Source Defense announced the results of a survey that, for the first time, quantifies the security, privacy and compliance risks built into the digital supply chain of major business websites.
This risk, which lives in highly dynamic and unpredictable third-party scripts and the code they pull in, touches every part of a business's web presence. The report highlights a widely underestimated class of attack that became infamous in 2018, when the financial and personal information of more than 400,000 British Airways customers was stolen, resulting in the largest fine ever imposed by the UK Information Commissioner's Office (ICO).
Companies that collect sensitive information, enable business transactions or conduct business through their web features are under constant risk of attack. The pace of hostile activity only increases as retail and e-commerce companies enjoy rapid growth, post-pandemic travel and accommodation demand rises, and healthcare and financial services transactions move into more complex and sensitive online functions.
The report's headline finding is an average of 15 external scripts per site, with sensitive pages alone carrying an average of 12. Financial services was the most exposed vertical, with almost 60% more scripts on sensitive pages, three times as many fourth-party scripts, and double the number of scripts per page overall.
Risks lurking in the digital supply chain
The data comes from an analysis of 4,300 of the world's largest websites across the most common verticals, conducted in the first quarter of 2022 to identify security and compliance issues hidden in the website digital supply chain. The company mapped third- and fourth-party scripts across each website and on individual pages, including sensitive pages that handle PII, financial data and similar information, and compared usage across the most common verticals.
“While retail and credit card breaches occupy the most headlines, it poses a widespread and relatively unchecked risk for both security and privacy across all verticals,” said Dan Dinnar, Source Defense CEO.
“This is a rapidly growing and highly volatile problem with sensitive data. Companies and their digital supply chain partners are constantly updating sites and code, and the most valuable data for malicious actors is collected on pages where business analytics, tag management, and other tracking and management capabilities are most needed.”
Extensive libraries of third-party scripts are available for free, or at low cost, from communities, organizations and even individuals. They are popular because they let development teams quickly add functionality to applications and keep it maintained without building it themselves. These packages often contain additional code from other parties, one step further removed from the deploying organization, and sometimes further still.
To make matters worse, these scripts are served from third-party servers and run in the visitor's browser, delivering everything from social media connections to marketing tracking and analytics. If a script is compromised, the shadow code it carries goes straight to the browser, past the organization's server-side defenses, which never see it. Browser-side controls such as Content Security Policy and Subresource Integrity can constrain this, but a vendor script that changes without notice cannot be pinned to a fixed hash, so many sites leave it unpinned. From there, scripts can exfiltrate data to remote servers, redirect users to malicious websites, or lay the groundwork for formjacking, digital skimming and credential harvesting attacks.
Additional risks found
- 49% of all sites had external code able to read form input and listen for the user's keystrokes, and more than one in five sites had external code able to modify forms.
- On average, one in four scripts across a site is fourth-party code, as is one in five scripts on any individual page.
- On each page, the analysis found an average of five external scripts, including at least one fourth-party script. The number was much higher on sensitive pages, which averaged 12 external scripts with access to everything from credentials to account and financial details.
- The two most exposed verticals were financial services and healthcare, averaging 16 and 13 third-party scripts and 6 and 5 fourth-party scripts respectively. On sensitive pages, the analysis found an average of 19 scripts in financial services and 14 in healthcare.
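The classification the report uses (first-, third- and fourth-party scripts) and the capabilities it flags (reading form input, listening for keystrokes, altering forms) can both be reproduced from a page's own script load records. The following is an added example, not Source Defense's tooling or anything from the report: it takes a list of script loads with their initiator (the shape a DevTools initiator chain or a CSP reporting log gives you), derives the party of each script from who requested it, and applies simple pattern checks to the fetched script text. The load records, hostnames and script bodies are constructed for illustration; the site comparison by the last two host labels is a simplification that real tooling would replace with the Public Suffix List.

```javascript
// Added example (not Source Defense's code): classify a page's script loads
// as first-, third- or fourth-party from their initiator chain, and flag
// external scripts whose text shows they can read or alter forms.

// Compare sites by their last two host labels. Assumption/simplification:
// production code should use the Public Suffix List instead.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Heuristic indicators of form/keystroke access and form tampering. These
// are hints only: minified or obfuscated code evades simple pattern matching.
const READS_FORMS =
  /addEventListener\(\s*['"](keydown|keyup|keypress|input|change|submit)['"]|\bon(keydown|keyup|keypress|input)\s*=|document\.forms\b|new\s+FormData\s*\(|\.value\b/;
const ALTERS_FORMS =
  /\.action\s*=|\.method\s*=|setAttribute\(\s*['"]action['"]|createElement\(\s*['"](form|input)['"]|insertAdjacentHTML\(/;

// loads: [{ url, initiator, integrity, source }], where `initiator` is the
// document or script URL that triggered the fetch, `integrity` is the SRI
// hash the page pinned (if any) and `source` is the fetched script text.
function classifyScripts(pageUrl, loads) {
  const pageSite = siteOf(pageUrl);
  const byUrl = new Map(loads.map((l) => [l.url, l]));
  const cache = new Map([[pageUrl, 'first']]);

  // A script on the page's own site is first-party. Otherwise it is
  // third-party when the page or first-party code requested it, and
  // fourth-party when another external script did (at any depth).
  function partyOf(url) {
    if (cache.has(url)) return cache.get(url);
    cache.set(url, 'third'); // provisional value guards against initiator cycles
    let party;
    if (siteOf(url) === pageSite) {
      party = 'first';
    } else {
      const rec = byUrl.get(url);
      // An initiator we have no record of is treated as the page itself.
      const initiatorParty = rec && rec.initiator ? partyOf(rec.initiator) : 'first';
      party = initiatorParty === 'first' ? 'third' : 'fourth';
    }
    cache.set(url, party);
    return party;
  }

  return loads.map((l) => ({
    url: l.url,
    party: partyOf(l.url),
    hasIntegrity: Boolean(l.integrity),
    readsForms: READS_FORMS.test(l.source || ''),
    altersForms: ALTERS_FORMS.test(l.source || ''),
  }));
}

// Per-party counts, plus the external scripts that deserve review because
// they can touch form data or arrive without an SRI hash.
function summarize(findings) {
  const counts = { first: 0, third: 0, fourth: 0 };
  for (const f of findings) counts[f.party] += 1;
  const review = findings
    .filter((f) => f.party !== 'first' && (f.readsForms || f.altersForms || !f.hasIntegrity))
    .map((f) => f.url);
  return { counts, review };
}

// Constructed sample: a checkout page, one first-party bundle, a tag manager
// that pulls in an analytics script, and a chat widget that rewrites a form.
const PAGE_URL = 'https://checkout.shop.example/pay';
const SAMPLE_LOADS = [
  { url: 'https://static.shop.example/app.js', initiator: PAGE_URL,
    integrity: 'sha384-placeholder',
    source: 'document.querySelector("#card").value' },
  { url: 'https://tags.tagmgr-vendor.example/gtm.js', initiator: PAGE_URL,
    integrity: null,
    source: 'var s=document.createElement("script");s.src="https://cdn.analytics-vendor.example/collect.js";document.head.appendChild(s)' },
  { url: 'https://cdn.analytics-vendor.example/collect.js',
    initiator: 'https://tags.tagmgr-vendor.example/gtm.js', integrity: null,
    source: 'document.addEventListener("keydown",function(e){navigator.sendBeacon("/c",e.key)})' },
  { url: 'https://chat.support-widget.example/widget.js', initiator: PAGE_URL,
    integrity: null,
    source: 'var f=document.querySelector("form");f.action="https://chat.support-widget.example/s"' },
];

const REPORT = summarize(classifyScripts(PAGE_URL, SAMPLE_LOADS));
console.log(JSON.stringify(REPORT, null, 2));
```

On the constructed sample, collect.js is counted as fourth-party because its initiator is the third-party tag manager, not the page, and it is flagged because it registers a keydown listener; widget.js is flagged because it reassigns a form's action. The first-party bundle also reads a form field, but that is the page's own code and is not part of the external review list.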