3rd Party Scripts Are Jeopardizing Your Business, Source Defense is Here to Help
Source Defense is the first and only company to offer a real-time SaaS solution that protects websites from vulnerabilities introduced through the website supply chain. We interviewed VP Product and co-founder Avital Grushcovski to understand what the problem with third-party scripts is and how it can be avoided. Here's what we found.
What is your main objective at Source Defense?
Websites today typically operate with many third-party vendor scripts integrated onto the website. These scripts are designed to enable rich content capability and provide measures of website performance and efficiency. These include analytics, advertising, chat services, social media applications, etc. However, they introduce a problem, because they function outside of the website security perimeter, which is focused on the communication between the user and the website server. This security generally includes firewalls and WAFs which focus on protecting the server-side of the website session.
These third-party scripts operate outside of this security perimeter and introduce a very real client-side vulnerability that is not currently addressed. These scripts are designed to communicate with remote servers which are managed by third-party service providers, completely external to the organization's security infrastructure. Some of the big names include Google and Facebook, but many smaller third-party vendors offer compelling capabilities that are broadly deployed and enhance web experience or enrich analytics.
Today’s solutions are focused around “detecting” this problem post-breach. Source Defense has architected an entirely new approach introducing a paradigm shift focused on preventing this type of attack in real time through a first-of-its-kind isolation and segmentation technology. Source Defense’s cloud-based SaaS solution allows administrators to assign default or highly customizable policies to every third-party script operating on their webpage.
As an example, an analytics plugin tool can be controlled to ensure it has read-only access to the webpage content. Should this tool become compromised, the assigned policy permissions, deployed via Source Defense, will ensure that malicious activities like adding unwanted content are prevented. Similarly, an ad service, once protected by Source Defense, will only be able to display ads in their designated areas and not be able to create any malicious phishing overlays.
The Source Defense solution was purposefully built for deployment and administration simplicity. Machine intelligence is leveraged to evaluate deployed third-party scripts and assign default policies per third-party service. Additionally, ongoing administration is extremely low, requiring little oversight beyond accepting policies for newly deployed third-party scripts. Machine learning ensures that these default policies are generally effective. However, these policies may be customized if required.
We consider the Source Defense solution as both a compelling security solution as well as a critical business enablement tool. It allows organizations to quickly and securely deploy third-party tools that enable rich content and capability to their websites.
How has the transition from analog to digital changed the game for financial institutions?
If you look at financial websites ten years ago, you'd see few, if any, third-party scripts operating on corporate websites. Today, third-party integrations are commonly deployed. The typical bank will have 20-40 third-party scripts operating simultaneously.
Security teams constantly struggle with the challenge of quickly activating the capabilities of these third-party vendors while ensuring the security of the website.
Financial organizations often choose to integrate third-party services onto their websites from well-known and established vendors, because they consider them more secure. This creates conflict between the marketing and security teams because innovative new tools often require extended security validation and jeopardize time to market.
Tag management platforms enable seamless addition of scripts to web pages with a simple user interface. When financial institutions put these tools in the wrong hands, the goal of enhancing efficiency may come at great cost due to the exposure to non-validated scripts and tools introduced to organizations.
Financial institutions protected by Source Defense can confidently deploy third-party tools to their websites without exposing their organizations to vulnerabilities introduced by their scripts. These tools can be implemented quickly and securely.
As blockchain technology is gaining popularity, how would you advise financial entrepreneurs to protect their user data?
Source Defense recommends applying more consideration and diligence to vulnerabilities introduced on the client (browser) side. These emerging sites might have huge transactions in them, and having unmanaged third-party scripts operating on web pages might cause huge losses. My advice would be to either adopt a solution that can manage these third parties or avoid using them as much as possible.
In your opinion, should the Internet be regulated? How?
I don't think the Internet should not be regulated. However, this answer depends on a discussion of "regulated". There's a great risk that simple regulation will evolve very quickly to censorship. That said, I do believe that there are websites that should be taken down and handled. I wouldn’t have ISPs blocking applications, because that's a very slippery slope. However, it's clear that some sort of investigative authority should be funded and supported by governments to avoid some of the unfortunate content and transactions that are enabled by an unmonitored Internet.
What can you tell us about Source Defense's future plans?
We're a fast-growing startup with a first-of-its-kind solution that addresses a very compelling and real threat vector that nearly every organization with a website faces today. Many recent breaches have highlighted the need for this solution. As such, we are engaged in multiple pilots with large multinational organizations and Fortune 500 companies. Our future will see Source Defense expand more deeply into privacy and security, expand integrations and expand support for key compliance requirements like those evident in GDPR. We will remain steadfast in our core goal of assisting organizations with secure business enablement.
We plan to open our new headquarters in the US and plan to significantly grow operations there in the near future.