By Source Defense

The COVID-19 pandemic forced a fundamental shift in the way people engage with brands and the way businesses provide products and services. The digital user experience has become the center of gravity for companies large and small, and there’s no going back.

The shift online, with all of its benefits to businesses and consumers, also introduces serious risks to your business. As someone involved in the business side of digital, you need to understand these risks. The first comes in the form of data leakage – which could put you at risk of millions in fines for non-compliance with data privacy standards like GDPR and PCI DSS. This leakage occurs when the partners that you plug into your website overreach and capture data that is governed by data privacy compliance requirements. The logic behind this may be solid – track the user’s interests, offer customized browsing workflows, suggest additional products, etc. But even if the intent of the activity is pure, you have the responsibility to protect this data, its usage and how it is shared – so you have a responsibility to know and control the actions of these partners. The second comes in the form of data theft. Your online properties are an extremely attractive attack surface for cybercriminals who want to steal sensitive information from your clients. 

The web browser front-end not only delivers a brand experience to users but also actively harvests all sorts of sensitive information from visitors – sometimes this is done by your 3rd party partners, sometimes it is done by cyber scum. Cybercriminals are increasingly targeting client-side applications to steal credentials, financial transactions, payment card data, healthcare data, and other personally identifiable information (PII).

Client-side attacks, such as formjacking, credential harvesting, digital skimming, and Magecart, were first recorded in 2014 and have been on the rise ever since. This is an underreported, overlooked, and often neglected aspect of web app cybersecurity. As a result, client-side attacks are becoming more frequent.

Both data leakage and data theft have cost some of the world’s largest brands tens of millions in security response costs, fines and judgments. These incidents damage brand reputation and run the risk of turning your burgeoning online growth into a detrimental aspect of business operations. You need to be an active partner with Security and Compliance/Risk teams in controlling the 3rd party digital supply chain.

What’s At Stake?

Digital user experience is critical to business success, but if you fail to control your digital partner ecosystem, you could one day be responsible for a business-impacting compliance fine or cyber breach. The JavaScript running on your customer-facing sites — whether they be the first party code your teams have implemented or the potential dozens of 3rd, 4th, and 5th party scripts that your supply chain partners run on your site — need to be monitored and controlled to prevent compliance policy violations and to prevent opening the door to client-side attacks like Magecart, formjacking, digital skimming, and credential harvesting.

Typical web properties rely on dozens of these supply chain partners for script that is either dynamically loaded or externally controlled. This third-party script delivers various rich functionality, including ads, analytics, social media, trackers, and much more, to enhance the customer experience and generate revenue. That’s the good news.

The bad news is that these scripts represent unmanaged and unprotected shadow code, effectively the soft underbelly of any large website for adversaries to attack. Dynamically loaded scripts introduce code variability on an unmanageable scale, drastically increasing the chances of compromise.

A New Approach is Needed

The traditional approach to ensuring web application security involves hardening the server-side of the equation. It also involves lengthy code reviews by committees involving Digital/Ecommerce, Security and Governance, Risk and Compliance teams. You may be involved with such a committee – we often hear them referred to as “script councils.” Even when these steps are in place, such reviews are only valid when conducted and immediately become outdated once the code is updated (which can happen hundreds of times per month for some Javascript code). Traditional server-side security is also inadequate because client-side scripts operate completely outside of the security capabilities an organization deploys to secure the server side of the browser session.

To continue driving the digital experience forward, you need to partner with Security and Compliance to mitigate the risk. You need to start a conversation with them about the issue and come together to drive the business forward without the fear of millions in potential losses.

The good news is that there are solutions available that offer a win-win-win proposition

The best approach to client-side web app protection is a prevention-first solution that’s purpose-built to detect, protect, and prevent client-side data leakage and web app attacks in a way that: 

  • Enables you to control what partners go on your site and when 
  • Gives you full visibility into the actions of these partners – and a mechanism to control their actions to fit your data privacy policies 
  • Doesn’t add operational burden for the cybersecurity team
  • Speeds time to market with new third-party capabilities or content

The Source Defense patented Website Client-Side Security Platform offers the most comprehensive solution to detect website skimming, formjacking, and supply chain attacks and stop them before they affect your website or your customers. Source Defense reduces risks and vulnerabilities while providing an optimal user experience. It’s also architected for deployment and administration simplicity. On average, Source Defense users spend less than five hours per month managing the solution on their production websites.

Source Defense’s product is designed to offer web application client-side protection to enterprise websites against the client-side threats that other products overlook.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.