How to effectively control third-party JavaScript to reduce security risks

The average website uses at least 30 different third-party scripts to power live chat, dynamic content, and gather user data. These enhancements are a turnkey way for businesses to improve the profitability of their website, but they can also offer backdoor access to cybercriminals. 

In 2018, Magecart groups covertly hacked Ticketmaster, Newegg, British Airways, and others. In the case of British Airways, hackers stole the credit card information and personal details of more than 380,000 passengers in just 15 days.

Why third-party script behavior is a security risk

Cybercriminals use third-party code as a gateway into otherwise secure websites. Once executed in the browser, these scripts have the same access to data and resources as your own code. Under the Same-Origin Policy, a script you embed runs in your page's origin, so the browser applies no additional security control to it beyond what it applies to your first-party code. In other words, anything your own code can access, a third-party script can access as well, including customer identity, credit card information, passwords, etc. Also, because third-party code does not run through your internal infrastructure or security controls, a security breach can remain undetected for weeks.

Online businesses rely on third-party code to stay competitive, but they run the risk of an expensive, reputation-ruining security breach. More than 77 percent of websites have at least one known JavaScript vulnerability, and 1 in 13 online requests leads to malware. Yet the majority of organizations (69 percent) don’t believe their anti-virus software is capable of blocking the threats they’re seeing.

How to protect customers and your business

Consumers are skeptical about online security. Almost 40 percent of US internet users believe buying online puts them at the greatest risk for identity theft or fraud. The same survey also found 48 percent expressed loyalty to companies they trust to protect their personal data. Trust is the key to success in a competitive online marketplace and that means protecting customers from malicious attempts to skim sensitive information. 

Removing all your third-party scripts is one solution, albeit impractical. The best defense is to limit the information third-party scripts can access, but developing a first-party solution is a heavy lift for your internal team and the web page itself. 

Even Content Security Policy (CSP) and Subresource Integrity (SRI) policies could allow sensitive data to be exfiltrated from the browser. A previously whitelisted domain could become infected, or your SRI policy could hash a script that is already infected. On the flip side, approved third-party code could cause parts of your website to break by trying to (legitimately) communicate with a non-whitelisted site.

Control web security and performance

With Instart Web Skimming Protection, you can use third-party JavaScript without losing control over website security or performance. Instart prevents third-party services from accessing sensitive data and allows you to re-prioritize or disable scripts that negatively impact website performance. 

The average website serves 401 KB of JavaScript, which increases page load time by 6.77 seconds. Instart allows you to defer slow-performing scripts as they are assembled in the browser. If any third-party script performs outside of acceptable bounds, you can prevent it from loading.

Some companies use tag managers to boost performance through asynchronous tag loading. Tag managers, such as Google Tag Manager (GTM), work well for this application, but they do not provide protection against cyber attacks. In fact, GTM creates security risks without a solid internal security framework. 

Instart Web Skimming Protection provides you with full visibility into the behavior and impact of third-party JavaScript, along with full control to defer or block scripts as they assemble in the browser or to completely restrict unauthorized third-party browser access. This allows you to monitor and limit third-party access to cookies or form fields to prevent the exfiltration of personally identifiable information (PII), such as names, passwords, or even credit card numbers.

Reduce risk and take back control with Instart

The average data breach costs $3.86 million, according to research by IBM, and 55 percent of businesses fear hidden third-party code is leaking data. The World Economic Forum recently ranked cyberattacks and data breaches as one of the greatest threats of 2019. Hoping and crossing your fingers is one strategy, but preventing third-party access is a proven solution — an attacker can’t steal what they can’t see.

Third-party scripts power the personalized experiences modern consumers expect and companies rely on for revenue. Instart allows businesses to harness the power of third-party scripts without compromising the security or performance of their web apps.

You spend months and years building a reputation; don’t let hackers tear it down.
