How far back could you trace the food items in your kitchen if you had to determine the provenance of every single piece of produce? Unless you’re growing, catching or raising your own food, chances are the answer is not very far. You may remember the store each item was bought from, but you quite likely have little awareness of the steps that preceded it landing on the store shelves to begin with. The truth is that you probably know precious little about the supply chain that feeds you and your family.
Website computer code isn’t totally different. Many websites rely on third party code to add additional functionality to everything from blogs to online stores. In many cases, this third party code is gathered from yet other third parties.
The good news is that users can build everything from ad tracking to customer reviews to social media integration into their sites without having to fret about building it from the ground up. The bad news is that, by having a lack of awareness of where that code comes from and its possible vulnerabilities, they open themselves up to risk. To return briefly to the food analogy, imagine if you handed over the keys to your front door to your local grocers so that they could enter your house and stock your cupboards up with fresh produce. That would be very convenient and time saving — but would also open you up to risk in the event that someone with access to your home decided to use this to inflict harm.
The TL;DR version? Website operators need to ask themselves “what is web application security?” and work to address this lack of visibility problem that could potentially cost them in a big, bad way.
The lack of awareness problem
Lack of awareness of third party code is a widespread problem. According to a recent report, close to half of United States owners of websites have such low levels of insight regarding the third party code they rely on that they are unable to decisively say whether they’ve been the victims of a cyber breach.
The report noted that 99 percent of firms use extensive software supply chains when it comes to web functionality, with close to 80 percent saying that open source code and third party scripts account for upward of half of their website’s capabilities. But while virtually all involved realized what the impacts of an attack on their web infrastructure could be — ranging from revenue loss to long-term reputational damage — 48 percent would be unable to say definitively if their website had been attacked. That’s bad news for a variety of reasons, with the major one being that, if a website owner isn’t aware they’re under attack, they won’t take steps to remediate this.
The problem appears to be getting worse, too. The same report noted that this 48 percent figure is up from 40 percent who answered this way in 2020. That is particularly concerning when taken into account with other figures suggesting that attacks on software supply chains have exploded by 650 percent in the past year — with bad actors working to inject vulnerabilities into open source projects.
Protecting against attacks
As noted, the impacts of such attacks can be severe, resulting in everything from stolen data to vandalized web pages to methods for spreading malware. One prominent example of online attacks leveled against websites are the so-called Magecart attacks. Titled after the infamous consortium of hackers of the same name who routinely attack online shopping cart systems (often the Magento system), Magecart attacks steal customer data during the online checkout process. Magecart attacks work by gaining access to sites, frequently by way of third party services and the use of malicious JavaScript code.
As more of our shopping is carried out online, Magecart attacks are only going to increase. So, as more of our lives involve the online world — and more is expected of website functionality – so will attacks that target websites via the supply chain.
Organizations need to do a better job of protecting themselves — and, ultimately, their users — against such attacks. Fortunately the tools are there to help. What is needed more than ever is the deployment of web application security solutions to monitor for changes to codebase and block any attempted exploitation of vulnerabilities. Web application firewalls (WAFs) are software and hardware solutions that are able to protect against application security threats, examining incoming traffic and blocking bad requests before they can interact with a particular application. Adopting tools such as this should be a top priority for anyone who operates a website — especially one that features third party code. The risks of not doing anything to cut down on these threats are too severe to contemplate. If you want to do the right thing by your customer, act now and make sure you have the right cyber security solutions in place. The world will thank you for it.
