According to several independent studies, most organizations are unprepared to adequately address supply chain cybersecurity risks. The weak link in your security may lie with the partners and suppliers whose code runs on your pages: your third-party website supply chain. Third-party scripts such as ads, analytics, trackers and social media buttons add valuable functionality to a website, but they also bring security risk if the right website security measures are not in place.
Web supply chain JavaScript vulnerabilities – you are what you include
The website supply chain is a combination of third-party code that comes from technology partners (e.g., ecommerce platform) and third-party service scripts (e.g., analytics, chat bot, marketing). The web supply chain enhances the customer experience by adding important features. Keep in mind, however, that as partner technologies and services are added, so too are thousands of pieces of third-party code – each piece represents an increase in your attack surface. The risk is further compounded when recognizing that many of these third parties have few resources dedicated to security.
A breach of a single third party in your supply chain can covertly push malicious code down the chain into your website, and that code runs with the same access to page content and user data as the code your own developers wrote: the browser makes no distinction between a first-party script and a script pulled in from a vendor.
With the average website using 50-60 third-party components, attackers scour widely used platforms and scripts for vulnerabilities and then target every organization that relies on them. The Magecart groups made their name by exploiting vulnerabilities in Magento, the ecommerce platform behind many thousands of online stores, to inject skimming scripts that siphoned payment data from shoppers on each compromised store. The same groups also go after the suppliers themselves: in the case of Ticketmaster, malicious JavaScript reached the firm's website through a chatbot script supplied by a third-party customer support company that had been compromised, and the same supply chain approach has been used against many other well-known brands.
- 59% of companies have experienced a data breach caused by one of their third parties
- 44% of organizations say they have no controls in place for third-party suppliers
- 63% of all cyberattacks could be traced either directly or indirectly to third-party technologies
Magecart
Operating since at least 2015, the groups have ramped up their activities over the last year or two, using more efficient skimmers and launching more pervasive payment card attacks against companies such as Ticketmaster, Forbes and Newegg, among many others. Researchers uncovered more than 80 ecommerce websites compromised by Magecart groups in just 2.5 hours of searching, spread across the US, Canada, Europe, Latin America and Asia. Moreover, one in five Magecart-infected stores is reinfected, often within days, according to a report by security researcher Willem de Groot: cleaning the skimmer without closing the hole it came through only invites the next one. For example, luxury mattress company Amerisleep was first breached by Magecart in 2017 and was hit twice more, in December 2018 and January 2019.
What are the risks of web supply chain attacks?
The biggest risk of a website supply chain attack is a major data breach. According to the Ponemon 2020 Data Breach Cost Study, the average breach exposes roughly 26,000 records and carries an average total cost of $3.86 million in fines, recovery and lost business. The costs escalate in more highly regulated industries such as healthcare and financial services.
Potential risks include:
- Identity theft
- Identity spoofing
- Privilege escalation
- Access to unauthorized information or content
- Loss of reputation and/or business
- Loss of customer trust
- Privacy non-compliance and data breach incidents and fines (e.g., GDPR, CCPA)
Aside from the security implications, external third-party technologies, tags and scripts can affect a website’s performance. Even a change to a single line of code by a third-party vendor can increase page load times. Furthermore, third-party tags often call upon fourth-party tags for enhanced functionality and operational capabilities, adding further complexity and risks to your environment.
Steps for a more secure website
Web supply chain attacks are difficult to protect against, but the key to managing third-party technologies, and to keeping criminals from slipping through your security perimeter, is a complete view of your ecosystem: which scripts load, what they in turn depend on (including fourth parties), and what each costs in performance. Your organization should apply security best practices, including a layered approach to protection and proactive, regular updating of any out-of-date security controls.
1// Perform regular site scans
Scan the site regularly to see exactly what is running on it, and re-scan after every release or vendor update so that new or changed scripts and suspicious behaviour are detected promptly. Inventory and visibility of third-party scripts alone can decrease the likelihood of a data breach by 46 percent, according to a Ponemon Third-Party Risk Study.
2// Observe site traffic
Monitor site traffic in real time, based on real user sessions rather than synthetic tests alone, to spot suspicious patterns such as new destinations or unexpected payloads so you can act before any damage is done.
3// Establish an approved third-party web supply chain perimeter
Allow the website to interact only with trusted third-party services. An allowlist of approved origins, backed by a blocklist for known-bad ones, ensures that data is shared only with vendors you have vetted; in the browser, the native enforcement point for such an allowlist is Content Security Policy (script-src, connect-src, form-action), which request-level monitoring then complements.
4// Profile and control data being shared with partners
Audit the specific data types shared with each approved partner and eliminate any sharing that is unnecessary or unauthorized (i.e., lacking user consent), particularly of sensitive data such as social security numbers and payment card information.
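Steps 3 and 4 above amount to a policy decision per outbound request: is the destination an approved partner, and is that partner authorised to receive the kinds of data the request carries? The following is an added example (not Ensighten's code) of that decision logic, run over a constructed set of requests as a browser-side monitor might observe them on a checkout page. The origins, partner names and sample requests are hypothetical; a Luhn check is used so that session tokens and order ids are not mistaken for card numbers.

```javascript
// Added example (not Ensighten's code): allowlist-based web supply chain
// perimeter with per-partner data controls. All origins and requests below
// are constructed for illustration.

// Step 3: approved destinations, keyed by origin. Step 4: the sensitive data
// classes each destination may receive. Anything not listed here is blocked.
const APPROVED_PARTNERS = {
  // first-party origin: may receive everything the site itself collects
  "https://shop.example.com": { allowedData: ["pan", "ssn", "email"] },
  "https://analytics.example-partner.com": { allowedData: [] },
  "https://chat.example-support.com": { allowedData: ["email"] },
  "https://pay.example-psp.com": { allowedData: ["pan", "email"] },
};

// Luhn check so that order ids and session tokens are not flagged as PANs.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Classify sensitive data present in a request's query string and body.
function classifyData(text) {
  const found = new Set();
  // 13-19 digit runs, optionally separated by spaces or dashes, that pass Luhn
  for (const m of text.matchAll(/\b(?:\d[ -]?){12,18}\d\b/g)) {
    if (luhnValid(m[0].replace(/[ -]/g, ""))) found.add("pan");
  }
  if (/\b\d{3}-\d{2}-\d{4}\b/.test(text)) found.add("ssn");
  if (/[\w.+-]+@[\w-]+\.[\w.-]+/.test(text)) found.add("email");
  return [...found].sort();
}

// Decide the fate of one observed outbound request.
function evaluateRequest(req, partners = APPROVED_PARTNERS) {
  let url;
  try {
    url = new URL(req.url);
  } catch {
    return { url: req.url, action: "block", reason: "unparseable URL", dataTypes: [] };
  }
  const dataTypes = classifyData(`${url.search}\n${req.body || ""}`);
  const partner = partners[url.origin];
  if (!partner) {
    return { url: req.url, action: "block", reason: `unapproved origin ${url.origin}`, dataTypes };
  }
  const leaked = dataTypes.filter((t) => !partner.allowedData.includes(t));
  if (leaked.length > 0) {
    return {
      url: req.url,
      action: "block",
      reason: `${url.origin} is not authorised to receive ${leaked.join(", ")}`,
      dataTypes,
    };
  }
  return { url: req.url, action: "allow", reason: "approved partner, permitted data", dataTypes };
}

function auditRequests(requests, partners = APPROVED_PARTNERS) {
  return requests.map((r) => evaluateRequest(r, partners));
}

// Constructed sample of requests a client-side monitor might see on a checkout
// page. Card numbers are the standard test numbers, not real cards.
const OBSERVED_REQUESTS = [
  { url: "https://analytics.example-partner.com/collect?session=1234567890123456&page=/checkout" },
  { url: "https://pay.example-psp.com/v1/tokens", body: "card=4111 1111 1111 1111&exp=12/27&email=jane@example.com" },
  // skimmer-style exfiltration to an origin that is not on the allowlist
  { url: "https://static.example-cdn-misc.net/img.gif", body: "cc=4242424242424242&cvv=123&name=Jane" },
  // approved partner receiving a data type it is not authorised for
  { url: "https://chat.example-support.com/api/msg", body: "text=my card is 4111-1111-1111-1111&email=jane@example.com" },
];

for (const d of auditRequests(OBSERVED_REQUESTS)) {
  console.log(d.action.padEnd(5), d.dataTypes.join(",").padEnd(10), d.reason);
}
```

The two block reasons are deliberately distinct: an unapproved origin is the classic skimmer case (step 3), while an approved chat vendor receiving a card number is the quieter failure that only a per-partner data policy catches (step 4). In production the same decision would be driven from the inventory produced in step 1 and fed back into the monitoring of step 2.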
Mitigate web supply chain risks through Ensighten
The Ensighten platform enables organizations to inventory and categorize web supply chain partners and establish rules to permit website interaction only with approved partners via allowlists. The platform will monitor client-side browser requests, both web and mobile variants, and block unapproved incoming and outgoing requests. Telemetry is provided to DevSecOps teams to investigate partner and request activity.
In addition to ensuring requests involve only approved partners, the Ensighten platform allows more granular data sharing control to further restrict data types exchanged with approved vendors. This configurable data filtering capability allows companies to enforce user privacy preferences and comply with data protection regulations, such as the CCPA, GDPR and PCI DSS.
The major Ensighten advantages are fast time to protect and comply, ease of use (no development resources required) and ease of maintenance as the website changes.