Websites integrate code and resources from multiple – sometimes hundreds of – third-party service providers. The marketing tags, chatbots, user analytics and rich content resources that enhance the user experience have effectively turned today’s websites into collections of web-enabled assets. The massive global supply chain of applications and code that websites draw from has a potential downside: many of these assets operate outside the security control of the website owner. If they are not properly secured, they can introduce vulnerabilities that enable client-side attacks. This type of attack presents its own set of risks, some of which can reach deep into your IT environment and threaten sensitive data.
Portable, scalable, hackable
Enterprise websites have long been a major target for attackers looking to steal assets of obvious value such as credit card data, privileged credentials or sensitive information. Vulnerabilities in the website supply chain are an attractive route to this end, not least because of their scalability: a single compromise of a widely used component lets attackers hit multiple users on multiple sites by exploiting the exact same vulnerability. One well-chosen attack on a widely used application can give attackers reach into thousands of sites around the world simultaneously.
Needle meets haystack
As website supply chains become more complex and opaque, it is difficult for organizations to establish precisely how many of these integrations are running on their websites – or who owns and manages them. Much of the time, they are added by marketing or web teams outside the software development lifecycle, often bypassing code review and testing. Because security teams are rarely part of the development cycle, they lack insight into when and where third-party code is used. What happens to the scripts no one uses any more? Or to the apps running on long-forgotten landing pages? When multiple teams, each with different goals and skills, are working on the same websites and applications, it is hardly surprising that they fall out of step. It is a fair assumption that a lot of untrusted, untested code is running on enterprise websites without anyone knowing it is there – and that is exactly the kind of place client-side attackers like to hang out.
What can you do about it? Wake up and smell the Java[Script]
Client-Side Protection is a part of Imperva’s Application Security Suite. Start your Application Security free trial today.