By Ditsa Keren

Every commercial website includes dozens of third-party integrations that help it grow and maximize its business potential. Unfortunately, these third parties introduce a client-side vulnerability that leaves websites exposed.

Source Defense uses a real-time sandbox isolation technology that prevents malicious activity originating from website supply chain vendors. In light of the major shift towards remote work under the COVID-19 pandemic, I asked co-founder and VP PS Avital Grushcovski for his advice as to how organizations can tighten their defenses and keep their online operations secure.

Please describe the story behind Source Defense and its evolution so far.

Source Defense is one of the few companies formed in the last 2 years that actually created a brand new market and addressed a problem that was never addressed before. It was founded by my best friend, myself and a mutual acquaintance we knew from a company we used to work at.

Throughout our professional lives, we encountered many problems with third-party scripts. I spent 5 years as a product manager for an ad-tech company called Walla, here in Israel, and was in charge of deploying new products to the website. So I had experience with third-party vendors and third-party JavaScript. We’ve learned that a lot of problems come from that specific vector.

We did a lot of research and found that no one has succeeded or even tried to commercially solve the problem of governing third-party access. We have found a few open-source projects that tried to address this, but with little to no success at all. We decided we’d figure out a way to do it, and then my partner came out with the brilliant idea of applying access policies to JS on the web browser. It sounds very simple because we already have it on our mobile phones, but you were never able to do that on the web. 

We developed a patented engine that allows you to very simply say which of the third-party vendors has the privileges to read the page or write to it. For example, a chat vendor might be able to read the page but it can’t read credit card information, usernames and passwords. Basically customizing specific access policies to each one of the vendors running on your pages. 

At the time, no one knew this problem even existed, which actually made it difficult to raise money at first, because we had to convince investors that the problem actually existed. Four years ago, if you were looking for investors and said I’m the only one doing it, the answer would either be that it can’t be done, or there’s no money in it because there’s no way you are the first. 
