Why 3rd party JavaScript is dangerous

JavaScript is nearly universally used in dynamic web pages to provide extended functionalities that enhance user experience or provide website analytics. JavaScript interacts with the page’s Document Object Model (DOM) and provides 3rd party JavaScript vendors with the same level of website administration privileges as those granted to the website owner. Compromised 3rd party JavaScript code may be used by threat actors to modify, read or extract any information entered or rendered on the webpage. This includes personal and financial data. In addition to introducing elevated website security risk, 3rd party JavaScript introduces significant compliance and data privacy concerns since 3rd party JavaScript is hosted outside of the security controls website owners are able to monitor and control.

Here’s what you can do …

Luckily, there are steps that can be taken to mitigate or even eliminate the risks of 3rd party JavaScript. Below is an overview of the practical considerations website owners can leverage to protect their companies from the security and privacy risks introduced through 3rd party JavaScript code.

Prevention is the best option

The best thing security pros can do to prevent an attack is to implement technology that controls the access and permissions of every 3rd party JavaScript vendor running on web pages. This insulates websites, their visitors and private customer data from the inappropriate or unwanted behaviors of 3rd parties and the more malicious activities of hackers that seek to exploit them.

Prevention approaches for addressing client-side connections not only secure the organization but are required for adequate data control defined by regulatory compliance (e.g. GDPR and California’s newly passed Digital Privacy Law). Without the ability to control private customer data and prevent unauthorized access by 3rd party website vendors or hackers, an organization is in a state of non-compliance.

Content Security Policy (CSP)

CSP enables administrators to specify the domains that the browser should consider to be valid sources of data, meaning only data from these whitelisted domains can be loaded into the page. This ensures that only JavaScript received from whitelisted domains will be executed. While this methodology can contribute to website security effectiveness, it will not mitigate a breach coming through a whitelisted domain (or vendor). CSP also introduces new challenges for R&D teams, as CSP requires substantial configuration and ongoing maintenance. CSP can cause 3rd party tools to stop working when 3rd party JavaScript updates are not accommodated in the CSP.

Sub-Resource Integrity (SRI)

SRI attaches a cryptographic hash to a JavaScript include, allowing browsers to verify that the files they fetch are delivered without unexpected manipulation. This provides a path to ensure malicious JavaScript won’t be loaded from compromised 3rd parties. However, SRI is notably complex to apply to dynamic JavaScript code. The majority of 3rd party JavaScript vendors continuously improve their services, which results in frequent changes to their JavaScript. Adapting SRI to match this dynamic nature can be burdensome and can result in problematic false positives which detract from website effectiveness. In addition, there are many services with dynamic JavaScript that changes per user. In these cases SRI is not effective.

Application Monitoring

Monitoring is a detection-based approach, and therefore a less secure, reactive methodology. The major inadequacy of detection approaches is that they are incapable of preventing attacks. These include technologies like DAST and RASP. Even with a multitude of global sensors, detection schemes often miss highly targeted and hyper-segmented attacks altogether. Additionally, a detection event signals leakage of customer data and constitutes a compliance violation that requires disclosure. The resulting fines, PR crises, remediation and operational fire drills are often significant. Fundamentally, these approaches are not scalable, and the persistence of the underlying vulnerability renders them ineffective.

Vendor due diligence assessments

Many organizations, and especially those under strict compliance mandates, perform routine, comprehensive vendor security assessments. Although well intended and highly recommended, such exercises provide point-in-time assessments. They do not provide prevention or even continuous detection. Although these assessments should be part of a comprehensive security program, they are in no way adequate as a stand-alone approach to mitigating or preventing website supply chain 3rd party risk.

Restricting the usage of 3rd party tools

Exercising a debilitating level of caution by limiting or restricting the usage of beneficial 3rd party tools on websites is generally counterproductive to the overall goals of the business. Limiting the number of tools able to be deployed on an organization’s website limits the ability to provide an engaging user experience and extract meaningful analytics. This methodology makes delivering a compelling, differentiated, and dynamic web presence difficult.

Source Defense V.I.C.E.

Source Defense provides dynamic prevention for attacks of 3rd party origin. Source Defense’s patent pending solution allows security teams to set and enforce security policies to ensure total control of all 3rd party vendors operating on web pages.

Source Defense is easy to deploy, and even easier to manage and maintain. Utilizing machine learning and market best practices, supervised by our subject matter experts, the Source Defense platform automates the initial policy definitions, thus simplifying administration, deployment and ongoing 3rd party JavaScript integration. Policy settings may be modified by the administrator, but the system continuously consumes experiential data to eliminate the need for cumbersome, ongoing maintenance.

By removing the security considerations from 3rd party integrations, Source Defense saves countless man-hours spent on tests and integrations. This allows website owners to focus on enhancing user experience and driving web commerce revenues while ensuring the security and privacy of private and payment data.
