- Chat and sales facilitation tools
- Analytics, heatmaps & metrics
- Social media linkage
Firewall, WAF, secure connection and many other solutions are focused on securing internal servers and the communication between the browser and these internal servers. As defined above, 3rd party scripts are executed on the user’s browser but are called from a remote serve. This client-side connection operates completely outside of the security capabilities an organization deploys to secure the server side of the browser session.
Source Defense’s Vice was built to be “transparent” to your third parties, we require no special cooperation or integration to operate seamlessly with them.
Malvertising (a term used to describe “malicious advertising”) is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.
Magecart is a hacking group that has been active for several years, they are most known for one of the biggest credit card theft ever to be discovered affecting at least 800 websites and operating undetected for over 3 years. Security analysts claim that this group strategically targeted 3rd parties to efficiently scale the scope of the attack and impact as many sites as possible.
DAST is Dynamic Application Security Testing, it is usually active on pre-production environments and does not cover live sites. The few who run DAST on a live site will simulate a few user profiles but cannot possibly scale this solution to monitor and detect all web sessions. As third parties change their behavior from user to user, DAST is largely ineffective in detecting attacks on large production networks and completely ineffective at preventing these types of attacks. Detection methodologies do not help organizations fulfill compliance guidelines requiring customer data privacy.
RASP is Runtime Application Self-Protection, it exists only on the Java virtual machine and .NET Common Language Runtime. Since it will not run on the actual live site, 3rd parties are outside of its detection scope. Again, RASP is not intended as a prevention solution. Detection methodologies do not help organizations fulfill compliance guidelines requiring customer data privacy.
Monitoring and detection tools will simulate a limited number of user profiles but not all of them. As third parties may change their behavior from user to user, this is not an effective or reliable means to detecting these attacks. Even on occasions where a hack is detected, organizations still need to react to the hack. This requires initiating incident response, removing important tools from your site and replacing them, notifying your users, compliance reporting and damage your brand.
The 3rd party code on your page is only a reference, it will always initiate a call to a 3rd party server. These calls result in additional code downloaded to the browser of each user. Even if you evaluate all the code provided by third party in pre-production deployment, the code might be changed after evaluation. The website owner can be diligent and still be very easily victimized by this universal vulnerability.
In an idle world you could, however, if you wish to stay competitive, you will need 3rd parties integrated on your webpages as they enrich the experience and provide useful analytics and monetization.
SITE PERFORMANCE AND BEHAVIOR
INTEGRATION, CONFIGURATION, & MANAGEMENT
Integration is very simple. It requires the simple copy/paste of two lines of JS to your site’s head section.
Our experts and machine learning can be leveraged to configure the system for you. Should custom configuration be required the administration console provides these tools.
The system is designed to be low touch. The only time you will need to manage it, is when you integrate a new third party to your site.
You will be notified by the administration console of new third-parties identified as being added to your website. Additional alerts are FYI-only and designed to keep the administrator informed of unexpected behaviors. Since the Source Defense solution operates in prevention mode, no action is required from the administrator to address these event notifications. A dashboard can be consulted as needed to keep the administrator informed of how the system is working on your website.
Yes, the system is built for scale, running of a strong CDN with several redundancies.
Any information that exists on your pages is accessible to a hacker via this attack vector. In addition, there are documented cases when the hacker added fields to forms on websites to get additional information from users.
As proven by the Magecart attack that affected over 800 websites for 3 years, this vector is very hard to detect.
You will need to trigger your incident response teams, engage in cyber analysis to understand the scope of the breach. Then contact your users and start dealing with the aftermath. If you are obligated to GDPR or PCI compliance, you should follow these protocols.