Instart Logic Blog How to effectively control third-party JavaScript tags to reduce security risks

By Andy WyattMay 30, 2019The average website uses at least 30 different third-party scripts or tags to power live chat, dynamic content, and gather user data. These enhancements are a turnkey way for businesses to improve the profitability of their website, but they can also offer backdoor access to cybercriminals.In 2018, Magecart groups covertly hacked Ticketmaster, Newegg, British Airways, and others. In the case of British Airways, hackers stole the credit card information and personal details of more than 380,000 passengers in just 15 days.Why third-party tag behavior is a security riskCybercriminals use third-party code as a gateway into otherwise secure websites. These scripts and tags have the same access to data and resources as your own code when executed in the browser. Unfortunately, third-party scripts are exempt from the security controls your first-party code must pass through because of the Same-Origin Policy. In other words, anything your own code can access, a third-party script can access as well - including customer identity, credit card information, passwords, etc. Also, because third-party code does not run through your internal infrastructure or security controls, a security breach can remain undetected for weeks.Online businesses rely on third-party code to stay competitive, but they run the risk of an expensive, reputation-ruining security breach. More than 77 percent of websites have at least one known JavaScript vulnerability, and 1 in 13 online requests lead to malware. Yet, the majority of organizations (69 percent), don't believe their anti-virus software is capable of blocking the threats they're seeing.How to protect customers and your businessConsumers are skeptical about online security. Almost 40 percent of US internet users believe buying online puts them at the greatest risk for identity theft or fraud. The same survey also found 48 percent expressed loyalty to companies they trust to protect their personal data. Trust is the key to success in a competitive online marketplace and that means protecting customers from malicious attempts to skim sensitive information.Removing all your third-party tags is one solution, albeit impractical. The best defense is to limit the information third-party scripts can access, but developing a first-party solution is a heavy lift for your internal team and the web page itself. Even Content Security Policy (CSP) and Subresources Integrity (SRI) policies could allow sensitive data to be exfiltrated from the browser. A previously whitelisted domain could become infected, or your SRI policy could hash an infected script. On the flipside, approved third-party code could cause parts of your website to break by trying to (legitimately) communicate with a non-whitelisted site.Control web security and performanceWith Instart Tag Control, you can use third-party tags without losing control over website performance or security. Instart Tag Control prevents third-party services from accessing sensitive data and allows you to re-prioritize or disable tags that negatively impact website performance.The average website dispenses 401kb of JavaScript that increases page load time by 6.77 seconds. Instart Tag Control allow you to defer slow performing tags and scripts as they are assembled in the browser. If any third-party code performs outside of acceptable bounds, you can prevent them from loading.Some companies use tag managers to boost performance through asynchronous tag loading. Tag managers, such as Google Tag Manager (GTM), work well for this application, but they do not provide protection against cyber attacks. In fact, GTM creates security risks without a solid internal security framework.Instart Tag Control provides you with full visibility into the behavior and impact of your targs, while providing full control that enables you to defer or block scripts as they assemble in the browser or completely restrict unauthorized third-party browser access. This allows you to monitor and limit third-party access to cookies or form fields to prevent the exfiltration of personally information (PII), such as names, passwords, or even credit card numbers.Reduce risk and take back control with InstartThe average data breach costs $3.86 million, according to research by IBM, and 55 percent of businesses fear hidden third-party code is leaking data. The World Economic Forum recently ranked cyberattacks and data breaches as one of the greatest threats of 2019. Hoping and crossing your fingers is one strategy, but preventing third-party access is a proven solution - an attacker can't steal what they can't see.Third-party tags power the personalized experiences modern consumers expect and companies rely on for revenue. Instart Tag Control allows web publishers to harness the power of third-party tags without compromising the security or performance of their websites or web apps.You spend months and years building a reputation, don't let hackers tear it down. Contact us to learn more about securing your business, or download our ebook, How to take back control of third-party tags.SecurityBlog Image: