SBOM for Websites?

By Source Defense

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency, recently released guidance for organizations on securing their software supply chain.

The publication, which follows the August 2022 release of guidance for developers and the October 2022 release of guidance for suppliers, provides recommended practices for customers to ensure the integrity and security of software during the procuring and deployment phases.

“Unmitigated vulnerabilities in the software supply chain pose a significant risk to organizations,” the guidance states. “All organizations have a responsibility to establish software supply chain security practices to mitigate risks.”

Although the guidance mentions using a Software Bill of Materials at least eight times throughout its 45 pages, it fails to adequately address the widespread use of third, fourth, fifth, and even sixth-party code in the vast majority of the world’s modern web applications.

Gartner estimates that 40% to 80% of the lines of code in new software projects come from third parties. “Most of this external code comes from myriad open-source projects; the remaining proprietary code comes from suppliers that provide little or no transparency to its status or condition. To complicate things even further, many open-source software (OSS) dependencies are undermanaged and understaffed,” the report states.

Source Defense research reveals a similarly difficult challenge regarding the digital supply chain for client-side web applications. Source Defense’s analysis of the top 4,300 websites by traffic worldwide shows the average number of third-party scripts in use is 12. On the average website, 12 third- and fourth-party scripts appear on at least one sensitive page, such as a login and credential capture page.

In the retail sector, for example, the average ecommerce website uses dozens of third-party tools. Retailers say they plan to add an average of 3 to 5 new third-party technologies to their sites annually. These third-party tools are the mechanism by which cybercriminals intercept and steal customer data.

Threat Landscape Changing

The CISA guidance explicitly highlights the need for organizations to be aware of changes in the threat landscape, particularly the methods attackers use to compromise client-side and server-side applications. “Rather than waiting for public vulnerability disclosures, threat actors proactively inject malicious code into products that are then legitimately distributed downstream through the global software supply chain,” the report states. “Over the last few years, these next-gen software supply chain compromises have significantly increased for both open-source and commercial software products.”

The guidance recognizes that the COVID pandemic has pushed many organizations to quickly adopt SaaS applications at the expense of security monitoring and reviews. Many of these applications are focused on enhancing, improving, and optimizing workflows and customer engagement online. The guidance specifically recommends organizations design or acquire “a mechanism to monitor and scan third-party applications which are directly connected to the cloud environment.”

Not surprisingly, this same type of guidance can be found in the latest update of the Payment Card Industry Data Security Standard (PCI DSS) – where the PCI Council explicitly calls for all third-party JavaScript used on payment processing websites to be inventoried, monitored and prevented from being compromised. 

Waiting to act is simply waiting to be attacked. Request a demo of the Source Defense platform and get a personalized threat analysis for your business.

About Source Defense

Source Defense is a security and data privacy compliance platform for any website that collects sensitive data or is transaction oriented. It addresses a ubiquitous gap in the management of third-party digital supply chain risk with a model that extends security beyond the network to the client-side. As the market leader in web application client-side protection, Source Defense provides real-time threat detection, protection and prevention of vulnerabilities originating in JavaScript.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.