The Cyber Threats of Third-Party Features
An organization’s web presence has become the primary point of contact between it and its customers. Instead of using the phone or visiting a brick-and-mortar location, customers visit a web page to ask questions, shop, and make purchases. This has enabled many organizations to scale dramatically, yet it also creates an environment where threats to an organization’s web presence can significantly affect its ability to do business.
Many organizations focus their security efforts on ensuring that their own applications are free from exploitable vulnerabilities. However, external factors can also be a threat to application security. Many websites use third-party features, where external content is loaded into a web page to provide certain functionality. This can be a huge asset for an organization since it can provide access to valuable features without requiring in-house development. Yet these features can also be a hole in organizations’ web defenses, leaving them vulnerable to attack.
How Third-Party Features Work
A web page is a set of files stored on a web server and delivered to users on request. It consists of a few different types of files, and these file formats are standardized so that web browsers know how to render them and present the same view to the user that the developer intended.
Sometimes organizations want to take advantage of external functionality on their web pages. For example, an organization may want to avoid having to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS) and will accomplish this by using an external service to process customer payments. These third-party features are used by having code on the web page that loads and executes script files from another domain. Since these other script files are not written by or under the control of the organization, they can pose significant security risks to the company and the customers making use of its web page. The average large website uses 31 different third-party features, which represents a major security risk.
Breaching Data Through Third-Party Features
Third-party functionality can be extremely useful on a company webpage. The ability to outsource certain functionality can save development time and lessen the regulatory burden on an organization. However, it can also create significant security risks.
For example, many organizations’ websites are designed to use web forms to collect sensitive information from users. This might be personal data collected while a user creates an account with the service or payment card information used for validating a customer transaction. In general, these web forms are designed to send this data to only a couple of different domains that are under the control of the organization.
However, the use of third-party functionality can result in this data spreading much further than the organization intended. In fact, the use of third-party functionality results in form data being sent to an average of 15.7 different third-party domains.
Since web forms are used by 98% of websites to collect personally identifiable information (PII) or financial data from users, this represents a serious threat to security and regulatory compliance. Data protection regulations like PCI DSS and GDPR have strict rules about how personal data collected from customers must be stored and used. The use of third-party features in combination with PII-collecting web forms can result in a data breach and significant penalties being levied against an organization for regulatory non-compliance.
Third-Party Features and Application Security
The threat of third-party features is not limited to the theft of sensitive information entered into web forms. Using a third-party script means that a script tag embedded in the web page requests and executes code from an external server. Since this server is not under the organization’s control, the organization has limited visibility into the script that is being loaded into its page. If an attacker breaches a third party whose content is blindly loaded into an organization’s web page, they could change the code without the organization’s knowledge.
Beyond potentially allowing an attacker access to a user’s account on the site, this could also open up new attack vectors. If functionality that is reachable only by authenticated users contains vulnerabilities, a malicious third-party feature could supply the access necessary to exploit the organization’s web server, with a variety of potential repercussions for the business.
Protecting Against Supply Chain Threats
Any use of third-party functionality in an organization’s supply chain can leave it open to attack. Vulnerabilities inherited from code dependencies can be used to exploit an application. However, code reuse is also considered best practice when done properly, since it increases development efficiency and can give an organization access to high-quality code implementing complex functionality.
However, the blind use of third-party features can open up an organization’s applications to attack. Securing web applications requires security solutions that can inspect third-party script code for potentially dangerous behavior and identify suspicious user requests that may indicate account compromise.