Content security policies and compliance seals of approval don’t necessarily offer peace of mind when third-party scripts are on the page. In fact, many of the websites we’ve identified as compromised by Magecart attacks carry a logo or seal claiming the site is secure, so clearly something is not working.
We looked at a random sample of ecommerce site homepages and found an average of four different third-party scripts on each. Each of these websites is only as secure as the least secure of those third parties – which demonstrates how simple it would be for an attacker to monitor high-traffic sites and choose a common denominator to economise an attack.
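One way to build that inventory for your own pages, as an added example rather than code from the article: the script below lists the third-party hosts a page loads scripts from and counts how many of those tags have no Subresource Integrity hash. It assumes the page HTML has already been fetched; the sample page and its hosts are constructed, and the site host name passed in is a placeholder.

```python
"""Inventory third-party <script src> tags and flag those without SRI.
Added example, not the original article's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag.lower() == "script" and attr.get("src"):
            self.scripts.append(attr)

def third_party_scripts(html, site_host):
    """One dict per third-party script: host, src, and whether SRI is set.
    Third-party = src host is neither site_host nor a subdomain of it; relative
    URLs are first-party. Only static tags are seen: scripts injected at runtime
    by other scripts will not appear, so the result is a floor, not a full inventory.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    site_host = site_host.lower()
    found = []
    for attr in parser.scripts:
        host = (urlparse(attr["src"]).hostname or "").lower()  # "" if relative
        if not host or host == site_host or host.endswith("." + site_host):
            continue
        found.append({"host": host, "src": attr["src"],
                      "sri": bool(attr.get("integrity"))})
    return found

def summarise(html, site_host):
    """Distinct third-party hosts plus the number of scripts lacking SRI."""
    scripts = third_party_scripts(html, site_host)
    return {"third_party_hosts": sorted({s["host"] for s in scripts}),
            "without_sri": sum(1 for s in scripts if not s["sri"])}

# Constructed sample checkout page; the hosts are placeholders, not real indicators.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://static.shop.example/checkout.js"></script>
<script src="//cdn.analytics.example/tag.js"></script>
<script src="https://cdn.widgets.example/chat.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics.example/extra.js"></script>
</head><body></body></html>"""
```

Run `summarise(SAMPLE_HTML, "shop.example")` to get the two third-party hosts and the two tags without SRI; an SRI hash only helps for static versioned files, so a host that serves a frequently changing tag still needs monitoring.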
Looking for vulnerabilities that will affect your customers could pay dividends, whether the affected systems are hosted in your infrastructure or not. When next year’s Apache Struts vulnerability comes out, a quick email to the suppliers you know are using it might be the thing that saves your payroll records, and many other people’s, from landing in the wrong hands.
Leading organizations are already doing this – Google’s Project Zero team continuously researches vulnerabilities in the technologies Google customers use because ensuring their customers are secure makes business sense to Google.
What impacts your customers? What do they rely on? And what can you do to enhance the security of those technologies?