The 7 Ps: The core principle every eCommerce CISO should follow

The 7 Ps: The core principle every eCommerce CISO should follow

In technology, we frequently hear how old-school IT principles still apply to things that we do today. However, it’s often attractive to take shortcuts to meet deadlines, especially in a world where things move at the speed of light.

I was raised in a small English town by my grandparents and looking back, many of the old expressions I got from them apply to my IT career today — in particular, one British military adage that is affectionately known as the 7 Ps.

Being a military saying, the language isn’t always appropriate for a board meeting, so I’ll change a couple of words to make it more palatable:

Proper prior planning prevents painfully poor performance

Cadets or boy scouts would hear this phrase time and time again in training, but it was true in reality. Badly planned missions, or poor preparation, could result in man hours being wasted, millions in resources lost, or in a worst case scenario — human casualties. While today’s battles between the good and the bad guys on the web don’t involve the exchange of bullets, the tactics are the same.

Proper prior planning

Repeat that phrase for a second, and then try to do it with a James Bond style accent — it sounds more important, right? Now, think about the applications and services that you are responsible for as a CISO.

I would imagine you have spent countless hours planning everything from architecture, scale, security, and infrastructure, hashing out all the details and making sure everyone is confident that the product is good to go.

The challenge is that regardless of how much effort you put into this process, there are elements that get overlooked and things that are simply out of your control. Most applications today utilize third-party JavaScript libraries in some form, many of which are open-source projects involving vast numbers of different developers. And similar to the bugs in your own code, bugs also exist in these libraries — leading to unexpected problems and even vulnerabilities.

Preventing painfully poor performance

In practice, it’s hard to prepare for these types of issues since your QA team isn’t tasked with checking third-party code as well as your own first-party code. In addition, libraries are often inherently trusted, especially larger ones like JQuery, which can be dangerous. Due to their popularity, attackers often target their code to find vulnerabilities — there are many versions of JQuery that can be exploited.

The only real solution is to treat third-party scripts as untrustworthy and put protections in place to limit their ability to be used as weapons against your assets. Implementing technologies that enable you to control which parts of an HTML document a script can access prevents third-party JavaScript from being used for credit card skimming or form jacking, the tactic most often employed in Magecart attacks. It is essential to plan for these events to avoid the breaches we’ve seen recently at organizations such as Ticketmaster, British Airways, and NewEgg.

Old principle, new technology

For years, organizations have employed technologies to protect their environments, whether it be an antivirus on the endpoint or firewalls to prevent outside intruders, so the idea of deploying products to protect against the unknown is not new.

There are various tools available to businesses to protect against possible web application threats. Instart Web Skimming Protection provides you with precise control over what JavaScript is able to access on a web page, including HTML form fields and cookies. You’ll also be able to view exactly if and when scripts are loaded, and  be able to manage whether they run. In addition, Instart intercepts all of the API calls made to your website from the browser and blocks access to sensitive data you have not previously authorized.

By providing the ability to control and limit what third-party libraries can interact with, Instart Web Skimming Protection acts as a security barrier in the event that a vulnerability exists, protecting websites and web applications from being at risk to vulnerabilities from a third party.

Instart helps to fully protect your brand from the latest malicious threatsRequest a demo