Website Risk Analyzer Finds Threats in Your Third Party Code

PerimeterX recently released a free scanner to help you quickly assess script-related security risks in your web applications. If you want to skip the details and check it out right now, click here. Or keep reading for more detail on why script-based vulnerabilities are so common and how to address the issue long-term.

As experienced security professionals, most of you are familiar with the security axiom “you can’t protect what you can’t see.” Maintaining line-of-sight into your web applications environment is the foundation for implementing effective security controls and remediating risks before they are exploited.

Visibility into the security risks within public-facing web applications is a particular area of concern for security teams for two reasons: First, they are a very commonly targeted attack surface by bad actors for digital skimming, formjacking and Magecart attacks. Second, many development teams rely heavily on third-party scripts and open source libraries such as React and jQuery in order to deliver new application functions quickly.

However, as the code that enables this increased velocity is not developed in house, application developers do not have full visibility into all the actions and external domains accessed by these scripts in runtime. Nevertheless, the scripts are assumed to be trustworthy and often incorporated into the web app without going through full code reviews or security validations, resulting in what we call “shadow code.” And even code that has gone through review has the runtime risk mentioned above. This security blindspot is a goldmine for cybercriminals, who search for vulnerabilities in open source libraries to inject malicious code.

In fact, shadow code is so widespread, Web Almanac found more than 4 out of 5 of the web’s most popular sites use a JavaScript library or framework with at least one known security vulnerability. And Osterman Research’s 2020 Application Security Risk Survey found that 92% of website and security owners don’t have adequate visibility into the third party scripts on their site. It’s no wonder security analysts are constantly asking themselves what vulnerabilities they might have missed.

As I said at the beginning of this post, visibility is the foundation of protection. The good news is that getting a base level of visibility into potential web application risks doesn’t have to be complicated. PerimeterX has released Website Risk Analyzer, a free Chrome extension that analyzes web applications for script-related vulnerabilities and suspicious behavior in a matter of minutes. With Website Risk Analyzer, web development and security teams can quickly assess whether their application scripts contain known vulnerabilities, are accessing PII or credit card details, or are connecting with known suspicious domains and creating risks.

While Website Risk Analyzer is extremely valuable in helping security teams quickly uncover hidden security risks at a point in time, it’s not the complete solution. Application scripts change frequently to keep up with evolving business needs, and third-party scripts may be updated by vendors without formal notifications. To ensure constant visibility into potential application risks over time, you must establish a baseline of normal or expected behavior and maintain persistent monitoring of script behavior to immediately alert you about suspicious anomalies. If you’re interested in learning more about how to utilize behavioral analysis and advanced machine learning to provide ongoing protection against script-related threats, I encourage you to check out our Code Defender solution.

And if you are part of that 92% that doesn’t have adequate visibility into the scripts running in your web applications, download Website Risk Analyzer. It’s fast, it’s easy, and it’s free — and you might just be surprised by how much you can learn with a quick scan.