Website Risk Analyzer Finds Threats in Your Third Party Code

PerimeterX recently released a free scanner to help you quickly assess script-related security risks in your web applications. If you want to skip the details and check it out right now, click here. Or keep reading for more detail on why script-based vulnerabilities are so common and how to address the issue long-term.

As experienced security professionals, most of you are familiar with the security axiom “you can’t protect what you can’t see.” Maintaining line of sight into your web application environment is the foundation for implementing effective security controls and remediating risks before they are exploited.

Visibility into the security risks within public-facing web applications is a particular area of concern for security teams for two reasons. First, they are an attack surface very commonly targeted by bad actors for digital skimming, formjacking and Magecart attacks. Second, many development teams rely heavily on third-party scripts and open source libraries such as React and jQuery in order to deliver new application functions quickly.

However, because the code that enables this increased velocity is not developed in house, application developers do not have full visibility into all the actions performed and external domains accessed by these scripts at runtime. Nevertheless, the scripts are assumed to be trustworthy and are often incorporated into the web app without going through full code reviews or security validations, resulting in what we call “shadow code.” This security blind spot is a goldmine for cybercriminals, who search for vulnerabilities in open source libraries to inject malicious code.
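A first step toward regaining that line of sight is simply inventorying which external hosts a page loads scripts from and whether each one is pinned with Subresource Integrity. The following is an added example written for this post, not PerimeterX's scanner or any code from the original; the page HTML, hostnames and integrity value are constructed placeholders, and the allowlist is an assumed list of hosts the team has already reviewed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(page_html, first_party_host, allowed_hosts):
    """Return findings for external <script src> tags.

    A finding is a dict with 'kind' ('unknown-host' or 'missing-sri') and 'src'.
    First-party and relative script URLs are skipped; scheme-relative URLs
    (//host/path) are resolved to their host like any other external URL.
    """
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts need a content review, not a host check
        host = urlparse(src).hostname
        if host is None or host == first_party_host:
            continue  # first-party script, out of scope here
        if host not in allowed_hosts:
            findings.append({"kind": "unknown-host", "src": src})
        if not attrs.get("integrity"):
            findings.append({"kind": "missing-sri", "src": src})
    return findings


# Constructed sample page: one first-party script, one pinned CDN script,
# one allowed-host script without SRI, and one script from an unreviewed host.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/react.min.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//cdn.example-cdn.test/vendor.js"></script>
<script src="https://unknown-tag.test/track.js"></script>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "shop.example.test", {"cdn.example-cdn.test"}):
        print(f["kind"], f["src"])
```

Run against a rendered DOM snapshot rather than the raw template to catch scripts that other scripts inject at load time.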

In fact, shadow code is so widespread that the Web Almanac found more than 4 out of 5 of the web’s most popular sites use a JavaScript library or framework with at least one known security vulnerability. And Osterman Research’s 2020 Application Security Risk Survey found that 92% of website and security owners (Read more...)

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2021/website-risk-analyzer-finds-threats-in-your-third-party-code/