3rd Party Scripts Are Jeopardizing Your Business, Source Defense is Here to Help

Source Defense is the first and only company to offer a real time SAAS solution that protects websites from vulnerabilities introduced through the website supply chain. We've interviewed VP Product and co-founder Avital Grushcovski in order to understand what is the problem with third party scripts, and how it can be avoided. Here's what we found. Share

Avital-Grushkovski source defense

What is your main objective at Source Defense?

Websites today typically operate with many third-party vendors scripts integrated onto the website.  These scripts are designed to enable rich content capability and provide measures of website performance and efficiency.  These include analytics, advertising, chat services, social media applications, etc. However, they introduce a problem, because they function outside of the website security perimeter, which is focused on the communication between the user and the website server.  This security generally includes firewalls and WAFs which focus on protecting the server-side of the website session.

These third-party scripts operate outside of this security perimeter and introduce a very real client-side vulnerability that is not currently addressed.  These scripts are designed to communicate with remote servers which are managed by third party service providers, completely external to the organizations security infrastructure. Some of the big names include Google, and Facebook, but many smaller third party vendors offer compelling capabilities that are broadly deployed and enhance web experience or enrich analytics.

Unfortunately, when these third-party vendors are compromised the resultant attacks can, in turn, compromise all of the organizations that have integrated the services of this third-party vendor.  We’ve seen many and recent examples of this attack type including the April, 2018 breach of Delta, Best Buy, Sears and Kmart that originated from the compromised service of a reputable third party vendor JavaScript they had all deployed on their websites.  A significant volume of credit card data was stolen which has resulted in significant remediation costs and reputational damage to these prominent vendors.

If we consider that the origin of JavaScript has no effect over the level of access it has to the page. That every script can add/remove data from the page, perform unwanted actions and even record key strokes as the user types them. The lack of controls over how JavaScript is designed to function make third-party JS an increasingly popular attack vectors for hackers.

Today’s solutions are focused around “detecting” this problem post-breach. Source Defense has architected an entirely new approach introducing a paradigm shift focused on preventing this type of attack in real time through a first of its kind isolation and segmentation technology.  Source Defense’s cloud-based SaaS solution allows administrators to assign default or highly customizable policies to every third-party script operating on their webpage.

As an example, an analytics plugin tool can be controlled to ensure it has read-only access to the webpage content.  Should this tool become compromised the assigned policy permissions deployed via Source Defense ensure that malicious activities like adding unwanted content are prevented. Similarly, an ad service, once protected by Source Defense, will only be able to display ads in their designated areas and not able to create any malicious phishing overlays.

The Source Defense solution was purposefully built for deployment and administration simplicity. Machine intelligence is leveraged to evaluate deployed third-party scripts and assigns default policies per third party service. Additionally, ongoing administration is extremely low requiring little oversight beyond accepting policies for newly deployed third party scripts.  Machine learning ensures that these default policies are generally effective.  However, these policies may be customized if required.

We consider the Source Defense solution as both a compelling security solution as well as a critical business enablement tool.  It allows organizations to quickly and securely deploy third-party tools that enable rich content and capability to their websites.

How has the transition from analogue to digital changed the game for financial institutions?

If you look at financial websites ten years ago you’d see few, if any, third-party scripts operating on corporate websites. Today, third-party integrations are commonly deployed.  The typical bank will have twenty to forty third party scripts operating simultaneously.

Security teams constantly struggle with the challenge of quickly activating the capabilities of these third party vendors while ensuring the security of the website.

Financial organizations often choose to integrate third party services onto their websites from well-known and established vendors, because they consider them more secure. This creates conflict between the marketing and security teams because innovative new tools often require extended security validation and jeopardize time to market.

Tag management platforms enable seamless addition of scripts to web pages with a simple user interface. When financial institutions put these tools in the wrong hands the goal of enhancing efficiency may come at great cost due to the exposure non-validated scripts and tools introduced to organizations.

Financial institutions protected by Source Defense can confidently deploy third party tools to their websites without exposing their organizations to vulnerabilities introduced by their scripts.  These tools can be implemented quickly and securely.

As block chain technology is gaining popularity, how would you advise financial entrepreneurs to protect their user data?

Source Defense recommends to apply more consideration and diligence to vulnerabilities introduced on the client (browser) side, these emerging sites might have huge transactions in them and having unmanaged third-party scripts operating on web pages might cause huge losses. My advice would be to either adopt a solution that can manage these third-parties or avoid using them as much as possible.

In your opinion, should the Internet be regulated? How?

I don’t think the Internet should not be regulated.  However, this answer depends on a discussion of “regulated”. There’s great risk that simple regulation will evolve very quickly to censorship. That said, I do believe that there are websites that should be taken down and handled. I wouldn’t have ISP’s blocking applications, because that’s a very slippery slope.  However, it’s clear that some sort of investigative authority should be funded and supported by governments to avoid some of the unfortunate content and transaction that is enabled by an unmonitored Internet.

What can you tell us about Source Defense’s future plans?

We’re a fast-growing startup with a first of its kind solution that addresses a very compelling and real threat vector that nearly every organization with a website faces today.  Many recent breaches have highlighted the need for this solution.  As such, we are engaged in multiple pilots with large multi-national organizations and Fortune-500 companies. Our future will see Source Defense expand more deeply into privacy and security, expand integrations and expand support for key compliance requirements like those evident in GDPR.  We will remain steadfast in our core goal of assisting organizations with secure business enablement.

We plan to open our new headquarters in the US and plan to significantly grow operations there in the near future.

Was this helpful? Share it!
Share on Facebook
0
Tweet this
1
Share if you think Google does not know enough about you
0