One of the most effective ways to reduce exposure is by using a risk-scoring model. The Peritus model, adapted from OWASP and Duo Security best practices, evaluates extensions across key factors such as publisher reputation, permissions requested, update history, and supply chain safeguards.
The outcome: a simple score that determines whether an extension is low, medium, or high risk — and whether it should be allowed, reviewed, or blocked.
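As an added illustration of such a tiered scoring model (example code written for this summary, not the Peritus model, whose actual weights and thresholds the summary does not give), the snippet below scores constructed extension records across the four factors named above and maps the score to allow, review or block. The permission groupings, weights and thresholds are assumptions.

```python
from dataclasses import dataclass

# Chrome/Chromium extension permissions that expose credentials, cookies, traffic or page content.
HIGH_RISK = {"<all_urls>", "cookies", "webRequest", "webRequestBlocking", "debugger",
             "nativeMessaging", "history", "clipboardRead", "proxy"}
MEDIUM_RISK = {"tabs", "scripting", "storage", "downloads", "bookmarks", "identity"}

@dataclass
class Extension:
    name: str
    permissions: list        # "permissions" from manifest.json
    host_permissions: list   # "host_permissions" (MV3) / host match patterns
    publisher_verified: bool # publisher reputation: store badge or known vendor
    days_since_update: int   # update history: stale extensions are a common takeover target
    public_source: bool      # supply chain safeguard: reviewable source or signed release

def score_extension(ext):
    """Return (score, tier, action, reasons). Weights and thresholds are assumed for illustration."""
    score, reasons = 0, []
    requested = set(ext.permissions) | set(ext.host_permissions)
    if any(h in ("<all_urls>", "*://*/*") for h in ext.host_permissions):
        requested.add("<all_urls>")  # a wildcard host pattern is treated as <all_urls>
    high = sorted(requested & HIGH_RISK)
    medium = sorted(requested & MEDIUM_RISK)
    if high:
        score += min(30 * len(high), 60)
        reasons.append("high-risk permissions: " + ", ".join(high))
    if medium:
        score += min(10 * len(medium), 20)
        reasons.append("medium-risk permissions: " + ", ".join(medium))
    if not ext.publisher_verified:
        score += 20
        reasons.append("publisher not verified")
    if ext.days_since_update > 730:
        score += 25
        reasons.append("no update in over two years")
    elif ext.days_since_update > 365:
        score += 15
        reasons.append("no update in over a year")
    if not ext.public_source:
        score += 15
        reasons.append("no reviewable source or signed release")
    if score >= 60:
        return score, "high", "block", reasons
    if score >= 30:
        return score, "medium", "review", reasons
    return score, "low", "allow", reasons

# Constructed sample inventory entries (not real extensions).
SAMPLES = [
    Extension("Notes Sidebar", ["storage"], [], True, 30, True),
    Extension("Coupon Finder", ["cookies", "webRequest", "tabs"], ["<all_urls>"], False, 500, False),
    Extension("Intranet Helper", ["tabs", "scripting"], ["*://*.example.com/*"], True, 400, False),
]

if __name__ == "__main__":
    for ext in SAMPLES:
        score, tier, action, reasons = score_extension(ext)
        print(f"{ext.name}: {score} ({tier}) -> {action}; " + "; ".join(reasons))
```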
The report also outlines two practical defence strategies:
Together, these strategies move organisations from passive trust to layered defence.
Browser extensions may look trivial, but the risk is anything but. They touch credentials, cookies, SaaS, and core workflows — making them a direct board-level issue.
CISOs who can demonstrate proactive governance around extensions show regulators, executives, and customers that they are managing business risk — not just technical risk.
This blog is a summary of our Browser Extension Security Report, the first in a new Peritus Insight Report Series.
👉 Download the full report here
Inside, you’ll find:
Prepared by Viktor Spetnijs, Lead Cybersecurity Specialist, Peritus Cloud Security