What are Client-side Supply Chain Attacks?
Falling victim to a client-side supply chain attack exposes user data, damages brand reputation and leads to lawsuits due to noncompliance with data privacy regulations. And without the right security protocols, these attacks can go undetected for long periods of time.
Types of Client-side Supply Chain Attacks
Why are Client-side Supply Chain Attacks Difficult to Detect?
Client-side supply chain attacks can easily go undetected for several reasons.
- Frequent code changes - Third-party libraries are continually being iterated on and updated. Even if a script is reviewed when it is first added to a site, that review says nothing about the security of subsequent modifications. Over 50% of website owners state that the third-party scripts running on their web properties change four or more times every year, often without their knowledge.
- Nth-party vendors - Third-party vendors may themselves obtain code from external libraries. Partners’ dependence on other partners for code may be undisclosed, lengthening the software supply chain and increasing business risk. In certain instances, it may be the nth-party script down the line that is vulnerable, which can have a detrimental effect on the entire software supply chain.
- Insufficient security reviews - Developers rely on third-party code to quickly bring capabilities to market. They don’t want to be slowed down by internal processes and may introduce code to an application without going through the appropriate security reviews. Even if an initial review is conducted, it does not account for future code changes.
Impacts of Client-side Supply Chain Attacks
Client-side supply chain attacks lead to severe business consequences regarding:
- Compliance penalties - Many countries and states have enacted data privacy legislation, including the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Businesses are liable for hefty fines if they do not comply with these regulations — even if it’s due to an attack on a third-party vendor.
- Financial liability - Consumers may file lawsuits against businesses that expose their personal data to cybercriminals in a client-side supply chain attack. Brands are liable for any data breach on their site, including one that arises from third-party components and services that are introduced to users from a software supply chain.
- Brand reputation - If your brand suffers a client-side supply chain attack, consumers whose data was compromised will lose trust in your brand and go elsewhere. Furthermore, press coverage of the attack may dissuade new customers from choosing to engage with your company, and it can negatively impact your stock price if you are a public company.
All in all, client-side supply chain attacks lead to severe financial losses. In some cases, top executives may be forced to resign, as happened to the CEO of Target following a data breach resulting from supply chain code.
How are Companies Fighting Client-side Supply Chain Attacks?
Traditional cybersecurity solutions like Web Application Firewalls (WAFs) are insufficient for protecting the client side against digital skimming and PII harvesting attacks. Some companies are placing their bets on static scanning of their site, not realizing the dynamic nature of malicious code. Solutions like sandboxing create significant hurdles in the website development process and break continuous integration and deployment cycles. Content Security Policies (CSPs) are often the first step for many web application security professionals. Because CSPs were originally designed for protection against cross-site scripting (XSS), they need a lot of tuning. CSPs alone don’t provide any protection against a compromise of a trusted domain, which can then be used to inject a skimmer on the website. CSPs are also all-or-nothing: a script source is either allowed or blocked, with no control over what an allowed script does once it loads, so more granular control is key.
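To make the trusted-domain and all-or-nothing limits concrete, here is an added example (not code from the original article) that evaluates script URLs against a CSP script-src allowlist the way a browser would, in simplified form; the policy, the shop origin and the vendor CDN hostname are constructed for illustration.

```javascript
// Added example, not from the original article: a minimal evaluator for the CSP
// script-src directive, showing that the allowlist decides per origin, not per script.
// It models 'self', scheme-source and host-source matching only (no nonces, hashes
// or inline scripts), a simplified subset of the CSP Level 3 matching rules.

function parseSources(cspHeader, name) {
  // Source list of the named directive, or null if the header does not set it.
  const d = cspHeader.split(";").map(s => s.trim()).find(s => s.startsWith(name + " "));
  return d ? d.slice(name.length + 1).split(/\s+/) : null;
}

function hostMatches(pattern, host) {
  // "*.vendor.example" matches any subdomain; otherwise the host must match exactly.
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

function sourceAllows(source, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);
  if (source === "'self'") return u.origin === new URL(pageOrigin).origin;
  if (/^[a-z]+:$/.test(source)) return u.protocol === source; // scheme-source such as https:
  const m = source.match(/^(?:([a-z]+):\/\/)?([^\/:]+)(?::\d+)?(\/.*)?$/); // host-source; port ignored
  if (!m) return false;
  const [, scheme, hostPattern, path] = m;
  if (scheme && u.protocol !== scheme + ":") return false;
  if (!hostMatches(hostPattern, u.hostname)) return false;
  if (!path) return true; // no path means every file on that host
  return path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path;
}

function scriptAllowed(cspHeader, scriptUrl, pageOrigin) {
  // script-src falls back to default-src when absent (assumes one of them is set).
  const sources = parseSources(cspHeader, "script-src") || parseSources(cspHeader, "default-src") || [];
  return sources.some(s => sourceAllows(s, scriptUrl, pageOrigin));
}

// Constructed sample: the shop allows its own origin and one tag vendor's CDN.
const SAMPLE_POLICY = "default-src 'none'; script-src 'self' https://cdn.vendor.example";
const PAGE = "https://shop.example/checkout";

function evaluateSample() {
  return {
    vendorTag: scriptAllowed(SAMPLE_POLICY, "https://cdn.vendor.example/tag.js", PAGE),
    // Every file the vendor host serves is allowed, so a skimmer placed on that CDN
    // after a vendor compromise passes exactly like the legitimate tag did.
    vendorAnyFile: scriptAllowed(SAMPLE_POLICY, "https://cdn.vendor.example/v2/skim.js", PAGE),
    unlistedHost: scriptAllowed(SAMPLE_POLICY, "https://exfil.invalid/skim.js", PAGE),
    plainHttp: scriptAllowed(SAMPLE_POLICY, "http://cdn.vendor.example/tag.js", PAGE),
  };
}
```

The policy blocks scripts from hosts it has never heard of, but anything served from the allowlisted vendor host is accepted unconditionally, which is why monitoring what allowed scripts actually do matters as much as the allowlist itself.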
Modern client-side application security solutions can continuously monitor all of the scripts on your website for anomalous behavior and automatically groom CSP rules to help stop digital skimming and PII Harvesting.