Building and managing a successful website often involves adding various 3rd party tools that improve user experience, reduce costs, and more. While their benefits are clear, these tools pose a significant security vulnerability to your website, because they significantly increase its attack surface. These types of Magecart attacks on websites are on the rise, simply because they are a relatively easy entry point for hackers. Rising consumer awareness and increasingly strict regulation lead to enormous costs and damages, so much so that companies can no longer afford to leave their websites unprotected from these Magecart attacks.

Even with in-depth knowledge of available solutions, it can be difficult and overwhelming to find the one that suits your needs and provides adequate protection. To make your life easier, here are six questions to ask potential website security solution providers before choosing who to work with.

Here are the six questions you have to ask when evaluating website security providers

Question 1: What is your MO?

There are many relevant solution providers out there, each with a different approach to dealing with 3rd party, script-related vulnerabilities. Asking potential website security vendors about which method they employ should be your starting point. Let’s briefly discuss these approaches.

  • Content Security Policy (CSP) – CSP is used to prevent clickjacking, cross-site scripting, and various code injection attacks. It’s designed to prevent code from unauthorized sources from being executed on the website. With CSP, administrators can create a whitelist of safe domains and ensure that only JavaScript received from these valid sources is executed. This is a great way to prevent breaches from unknown sources, but it does not prevent a breach from a whitelisted domain. CSP also requires more resources, due to the amount of configuration and expertise needed to apply it, not to mention ongoing maintenance. In addition, any misconfiguration can cause 3rd party applications to malfunction.

  • Sub-Resource Integrity (SRI) – This security approach allows browsers to verify the files they fetch and ensure they have not been manipulated in any suspicious way. This is done by adding an agreed-upon hash value to the tag that requests the file (its integrity attribute). If the hash of the fetched file does not match, the file will be rejected. This way, unauthorized changes to the JavaScript are not loaded. However, using SRI can be cumbersome when applying it to dynamic JavaScript, which in most cases is regularly updated to add features and fix bugs. Each time an update or change is implemented, a new hash must be applied as well. This not only requires more resources and manpower, but it also increases the chance of human error and false positives. In some cases, SRI cannot be adopted at all – for example when a dynamic JavaScript service changes for each user.

  • Monitoring and Detection – This approach lets you monitor and detect suspicious activity. Malicious scripts can be removed as soon as an alert is triggered, but it might be too late for some of your users who may have already been exposed. Monitoring and detection can help reduce the number of compromised users, but it does not eliminate the problem. You are still obligated to notify your users, trigger incident response teams and cyber analysis. The damage to your brand and the operational costs are huge.

  • Real-time client-side sandboxing – A technology that automatically regulates how each 3rd party JavaScript vendor can access your content. This method provides constant real-time prevention, allowing you to protect your assets and sensitive data from suspicious and malicious 3rd party behavior. Client-side sandboxing is the most effective method to secure your website data.

Question 2: Smart detection or real prevention?

There are many different types of detection solutions out there, some more advanced than others. The smartest forms use various sensors and advanced technology to detect attacks and alert you as quickly as possible. They do not, however, prevent attacks from occurring in the first place. Real prevention controls the access and permissions of every 3rd party JavaScript vendor on your website, preventing most attacks from occurring in the first place.

Question 3: How will it impact user experience?

Companies invest immense resources in creating the best possible user experience – and optimizing it regularly. User experience is critical to your reputation and revenues, and you shouldn’t have to compromise it for the sake of better protection from potential data breaches. Make sure that the solution you select works seamlessly in the background, without affecting user experience.

Question 4: What is the operational overhead?

Aim for a solution that works as seamlessly and automatically as possible, one that requires little to no management in order to work effectively. Shoot for the stars and look for a solution that smartly employs artificial intelligence and machine learning. Automatic adjustment of permissions and access policies means minimal involvement and configuration on your end.

Question 5: How will it affect the bottom line?

Whatever the solution, it will come at the expense of time and budget. But if it works, it will prevent breaches and the significant costs associated with them, keeping the net bottom line in the green zone. Some solutions, however, may break your 3rd party operations and hurt your bottom line, sometimes in ways that are extremely hard to detect. In CSP for example, it is commonly suggested to block the creation of foreign iFrames, because they enable scripts to escape the CSP “cage.” It is also the only way for a script to save 3rd party cookies – a must for any remarketing/DMP/RTB system.

The effect, in this case, might not be visible right away, and it could take weeks for your marketing teams to figure out why traffic is in decline before you realize that your trackers (which are probably most of your scripts) are no longer working properly.

Question 6: How will the selected solution handle new and evolving threats?

Threats are constantly evolving, and an effective solution must evolve at the same pace and do so automatically.

How does Source Defense stack up?

Source Defense provides a 3rd party JavaScript security solution that prevents attacks in real time using machine learning and AI technology. It works in the background, without affecting user experience, and automatically adapts to new threats. It is a real-time prevention solution that doesn’t require complicated or lengthy implementation, allowing you to use as many 3rd party tools as needed without having to worry about long implementation and time-to-market delays. Not only does this guarantee the most effective protection against breaches, it also lets your marketing team get more out of your website and drive your business further and faster, without compromising on security, compliance, and user experience.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.