LASCON 2022 has ended
Thursday, October 27 • 1:00pm - 2:00pm
'Who allowed you to do that?' Detecting and Controlling Rogue Third-Party Scripts


As business competition grows fiercer, companies are forced to accelerate their digital transformation to remain competitive. Web applications have become the primary way to deliver software, because their speed of development and convenience outperformed every other delivery method available. Software components and libraries are highly reusable and widely available, so they have become commonplace across the whole web supply chain: build pipeline, infrastructure, and so on.

The big issue with these third-party components is that they run with the same privileges as first-party code. They can harvest any user input, hijack website events and fully modify the behavior of the web page. Companies’ reliance on third-party components creates a mash-up of third-party code, which opens the door to software supply chain attacks and greatly increases the attack surface of their web applications.

Companies don’t have enough visibility into what code is actually running on their website, which leaves a security blind spot that goes unaddressed, since traditional security tooling isn’t prepared to tackle (or even identify) these issues.

What makes things worse is that many of these websites constantly handle very sensitive information such as payment card data, social security numbers and private health information. When a user inputs and submits this data on any given website, it invariably passes through the browser, giving third-party components ample opportunity to covertly intercept and leak it. Because of this blind spot, data breaches that occur at the browser level often remain active for months before they are detected, resulting in heavy penalties for the affected companies.

Solving the complex problem of web supply chain attacks first requires gaining visibility of every third-party component that runs on the website. This allows companies to continuously assess their exposure to third-party risk and closely monitor the behavior of each individual component. Then, companies must be able to prevent these attacks, by gaining control of these components and blocking any potentially malicious behavior such as the leakage of sensitive data.

In this session, attendees will be able to:
- Understand how software supply chain attacks work
- Become familiar with the concept of the client-side blind spot
- See first-hand insights of attempted data leaks collected during Black Friday 2021
- Learn how to prevent these attacks and data leakage attempts
- See a demo of rogue scripts accessing sensitive data and a new data-centric approach to detect/block them
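The data-centric detect/block approach outlined above, as an added example that is not part of the talk or any product it describes: sensitive fields are wrapped so that every read is attributed to the script origin that asked, recorded in an audit log, and denied unless a policy allows it. The origins, the policy table and the two scripts are constructed assumptions for a Node.js simulation.

```javascript
// Constructed simulation of the data-centric control: guard the sensitive data itself
// and attribute every read to the script origin that asked for it (assumed origins below).
const POLICY = { "https://shop.example": "allow" }; // any origin not listed is denied and logged
const auditLog = [];

// Origin of the nearest stack frame that belongs to a loaded script, i.e. the script that
// triggered the read. In a browser, <script src> URLs appear in stack traces the same way;
// here scripts are loaded with //# sourceURL so Node attributes them to a URL as well.
function callerOrigin() {
  for (const frame of new Error().stack.split("\n").slice(1)) {
    const m = frame.match(/(https?:\/\/[^/\s)]+)/);
    if (m) return m[1];
  }
  return "unknown"; // no script frame on the stack: treat as untrusted
}

// A sensitive form field whose value is only readable by origins the policy allows;
// every access, allowed or not, is recorded with the origin that requested it.
function makeSensitiveField(name, value) {
  return {
    name,
    get value() {
      const origin = callerOrigin();
      const decision = POLICY[origin] === "allow" ? "allow" : "deny";
      auditLog.push({ field: name, origin, decision });
      return decision === "allow" ? value : ""; // blocked readers get an empty value
    },
  };
}

// Loads script text the way a browser would, tagged with its URL for stack attribution.
function loadScript(source, url) {
  return (0, eval)(`${source}\n//# sourceURL=${url}`);
}

// Constructed scenario: first-party checkout code and a third-party tag both read the card field.
const cardField = makeSensitiveField("card_number", "4111111111111111"); // constructed test value
const checkout = loadScript("(function (f) { return f.value; })", "https://shop.example/checkout.js");
const rogueTag = loadScript("(function (f) { return f.value; })", "https://cdn.third-party.example/tag.js");

function runScenario() {
  auditLog.length = 0;
  const firstParty = checkout(cardField); // allowed by policy
  const thirdParty = rogueTag(cardField); // denied: origin not in POLICY
  return { firstParty, thirdParty, log: auditLog.slice() };
}

console.log(runScenario());
```

In a real page the same wrapper would be installed on the `value` accessor of the actual input elements, and the audit log would be reported back to the site for monitoring rather than kept in memory.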

Thursday October 27, 2022 1:00pm - 2:00pm CDT
Amazon Room 2525 W Anderson Ln #365, Austin, TX 78757, USA