch faster, and take full accountability for your software supply chain. And last week, during the RSAC Conference, there was definitely buzz on the ground about the letter.
To me, it was a public signal that large enterprises should no longer tolerate avoidable vulnerabilities — and that too many of them are introduced through third-party vendors. Regulatory pressure, market expectations, and operational resilience all demand better.
But while the letter hit on several vital dimensions of software security, I couldn’t help but notice that it overlooked one of the fastest-growing attack surfaces in the modern enterprise: the browser.

Browsers: The New Frontline of Enterprise Work and Risk
Today, nearly every business-critical task — from accessing internal tools to using SaaS apps and collaborating with contractors — happens inside a browser. Google Workspace, Microsoft 365, Salesforce, Workday, Adobe, GitHub…the list goes on.
Yet despite this shift, most enterprises:
- Don’t inventory browser extensions
- Don’t have visibility into SaaS use from the browser (shadow SaaS)
- Don’t monitor user behavior in the browser on unmanaged or lightly managed endpoints
And more importantly, most enterprises don't think of the browser as a third-party application at all, at least not the way they do with other SaaS applications. Furthermore, the spread of Chromium-based browsers such as Vivaldi and Arc (proprietary products built on the open-source Chromium code base) adds to an enterprise's supply chain risk: each one layers its own code and update channel on top of Chromium and ships Chromium security fixes on its own release cadence rather than Google's.
This creates a massive blind spot. The browser is no longer just a window into the internet — it’s the main gateway through which employees access third-party apps daily. And that makes it an extension of your software supply chain.
What JPMorgan’s CISO Got Right — and What Was Missed
Rohan Amin’s letter makes important demands:
- Accelerate patch cycles
- Eliminate default credentials and outdated libraries
- Design for security up front
- Be transparent about vulnerabilities and remediation timelines
- Take third-party software risk seriously
These are all essential — and most security teams would agree. But the browser sits unmentioned and is often forgotten in third-party risk assessments. And that’s a mistake.
Why?
Because browsers are:
- Full-fledged application platforms — running extensions, scripts, and even unauthorized SaaS tools
- Privileged interfaces — used to authenticate, store cookies/tokens, and transfer sensitive data across enterprise SaaS applications
- Entry points for phishing, session hijacking, and insider risk
- Totally unmanaged in many BYOD and contractor scenarios
Gartner agrees. In the recent report, Innovation Insight: Secure Enterprise Browsers, Gartner notes, “Established hybrid work patterns, increased use of lightly managed and unmanaged end user devices and BYOPC in the modern workplace, and increased SaaS adoption have led to more work being done through web browsers.”
Why is this a problem? According to Gartner, that’s because “[threat] actors frequently target employees with phishing attacks to steal credentials and bypass endpoint detection and response controls, necessitating an additional layer of visibility and control within the web browser.”
This is only complicated further with the fact that most “organizations already have two or more browsers (Google Chrome, Microsoft Edge, Apple Safari) and are not fully managing these today. IT’s desire to add another browser due to increased management overhead is low” (Gartner, Innovation Insight: Secure Enterprise Browsers, April 2025).
In other words, everything the CISO’s letter warns about is already playing out inside the browser.
Browsers Are Not in Your Third-Party Risk Program — Yet They Should Be
Let’s ask a simple question: When was the last time your security or risk team reviewed the browser extensions used across your workforce?
Or:
- Audited user behavior of contractors in browsers on personal devices?
- Inspected shadow SaaS usage from browser sessions?
- Monitored web app file uploads to unapproved destinations?
Chances are, these aren’t included in your vendor risk assessment, SBOM processes, or internal GRC controls. That’s a problem.
Because browsers:
- Load third-party code (via extensions or scripts) that can exfiltrate data
- Enable shadow SaaS use and extensions that bypass managed app policies
- Offer fertile ground for credential theft and lateral movement
The browser itself is a software platform. Like any software, it should be controlled, monitored, and included in risk modeling.
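One way to start answering the questions above (shadow SaaS from browser sessions, uploads to unapproved destinations) before buying a new tool is to run the egress proxy logs you already have against a sanctioned-SaaS list. The following is an added example, not code from the article or any vendor; the log format and the sanctioned list are constructed for the demo.

```python
"""Detect shadow SaaS and bulk uploads to unsanctioned destinations from
egress proxy logs. Added example; the log format is constructed and the
sanctioned-domain list is an assumption for the demo."""
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Domains the business has approved (assumption for this example). Note that
# Microsoft 365 sign-in goes through microsoftonline.com, not microsoft.com;
# leaving it out would flag every M365 login as shadow SaaS.
SANCTIONED = {"google.com", "microsoft.com", "microsoftonline.com",
              "github.com", "salesforce.com", "workday.com"}
UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_BYTES = 512 * 1024  # request bodies above this count as a bulk upload

# Constructed sample lines: ts user src_ip method url status client_bytes
SAMPLE_LOG = """\
2025-05-06T09:12:01Z alice 10.1.2.3 GET https://mail.google.com/mail/u/0/ 200 412
2025-05-06T09:13:44Z alice 10.1.2.3 POST https://api.github.com/repos/acme/app/issues 201 1884
2025-05-06T09:15:02Z bob 10.1.2.9 POST https://transfer.example-share.net/upload 200 48500000
2025-05-06T09:16:10Z bob 10.1.2.9 GET https://app.notion.so/ 200 3300
2025-05-06T09:17:30Z carol 10.1.2.15 PUT https://files.dropbox.com/upload 200 920000
2025-05-06T09:18:05Z carol 10.1.2.15 GET https://login.microsoftonline.com/ 200 2200
"""


def registrable(host: str) -> str:
    """Approximate eTLD+1 as the last two labels. Fine for the demo; production
    code should consult a public-suffix list so that e.g. example.co.uk works."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format line; return None for malformed input
    instead of crashing the whole job on a bad record."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, src, method, url, status, nbytes = parts
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": ts, "user": user, "src": src, "method": method.upper(),
            "host": host, "domain": registrable(host),
            "status": int(status), "bytes": int(nbytes)}


def is_sanctioned(domain: str) -> bool:
    return domain in SANCTIONED


def analyse(log_text: str) -> dict:
    """Return unsanctioned domains (with the users seen there) and any large
    POST/PUT bodies sent to those domains."""
    shadow = defaultdict(set)   # unsanctioned domain -> users seen there
    uploads = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["domain"] or is_sanctioned(rec["domain"]):
            continue
        shadow[rec["domain"]].add(rec["user"])
        if rec["method"] in UPLOAD_METHODS and rec["bytes"] >= UPLOAD_BYTES:
            uploads.append({"ts": rec["ts"], "user": rec["user"],
                            "domain": rec["domain"], "bytes": rec["bytes"]})
    return {"shadow_saas": {d: sorted(u) for d, u in shadow.items()},
            "uploads": uploads}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for domain, users in result["shadow_saas"].items():
        print(f"shadow SaaS: {domain:25s} users={','.join(users)}")
    for up in result["uploads"]:
        print(f"bulk upload: {up['user']} -> {up['domain']} ({up['bytes']} bytes) at {up['ts']}")
```

The upload check only catches destinations the proxy can see; uploads inside an already-sanctioned app (a personal Google Drive reached through google.com, say) need in-browser visibility of the identity in use, which is exactly the gap the proxy cannot close.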
How Browser Security (Browser Detection and Response and Secure Enterprise Browsers) Closes This Risk Gap
This is where solutions like Browser Detection and Response (BDR) and Secure Enterprise Browsers (SEBs) come into play. They bring enterprise-grade visibility and control to a layer that’s been ignored for too long. Key capabilities should include:
✅ Extension control and risk profiling — Know what’s installed and block risky plugins
✅ Identity & access management — Prevent unsanctioned SaaS logins
✅ Secure access to internal apps — Ensure that users only access the apps they need, even on BYOD or unmanaged devices
✅ Browser-based DLP — Stop data exfiltration and insider threats by blocking uploads or copy/paste
✅ Shadow SaaS visibility — Detect usage of unauthorized apps, even on BYOD
✅ Phishing and session protection — Block advanced phishing attacks, credential harvesting and lateral movement
✅ Detailed session audit trails — Support threat hunting, incident investigations, and compliance mandates
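The first capability on that list, and the first gap called out earlier (no inventory of browser extensions), can be approached today with the data Chrome and Edge already keep on disk. The following is an added example, not code from the article or from any product it mentions: it reads a profile's Preferences JSON, scores each extension's manifest permissions, and emits an ExtensionSettings policy body blocking the risky ones. The extension IDs, names and risk weights are constructed for the demo; the ExtensionSettings keys and the state/from_webstore fields are the real Chromium ones.

```python
"""Inventory Chrome/Edge extensions from a profile's Preferences files, score
their permissions, and build an ExtensionSettings policy that removes the
risky ones. Added example; sample data and risk weights are constructed."""
import json
from pathlib import Path

# Permissions a reviewer should treat as high-risk. The weights are this
# example's own judgement, not a published standard.
RISK_WEIGHTS = {
    "<all_urls>": 5, "*://*/*": 5, "http://*/*": 4, "https://*/*": 4,
    "cookies": 4, "webRequest": 3, "webRequestBlocking": 3,
    "debugger": 5, "nativeMessaging": 4, "scripting": 3, "proxy": 4,
    "tabs": 2, "history": 2, "clipboardRead": 3, "downloads": 2,
    "declarativeNetRequest": 2, "management": 3,
}
BLOCK_THRESHOLD = 6

# Constructed sample in the shape of Chrome's extensions.settings; the IDs
# are placeholders, not real extensions.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "state": 1, "from_webstore": True,
        "manifest": {"name": "Tab Tidy", "version": "1.0", "manifest_version": 3,
                     "permissions": ["tabs", "storage"], "host_permissions": []}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "state": 1, "from_webstore": True,
        "manifest": {"name": "Coupon Helper", "version": "4.2", "manifest_version": 2,
                     "permissions": ["cookies", "webRequest", "webRequestBlocking", "<all_urls>"]}},
    "cccccccccccccccccccccccccccccccc": {
        "state": 0, "from_webstore": False,
        "manifest": {"name": "Dev Sideload", "version": "0.1", "manifest_version": 3,
                     "permissions": ["nativeMessaging", "scripting"],
                     "host_permissions": ["*://*/*"]}},
}}}


def load_profile(profile_dir: Path) -> dict:
    """Read a live profile. Desktop Chrome keeps extension settings in
    'Secure Preferences'; Chromium builds use 'Preferences'. Merge both."""
    merged = {"extensions": {"settings": {}}}
    for name in ("Preferences", "Secure Preferences"):
        p = profile_dir / name
        if p.exists():
            data = json.loads(p.read_text(encoding="utf-8"))
            merged["extensions"]["settings"].update(
                data.get("extensions", {}).get("settings", {}))
    return merged


def inventory(prefs: dict) -> list:
    """One record per extension, highest risk first."""
    records = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        # MV2 lists host patterns under "permissions"; MV3 splits them into
        # "host_permissions". Merge both so scoring sees every grant.
        perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        records.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "enabled": entry.get("state") == 1,   # 1 == ENABLED in Chromium's Extension::State
            "from_webstore": bool(entry.get("from_webstore", False)),
            "permissions": perms,
            "risk": sum(RISK_WEIGHTS.get(p, 0) for p in perms),
        })
    return sorted(records, key=lambda r: r["risk"], reverse=True)


def block_policy(records: list, threshold: int = BLOCK_THRESHOLD) -> dict:
    """Build the ExtensionSettings policy body (Chrome and Edge share it).
    Over-threshold or sideloaded extensions get installation_mode "removed"
    (blocked for new installs, uninstalled where present); everything else
    stays allowed but cannot hold the most dangerous permissions."""
    policy = {"*": {"installation_mode": "allowed",
                    "blocked_permissions": ["debugger", "nativeMessaging", "proxy"]}}
    for r in records:
        if r["risk"] >= threshold or not r["from_webstore"]:
            policy[r["id"]] = {
                "installation_mode": "removed",
                "blocked_install_message": f"{r['name']} removed by policy (risk score {r['risk']})",
            }
    return policy


if __name__ == "__main__":
    recs = inventory(SAMPLE_PREFS)
    for r in recs:
        print(f"{r['risk']:3d} {'on ' if r['enabled'] else 'off'} {r['name']:15s} {r['id']}  {r['permissions']}")
    # Drop this into /etc/opt/chrome/policies/managed/extensions.json (Linux)
    # or the equivalent registry/plist location on Windows and macOS.
    print(json.dumps({"ExtensionSettings": block_policy(recs)}, indent=2))
```

Point `inventory(load_profile(Path("~/.config/google-chrome/Default").expanduser()))` at a real profile to run it against a live machine; collecting that output across a fleet is the inventory the article says most enterprises lack.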
Fulfilling Your CISO Mandate — Without Blind Spots
CISOs everywhere are feeling the pressure. Regulations like NIS2, DORA, and the SEC’s new cyber disclosure rules demand more transparency, more board-level accountability, and faster detection and response capabilities.
Security leaders must go beyond infrastructure and cloud tooling — and take control of the layers where users and data intersect every day.
That means:
- Including browsers and extensions in software asset inventories
- Auditing SaaS usage, including shadow SaaS
- Controlling what happens in unmanaged browser sessions on BYOD and contractor devices
- Using BDR or secure browser technologies to provide an enforceable policy perimeter
Secure the Layer Everyone Uses — But No One Is Watching
The JPMorgan CISO’s letter set a high bar. But if organizations respond only by tightening cloud APIs or endpoint agents, they’ll still be missing the most active, high-risk execution environment in their enterprise: the browser.
If you’re not monitoring and securing browser behavior, you’re flying blind — while attackers increasingly target that very space.
Let’s fix that.