The majority of the code on your website isn’t yours — but when it comes to how that code impacts your site and your users, it’s your reputation and revenue that are on the line.
70% of the code on a typical site isn’t developed in house, but is instead derived from open source libraries and third-party partners. This allows developers to quickly bring functionalities to market, improves site performance and enables marketing and e-commerce teams to track and analyze web traffic.
Third-party code is often added from trusted sources to enable specific and necessary functions, so it may not be analyzed as closely by your security team. It may be introduced or changed without formal security validation and, because of this, website owners lack complete control and visibility into what’s happening with this code when a user visits their site.
Also known as shadow code, this code loads content dynamically from third-party domains on users’ browsers. Frequently, a third-party script calls on another script which calls on another, creating a veritable supply chain where a vulnerability in an Nth-party script could put the whole chain at risk.
Cybercriminals take advantage of this client-side blind spot to launch Magecart, digital skimming and formjacking attacks. Website owners know that third-party code introduces risks, but the gains in time to market and capability are too critical in today’s fast-paced digital market. So assuming that third-party code isn’t going away, the question is: how can online businesses get these benefits while mitigating the risk?
Static Code Analysis
Static code analysis — also known as Static Application Security Testing (SAST) — is a method of debugging in which an application’s source code is examined before a program is run. This process is usually done by analyzing the code against a given set of rules or coding standards, or in conjunction with build and release cycles to mitigate developer errors that could break functionality, impact performance or introduce a security vulnerability
The biggest advantage of static code analysis from a security perspective is the ability to proactively identify potential code vulnerabilities introduced on new builds and releases before they are rolled out to production.
Static code analysis only captures specific code patterns or explicit use of problematic code. Malicious scripts are aware of their execution environment and will only load in a real client-side environment. Since problematic code will not be present during the scan, static code analysis will not catch it.
Furthermore, scripts that are loaded at runtime in the browser from external domains in a cascading way are not available for scan. In addition to its dynamic execution, third-party code is frequently changed or updated, often without you knowing it.
External scanners inspect script behavior in an external sandbox to detect malicious intent. They capture a moment-in-time snapshot of vulnerabilities in website code.
External scanners provide immediate visibility without having to deploy anything to your website. They give you a sense of what scripts are running, what domains are being communicated with and can alert you to known vulnerabilities that appear during the scan, so you can take the necessary steps to mitigate the risk.
Malicious scripts are often designed to evade detection by external scanners. They purposefully only target a small percentage of users, so it is unlikely that they will be running during any particular moment-in-time scan. Scripts could be compromised at any point between scans or downstream on cascading scripts loaded dynamically.
Cybercriminals increasingly use scripts that load dynamically to avoid static malware scanners and remove themselves from memory when they detect the possibility of static code analysis or developer tools being accessed. Even if an external scanner does find malicious activity, all they can do is issue an alert; they cannot actually block it.
Content Security Policy
Content security policy (CSP) was designed to act as sort of an in-browser firewall to help mitigate client side threats such as cross-site scripting (XSS). Essentially, CSP lets you create a preset ‘allow list’ of what domains can be used in a few different contexts in an attempt to limit the execution of untrusted code or sending out data to malicious domains. CSP is configured on the web server or injected via a content delivery network (CDN), either as an HTML meta tag or as a content-security-policy header.
CSP can prevent malicious script injections from loading and block data transfer, thus thwarting some cross-site scripting (XSS) attacks. It limits what scripts a browser can load for a given website and restricts network communication to specific domains, which may be used to exfiltrate stolen data.
CSP directives require an up-to-date source list, which is difficult to manage given the heavy reliance on third-party scripts that frequently change. They cannot prevent a script from modifying the document object model (DOM) or writing to local storage, among other limitations. In addition, CSP can be disabled by browser extensions.
Most importantly, CSP is only applicable to preventing attacks sending data to third-party domains. It does not protect against first-party compromises or attacks that send data through a trusted domain on the allow list, such as Google Analytics. CSP can block or allow, but it doesn’t actually provide visibility into the behavior of your scripts. If a trusted third-party vendor script on your site was compromised or acting in a way that violates privacy or PCI compliance, CSP wouldn’t be able to detect or mitigate.
Behavioral monitoring solutions analyze how your scripts behave in your real users browsers, including downstream communication. It allows you to detect any changes or risky and anomalous behavior, regardless of whether it’s a first, third or Nth-party script.
Behavioral monitoring is the best way to detect malicious code and potential privacy or PCI compliance issues, but it cannot block scripts.
The Right Solution
Each of the approaches presented above have valuable benefits, but will leave gaps in your security infrastructure if relied on alone for protection.
- Static code analysis is a useful checkpoint, but it does not account for the dynamic, real-world behavior of today’s code.
- External scanners provide a helpful snapshot, but they are easy to evade, do not measure code changes, and cannot actually block malicious scripts.
- Content security policy (CSP) effectively blocks malicious scripts, but it is difficult to manage manually, only works for third-party scripts, and has limited directives.
- Behavioral monitoring acts in real-time to continuously analyze first- and third-party scripts, but cannot actually block them.