Website security and the overlooked risk in the third-party supply chain


Today’s Source Defense columnist Hadar Blutrich writes that third-party JavaScript is often overlooked in discussions of large-scale supply chain attacks like SolarWinds. (“SolarWinds Letters” from sfoskett is licensed under CC BY-NC-SA 2.0))

Supply chain security has become a major issue in our industry based on the impact of high profile breaches such as: Kaseya and Solar Winds. When SolarWinds was hacked in 2020, the problem of third-party risk became apparent as it impacted large government agencies and countless private sector companies like Microsoft and Cisco. Kaseya added fuel to that fire, with the FBI describing the Kaseya attack as a supply chain ransomware attack that exploited a vulnerability in the Kaseya VSA software against several MSPs and their customers.

Even before these incidents, the InfoSec community has been closely examining and focusing on the risks introduced by third-party software. Is the cooperation with the partners in the supply chain secure? How can companies protect their business processes, trade secrets and the customer data they manage from potential security threats in the supply chain?

There is one element of third-party supply chain risk that is often overlooked, and it is one that has a more immediate and clearly quantifiable impact on a potentially impacted organization’s bottom line. We talk about the dynamics of website security and the risk of third-party JavaScript playing a role in everything from credit card theft to widespread fraud and potentially massive fines.

Client-Side Attacks: Risk to third-party digital supply chains

The vast majority of websites operating worldwide have vulnerable supply chains. Businesses likely have a dozen or more third-party vendors helping them improve their website experience. These partners load client-side JavaScript, which is often used as an attack vector.

When these partners load JavaScript on the client side, they introduce security issues that are outside of any server-side protections that security teams have put in place. Because the main focus of website security (up to this point) has been on the server side, the client side has become a vulnerable area in supply chains – widely unaddressed and all too often overlooked.

Already this year, there have been numerous headlines about large-scale client-side attacks – thousands of websites have been recently affected and millions of consumers have been compromised. Segway is one example: its e-commerce store was infiltrated by a Magecart attacker who stole credit card details and customer information. So how does this keep happening to big companies who would surely have top-notch security measures in place?

The Answer: Most organizations don’t understand the scope and importance of the risk they face.

Understand client-side attacks

JavaScript enables most of the functionality that organizations rely on and that their users take for granted on a company’s website, such as interactive behavior, filling out web forms, and completing credit card transactions.

At the same time, JavaScript has become attractive to attackers because it passes data between users—particularly personal and financial data. This opens up a huge risk of a breach and the resulting cleanup response costs. It also opens up the risk of significant follow-up costs in the form of fines and judgments. As privacy laws become more enforceable, businesses could be held liable if consumer data is stolen due to vulnerable JavaScript on their website.

In these cases, the logic is loaded and executed on the client side (in the browser), on top of protecting server-side security. Third-party scripts have the same level of control as the site owner’s own internal script. Every script on the page, regardless of its origin, has access and authoring capabilities, which means they can modify the web page, access any information on it, and even record and save keystrokes.

All a threat actor needs to do is hack a third party and modify the source code. This code is downloaded dynamically from a remote server, which means it bypasses traditional server-side security infrastructure, including the website owner’s firewalls and WAFs.

The damage that third-party JavaScript attacks can cause in supply chains

The threat of JavaScript-based attacks exists for all organizations that collect sensitive data or conduct transactions through their web properties. These attacks include:

  • clickjacking;
  • digital skimming;
  • formjacking;
  • disfigurement;
  • magic card;
  • Collection of Credentials.

These client-side attacks have harmed some of the biggest brands in the world. In 2020, British Airways was ordered by the ICO to pay $26 million over a data breach that affected more than 400,000 customers. The stolen data included: credentials; payment card details; travel booking details; as well as name and address data.

The security of the software supply chain has become a top concern for companies of all sizes and industries. And this needs to go beyond what companies are currently focusing on to include prioritizing the digital supply chain on their website. Organizations cannot afford to ignore customer cybersecurity concerns if they want to avoid compliance issues and major security breaches that could negatively impact their reputation.

Hadar Blutrich, CTO, source defense

Source link
#Website #security #overlooked #risk #thirdparty #supply #chain

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.