Digital Skimming and Magecart
Your Website and the Hidden Risk of Third-Party Code
Where is your company headquarters? If you are like most people, you probably answered with the name of a city or the street address of your largest office. I’d like to offer a different perspective: in the digital era, your company headquarters is actually your corporate website. I’d bet that more people visit www.ibm.com each year than visit the company’s physical headquarters in Armonk, New York. Today, a company’s website is the primary point of interaction between it and its customers, and websites and web apps are a new - and many times the only - source of revenue for a company. Think about it: have you ever visited Zappos? I have not, and I doubt it’s even possible for a consumer to do so. Nonetheless, I interact with Zappos often to buy shoes and other accessories.
Stewarding a company’s website or web application - particularly one that is a primary source of commerce - is a huge responsibility. It’s one I’ve had in the past, looking after sites that ranged from tens to hundreds of thousands of visitors per month. This experience, coupled with my work in cybersecurity, has made me keenly aware of the challenges that must be addressed in the role: increasing visits, building engagement and driving commerce, all while continuously offering new and exciting features and keeping the site secure.
Recently, I’ve become aware of new risks to websites: those introduced by using third-party code. Industry estimates put the share of code on a typical site that comes from a third party as high as 70 percent. This is probably true in your organization: your web team uses open source libraries and sites like GitHub to find scripts for common tasks. This lets them focus their efforts on building truly differentiated features that will make your website unique and special, and it helps them handle the pressure of taking new capabilities to market quickly. The catch is that a third-party script runs in the visitor’s browser with exactly the same access as your own code, so a tag that is modified at its source, or that loads further scripts from elsewhere, can read whatever the visitor types into your checkout page. That is how digital skimming, the technique associated with the Magecart groups, works. So where do these scripts and snippets REALLY come from? What is the risk you’re assuming? And how much is known about this risk? We decided to find out more about this topic, so PerimeterX commissioned Osterman Research to survey people familiar with the topic. Here are some of the findings:
- Only 11 percent of website decision makers believe they have complete insight into the third-party scripts on their website. Yet 70 percent believe they’d be fired if a data breach occurred from their use.
- Fewer than two in five decision makers can assure their management that their sites are secure and compliant with appropriate regulations.
- Vulnerabilities in third-party scripts are largely unaddressed: only 31 percent believe they have addressed all of the vulnerabilities in their third-party scripts.
These statistics highlight a major disconnect between understanding the risk of vulnerable third-party scripts and being able to act on it to protect a website or web application. They also indicate that people in roles responsible for websites are assuming a great deal of risk. As the roughly $230M fine the UK ICO announced against British Airways after its 2018 payment-page skimming breach shows, these risks must be taken seriously before they result in data breaches, fines and damage to brand reputation.
If you steward your company’s web or e-commerce site, I’d encourage you to read the entire survey report. Also, consider whether or not you have the proper tools in place in your organization to manage these threats. The task may seem daunting, but a new category of solutions is available to help. To learn more about protecting your website from vulnerable third-party scripts, visit https://www.perimeterx.com/products/code-defender.