The ticking time bomb in every company’s code
Working in application security sometimes feels like walking a fine line between “business as usual” and “doomsday is coming.” This balance becomes increasingly harder at times like these, when digital acceleration is happening in every sector, outpacing the security controls put in place.
Much of the disruption that kindled this acceleration happened in the Web development and security space. Twenty years ago, the “typical” website was a static page for informational purposes. Today, it’s a dynamic Web app that handles extremely sensitive data and performs critical operations.
Sensitive data continuously passing through almost every website gives attackers a golden opportunity to steal and sell this private information. Unfortunately, such attacks have become wildly successful — and the growth of exposed records keeps climbing. Recent data indicates that the number of exposed records in first quarter of 2020 was 273% higher than in the same quarter of 2019.
By now, those working in application security know that traditional security systems (server-side and network security such as Web application firewalls) can’t prevent data-exfiltration attacks targeting websites. Attackers are taking advantage of a blind spot in client-side security, injecting malicious code into companies’ websites without ever having to breach their first-party servers. And this brings us to the “ticking time bomb”: the Web supply chain.
Benefits and Risks in Code Dependencies
The typical JavaScript development process often relies on open-source components that speed development. This means companies end up using hundreds of pieces of externally sourced code (also known as modules or code dependencies) on their websites. This scenario provides little to no feasible control for companies, and most end up trusting that the modules they use are reliable and secure. Not only that, but these modules may also rely on third-party code, which creates an even more complex chain of code dependencies.
The more dependencies used, the bigger the attack surface and the greater the likelihood that an attacker could gain control of one of the dependencies and inject malicious code into the Web page.
If this concept of Web supply chain attacks seems to resemble the SolarWinds incident, that’s because SolarWinds is a perfect example of how a supply chain attack can reach incredible proportions. So, it only makes sense to wonder whether the Web supply chain will be next.
To read the complete article, visit Dark Reading.