In order to create and deliver this functionality, most websites contain hundreds of thousands of lines of code – code which has been created internally by the site owners and code which comes from third-party libraries. In fact, the average website today uses around 60 third-party libraries within their site, providing everything from analytic and telemetry tracking from large technology providers to small user interface tweaks from open source projects.
A traditional development mindset
Using third-party libraries is not a new concept when it comes to development – in fact, software has been created this way for decades. When creating software, it is simply not possible for organizations to produce every piece of functionality themselves in most instances as they do not have the time or resources. Instead, developers will use both commercial and open-source libraries to add functionality to their online properties.
While including third-party code certainly has its risks – for example, a rogue provider could have included some malware in its library – in most cases, there is a significant testing process which checks many things including security. Before releasing a product to customers, most developers will reach a point where they are satisfied with the general usability and no security issues exist. If any part of the code changes – for example, the third-party provider creates a new library – the developers would go through the test process again before delivering a new product to its customers.
However, there is one significant difference between traditional development and website development which is in how these libraries are ultimately delivered to users. With traditional applications, third-party libraries are compiled into an end product at development and build time and packed into the resulting binaries. If the developer changes a library, they then need to create a new product for customers to use – basically, if a developer changes code, then the product which the customers are using does not change until they get a new build.
With websites, libraries are downloaded, usually from the library vendor, each time a page is requested. In this model, code can change often – with some vendors changing their libraries multiple times a day – and if an organization’s website includes such libraries, their users are running the current version of this code each time they visit.
Organizations often do not know whether their third-party providers are secure
Most organizations invest heavily in their security, with everything from IT protection to physical security, such as door passes. For example, a business is not likely to allow just anyone to have access to the database where their customer data is stored and they would have procedures in place to ensure that a rogue developer cannot add malware designed to steal customer passwords, credit card information or login details.
The challenge is, however, that many of the technologies used on that same organization’s website would be sourced from third parties who may have no such security. While an analytic tracking library from a major search engine could be trusted, some libraries could be from open source projects created as part of a college computer science course or stored in a repository which many developers can access or change.
Ensighten can help
Our technologists will work with organizations and identify areas of potential concern with no obligation, regardless of whether they use our technology or not. With online skimming and injection-based attacks in general being relatively unknown, we are happy to talk to businesses if for nothing more than to help educate them on the risks.
Get in contact to book a demo and see our solution in action.
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.