HUMAN Blog

5 Risks of Client-side Supply Chain Code

Web developers rely on third-party code and open-source libraries to quickly add functionalities to their site. In fact, over 99% of websites use third-party code in the form of social sharing buttons, advertising iframes, payment iframes, chatbots, analytics scripts and A/B testing scripts to create frictionless experiences for their users.

In order to function, third-party code must be granted access to your apps and data, including the power to modify, remove and create alternative site assets — and cybercriminals know it. They target vulnerabilities in this code to carry out digital skimming, PII harvesting and other client-side supply chain attacks.

Third-party Problems

If a cybercriminal conducts a successful supply chain attack against your site, the consequences for the business can be severe.

1. Regulatory Fines

Data privacy regulations — including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Act (CPRA) — hold online businesses accountable for safeguarding consumer data. The CPRA specifically provides that digital businesses that expose the data of California residents face possible fines of $7500 for each intentional violation of user privacy and $2500 per violation for those deemed unintentional.

Governments are serious about enforcing such legislation. British Airways was fined $229 million for a Magecart attack that harvested personal and card information from over 400,000 British Airways customers, though the amount was later reduced.

2. Lawsuits

Unsurprisingly, consumers don’t like it when their personal information is exposed. Users might file lawsuits against companies that leave them vulnerable to identity theft, and brands are liable for any data breach on their site — even if the cause was an attack on a third-party library. U.S. retailer Hanna Andersson paid $400,000 to settle a class action lawsuit following a Magecart attack on their website.

3. Damage to Reputation

Consumers are more likely to make purchases on websites they trust and respect, but one data breach can undo all the goodwill a company has built up. Once trust is violated, it’s hard to get back. Almost 60% of consumers won’t buy from a company that has experienced a data breach in the past year. This includes your existing customers and potential customers who are turned off by media coverage of the incident.

4. Profit losses

All in all, falling victim to a data breach will harm your company’s bottom line. Fines, legal fees and payouts, lost customers and lower stock value all cut into profit margins and hinder your ability to grow. It’s estimated that 60% of small businesses that suffer a data breach will go bankrupt. Larger companies will likely make it through, but there will be scars.

5. Impaired website functionality

An attack on third-party code can negatively affect business continuity and limit your ability to deliver specific functionalities on your site. Furthermore, your security team may need to shut down some operations in order to discover what has been stolen and how. This frustrates customers, leading to loss of revenue and a competitive disadvantage.

Why Risky Code Is Easy to Miss

More than 90% of website owners lack complete visibility into third-party code, which makes it difficult to catch and fix risky scripts. Here are a few reasons why:

  • Third-party code runs on the client side, meaning it loads on your users’ browsers outside of the purview of your web controls.
  • Vendors who supply third-party code often call on fourth-, fifth- or Nth-party libraries, which lengthens your supply chain, sometimes without you knowing it.
  • Third-party code may change without you knowing it, introducing new risks that you’re not aware of and rendering initial security reviews obsolete.
  • Developers may introduce third-party code without going through appropriate security reviews, prioritizing speed over a thorough security process.

How to Manage Your Risk

Gaining real-time visibility into, and control over, third-party scripts and open-source libraries can help companies avoid a data breach without sacrificing the benefits that such resources provide.

Here are some best practices to manage your risk:

  1. Set up an agile notification and approval process for third-party scripts or libraries used in your applications.
  2. Use code analysis and external scanners to detect risks early in the development cycle.
  3. Enable Content Security Policy (CSP) and granular JavaScript blocking to keep injected malicious code from loading and to block unauthorized data transfers.
  4. Invest in a client-side application security solution that provides continuous real-time visibility and control over all scripts running on your website.
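As an added illustration of practice 3 (example code, not part of the original post or of HUMAN's product), the following simplified CSP matcher compares a permissive policy with a restrictive one and reports which channels a skimming script could still use to send captured form data off-site. The storefront origin, the vendor hostnames and both policies are constructed assumptions.

```javascript
// Added example, not HUMAN's code: simplified CSP matcher to check whether a policy
// lets a script load or lets data leave the page (ports, paths, nonces, hashes ignored).
const WEAK_CSP = "default-src * 'unsafe-inline'"; // constructed: permissive policy
const HARDENED_CSP = [                              // constructed: restrictive policy
  "default-src 'self'",
  "script-src 'self' https://cdn.example-vendor.com",  // approved vendor script host (assumed)
  "connect-src 'self' https://api.example-vendor.com", // approved fetch/XHR destination (assumed)
  "form-action 'self'",                                // forms may only post back to the site
  "object-src 'none'",
].join("; ");
// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}
// Does one CSP source expression cover the given URL (a WHATWG URL object)?
function sourceMatches(src, url, selfOrigin) {
  if (src === "*") return true;
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === selfOrigin;
  if (src.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes are not host sources
  const [scheme, host] = src.includes("://") ? src.split("://") : [null, src];
  if (scheme && `${scheme}:` !== url.protocol) return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}
// Would the policy permit `directive` (e.g. connect-src) to reach urlString?
// Fetch directives fall back to default-src; form-action does not.
function allowed(policy, directive, urlString, selfOrigin) {
  const dirs = parseCsp(policy);
  const url = new URL(urlString);
  let list = dirs[directive];
  if (!list && directive !== "form-action") list = dirs["default-src"];
  if (!list) return true; // nothing restricts this directive
  return list.some((src) => sourceMatches(src, url, new URL(selfOrigin).origin));
}
// Defender's audit: which channels a skimming script could still use to ship
// captured form data to an unapproved origin under this policy.
function exfilChannelsOpen(policy, selfOrigin, unapprovedUrl) {
  return {
    fetchOrXhr: allowed(policy, "connect-src", unapprovedUrl, selfOrigin),
    formPost: allowed(policy, "form-action", unapprovedUrl, selfOrigin),
    imageBeacon: allowed(policy, "img-src", unapprovedUrl, selfOrigin),
  };
}
```

Run `exfilChannelsOpen` against your own deployed header to see which directive is missing; a policy without `form-action` leaves form posts unrestricted even when `default-src` is tight.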

Implementing a comprehensive web app security platform will safeguard your customers’ data, ensure privacy compliance and maintain your brand reputation. Learn how HUMAN Code Defender can help!