Most websites today have integrated third-party scripts from a variety of vendors not always understanding the full implications or risks they’re undertaking by doing so. Often times, these scripts, loaded from vendor servers such as ad servers, analytics, or marketing, come laden with malware and lack the level of security needed to protect visitors to the site. This lower-level security can result in the third party being hacked as we’ll discuss more in depth. While it’s practically impossible to avoid using third party vendors, it’s vital that companies are aware of the risks associated with them.
The problem starts with third party security, or rather, the lack of it. Third party code is only activated on a visitor’s web browser, thereby bypassing the main site’s web server and more to the point, their security measures. In other words, the website operator may never know if the remote host is compromised or that the third party script they’ve embedded has been manipulated to distribute malware or that their users accounts have been accessed. This malware or unauthorized access can then be spread to millions of siteaffect millions of visitors with no warning.
Ultimately, the best solution is to have a procedure in place to vet the third party security and trustworthiness of any widget a publisher is considering installing. Companies can utilize an engine that’s loaded into the visitor browser allowing it to react in real time to each action the script is taking. An engine of this kind can implement the following third party security features:
Implementing a solution such as this will allow the engine to control the actions of third party scripts on a site while still reaping the benefits of utilizing web widgets.
CEO Source Defense