Website Supply Chain Security

Gain visibility and control over the third-party services and supply chain of your website

Guide

Read our 15-minute guide to client-side skimming protection

button-read-2

Webinar

Learn how client-side online skimming attacks work

button-watch-300

Video demo

See how Ensighten prevents online skimming attacks

button-watch-300

Case study

Learn how Ensighten prevents data theft for banks

button-read-2

According to several independent studies, most organizations are unprepared today to adequately address supply chain cybersecurity risks. The weak link in your security might lie with partners and suppliers that contribute to your online experiences — your third-party website supply chain. While third-party scripts like ads, analytics, trackers and social media buttons provide great functionality to your website, they can also come with security risks if you do not have the correct website security measures in place.

Read our 15-minute guide to client-side online skimming protection

button-skimming-guide-1

Web supply chain JavaScript vulnerabilities – you are what you include

The website supply chain is a combination of third-party code that comes from technology partners (e.g., ecommerce platform) and third-party service scripts (e.g., analytics, chat bot, marketing). The web supply chain enhances the customer experience by adding important features. Keep in mind, however, that as partner technologies and services are added, so too are thousands of pieces of third-party code – each piece represents an increase in your attack surface. The risk is further compounded when recognizing that many of these third parties have few resources dedicated to security.

A breach on a single third party within your supply chain can covertly send malicious code down the chain into your website and these pieces of third-party code have the same level of content and data access as the code built by your developers.

With the average website using 50-60 third-party components, hackers scour codebases and scripts looking for vulnerabilities and then target any organization making use of them. For example, the hacker group Magecart made its name after finding vulnerabilities in the popular component Magento, used by many thousands of online stores. By injecting rogue script code into this popular library, customer data was siphoned when users visited any of the online stores that utilized the component. This method was used by a Magecart group to steal customer data from Ticketmaster and many other known brands. In the case of Ticketmaster, cybercriminals injected malicious JavaScript code into the firm’s website after compromising a chatbot originating from a third-party customer support company.

web-supply-chain-graph

59%

of companies have experienced a data breach caused by one of their third parties

44%

of organizations say they have no controls in place for third-party suppliers

63%

of all cyberattacks could be traced either directly or indirectly to third-party technologies

Magecart

Operating since at least 2015, the groups have ramped up their activities over the last year or two, using more efficient skimmers and launching more pervasive payment card attacks to target companies like Ticketmaster, Forbes and Newegg, among many others. In fact, researchers uncovered more than 80 global ecommerce websites compromised by Magecart groups in just 2.5 hours of searching. The compromised sites were spread out across the US, Canada, Europe, Latin America and Asia. Moreover, one in five Magecart-infected stores are reinfected multiple times, often within days, according to a report by security researcher Willem de Groot. For example, luxury mattress company Amerisleep was originally breached by Magecart in 2017 and was attacked twice again in December 2018 and January 2019.

web-supply-chain

What are the risks of web supply chain attacks?

The biggest risk of a website supply chain attack is a major data breach. According to the Ponemon 2020 Data Breach Cost Study, the average data breach results in 26,000 records stolen by hackers and fines and recovery costs of $3.86 million. The costs escalate in more highly regulated industries such as Healthcare and Financial Services.

Potential risks include:

  • Identity theft
  • Identity spoofing
  • Privilege escalation
  • Access to unauthorized information or content
  • Loss of reputation and/or business
  • Loss of customer trust
  • Privacy non-compliance and data breach incidents and fines (e.g., GDPR, CCPA)


Aside from the security implications, external third-party technologies, tags and scripts can affect a website’s performance. Even a change to a single line of code by a third-party vendor can increase page load times. Furthermore, third-party tags often call upon fourth-party tags for enhanced functionality and operational capabilities, adding further complexity and risks to your environment.

Steps for a more secure website

Software supply chain attacks can be difficult to protect against but the key to managing third-party technologies and ensuring criminals cannot slip through your security perimeters is to have a holistic overview of your entire ecosystem and understand the dependencies and performance costs created by these services. Your organization should be implementing security best practices, such as a layered approach to protection as well as proactively and regularly updating any out-of-date security devices.

1// Perform regular site scans

Performing a regular site scan to see just what is running on the site and test any new updates to detect any suspicious behavior. Inventory and visibility of third-party scripts alone can decrease the likelihood of a data breach by 46 percent according to a Ponemon Third-Party Risk Study.

2// Observe site traffic

Monitoring site traffic in real-time with real user activity to help identify any suspicious patterns so you can act before any damage can be done.

3// Establish an approved third-party web supply chain perimeter

Allow website interaction with trusted third-party services only – creating an allowlist and a blocklist allows you to share data with trusted vendors.

4// Profile and control data being shared with partners

Audit specific data types being shared with approved partners and eliminate unnecessary and unauthorized (i.e., user consent) sharing of customer and sensitive data (e.g., social security number, payment card information).

Mitigate web supply chain risks through Ensighten

The Ensighten platform enables organizations to inventory and categorize web supply chain partners and establish rules to permit website interaction only with approved partners via allowlists. The platform will monitor client-side browser requests, both web and mobile variants, and block unapproved incoming and outgoing requests. Telemetry is provided to DevSecOps teams to investigate partner and request activity.

In addition to ensuring requests involve only approved partners, the Ensighten platform allows more granular data sharing control to further restrict data types exchanged with approved vendors. This configurable data filtering capability allows companies to enforce user privacy preferences and comply with data protection regulations, such as the CCPA, GDPR and PCI DSS.

The major Ensighten advantages are fast time to protect and comply, ease of use (non-development resources) and ease of maintaining as website changes. Learn more about client-side web security here (link to client-web security solution page).

Watch our webinar on Magecart and web skimming attacks

button-skimming-webinar

Learn more about Ensighten and our solution

icon-shield-blue
Video demo
See how Ensighten prevents client-side online skimming attacks
Watch now
icon-document-blue
Case study
Learn how the Ensighten solution prevents client-side attacks for banks
Read now
icon-lock-blue
Threat intelligence
Learn how Ensighten uses threat intelligence to detect existing and emerging threats
Learn More