The listings featured on this site are from companies from which this site receives compensation. This influences: Appearance, order, and manner in which these listings are presented.
Our videos have over 5 million views on Youtube! Visit our channel now »
Disclosure:
Professional Reviews

vpnMentor contains reviews that are written by our community reviewers. These take into consideration the reviewers’ independent and professional examination of the products/services.

Ownership

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, ZenMate, Private Internet Access, and Intego, which may be reviewed on this website.

Affiliate Commissions Advertising

vpnMentor contains reviews that follow the strict reviewing standards, including ethical standards, that we have adopted. Such standards require that each review will take into consideration the independent, honest and professional examination of the reviewer. That being said, we may earn a commission when a user completes an action using our links, at no additional cost to them. On listicle pages, we rank vendors based on a system that prioritizes the reviewer’s examination of each service, but also considers feedback received from our readers and our commercial agreements with providers.

Reviews Guidelines

The reviews published on vpnMentor are written by community reviewers that examine the products according to our strict reviewing standards. Such standards ensure that each review prioritizes the independent, professional and honest examination of the reviewer, and takes into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings we publish may also take into consideration the affiliate commissions we earn for purchases through links on our website.

3rd Party Scripts Are Jeopardizing Your Business, Source Defense is Here to Help

Ditsa Keren Updated on 2nd July 2023 Technology Researcher

Source Defense is the first and only company to offer a real time SAAS solution that protects websites from vulnerabilities introduced through the website supply chain. We've interviewed VP Product and co-founder Avital Grushcovski in order to understand what is the problem with third party scripts, and how it can be avoided. Here's what we found.

What is your main objective at Source Defense?

Websites today typically operate with many third-party vendors scripts integrated onto the website.  These scripts are designed to enable rich content capability and provide measures of website performance and efficiency.  These include analytics, advertising, chat services, social media applications, etc. However, they introduce a problem, because they function outside of the website security perimeter, which is focused on the communication between the user and the website server.  This security generally includes firewalls and WAFs which focus on protecting the server-side of the website session.

These third-party scripts operate outside of this security perimeter and introduce a very real client-side vulnerability that is not currently addressed.  These scripts are designed to communicate with remote servers which are managed by third-party service providers, completely external to the organization's security infrastructure. Some of the big names include Google, and Facebook, but many smaller third party vendors offer compelling capabilities that are broadly deployed and enhance web experience or enrich analytics.

Unfortunately, when these third-party vendors are compromised the resultant attacks can, in turn, compromise all of the organizations that have integrated the services of this third-party vendor.  We’ve seen many and recent examples of this attack type including the April, 2018 breach of Delta, Best Buy, Sears and Kmart that originated from the compromised service of a reputable third-party vendor JavaScript they had all deployed on their websites.  A significant volume of credit card data was stolen which has resulted in significant remediation costs and reputational damage to these prominent vendors.

If we consider that the origin of JavaScript has no effect over the level of access it has to the page. That every script can add/remove data from the page, perform unwanted actions and even record keystrokes as the user types them. The lack of control over how JavaScript is designed to function makes third-party JS an increasingly popular attack vector for hackers.

Today’s solutions are focused around “detecting” this problem post-breach. Source Defense has architected an entirely new approach introducing a paradigm shift focused on preventing this type of attack in real-time through a first of its kind isolation and segmentation technology.  Source Defense’s cloud-based SaaS solution allows administrators to assign default or highly customizable policies to every third-party script operating on their webpage.

As an example, an analytics plugin tool can be controlled to ensure it has read-only access to the webpage content.  Should this tool become compromised, the assigned policy permissions, deployed via Source Defense, will ensure that malicious activities like adding unwanted content are prevented. Similarly, an ad service, once protected by Source Defense, will only be able to display ads in their designated areas and not be able to create any malicious phishing overlays.

The Source Defense solution was purposefully built for deployment and administration simplicity. Machine intelligence is leveraged to evaluate deployed third-party scripts and assigns default policies per third party service. Additionally, ongoing administration is extremely low requiring little oversight beyond accepting policies for newly deployed third party scripts.  Machine learning ensures that these default policies are generally effective. However, these policies may be customized if required.

We consider the Source Defense solution as both a compelling security solution as well as a critical business enablement tool.  It allows organizations to quickly and securely deploy third-party tools that enable rich content and capability to their websites.

How has the transition from analog to digital changed the game for financial institutions?

If you look at financial websites ten years ago you'd see few if any, third-party scripts operating on corporate websites. Today, third-party integrations are commonly deployed. The typical bank will have 20-40 third-party scripts operating simultaneously.

Security teams constantly struggle with the challenge of quickly activating the capabilities of these third-party vendors while ensuring the security of the website.

Financial organizations often choose to integrate third-party services onto their websites from well-known and established vendors, because they consider them more secure. This creates conflict between the marketing and security teams because innovative new tools often require extended security validation and jeopardize time to market.

Tag management platforms enable seamless addition of scripts to web pages with a simple user interface. When financial institutions put these tools in the wrong hands the goal of enhancing efficiency may come at great cost due to the exposure to non-validated scripts and tools introduced to organizations.

Financial institutions protected by Source Defense can confidently deploy third-party tools to their websites without exposing their organizations to vulnerabilities introduced by their scripts.  These tools can be implemented quickly and securely.

As blockchain technology is gaining popularity, how would you advise financial entrepreneurs to protect their user data?

Source Defense advises paying increased attention and care to vulnerabilities appearing on the client (browser) side. These developing websites may handle large transactions, and uncontrolled third-party scripts running on web pages can lead to significant losses. My recommendation would be to either implement a solution capable of managing these third-party entities or limit their use as much as possible.

In your opinion, should the Internet be regulated? How?

I don't think the Internet should not be regulated.  However, this answer depends on a discussion of "regulated". There's a great risk that simple regulation will evolve very quickly to censorship. That said, I do believe that there are websites that should be taken down and handled. I wouldn’t have ISPs blocking applications, because that's a very slippery slope.  However, it's clear that some sort of investigative authority should be funded and supported by governments to avoid some of the unfortunate content and transactions that are enabled by an unmonitored Internet.

What can you tell us about Source Defense's future plans?

We're a fast-growing startup with a first of its kind solution that addresses a very compelling and real threat vector that nearly every organization with a website faces today.  Many recent breaches have highlighted the need for this solution. As such, we are engaged in multiple pilots with large multinational organizations and Fortune-500 companies. Our future will see Source Defense expand more deeply into privacy and security, expand integrations and expand support for key compliance requirements like those evident in GDPR.  We will remain steadfast in our core goal of assisting organizations with secure business enablement.

We plan to open our new headquarters in the US and plan to significantly grow operations there in the near future.

About the Author

Ditsa Keren is a cybersecurity expert with a keen interest in technology and digital privacy.

Did you like this article? Rate it!
I hated it! I don't really like it It was ok Pretty good! Loved it!
out of 10 - Voted by users
Thank you for your feedback