Client-Side Security: You Can Delegate Authority But Not Responsibility
By Source Defense
There’s an old saying that leaders can delegate authority but not responsibility. That remains relevant and true in the digital supply chain. Companies can give their supply chain partners authority to operate on their websites, but responsibility for what that 3rd, 4th, and 5th-party code is doing ultimately rests with your internal security team.
Security practitioners struggle to keep up with the volume and pace of cybersecurity incidents, are overwhelmed by alerts and false positives, are distracted by new and evolving compliance requirements and are under pressure to show value to business peers. But the corporate website—often the centerpiece of the enterprise revenue model—presents a structural security risk that could mean the difference between business success and failure.
In the browser, client-side processes are almost always written in JavaScript. According to our team’s latest intelligence, there are more than 1.7 billion public-facing websites worldwide, and JavaScript is used on 95% of them. Frontend JavaScript code has grown in size by more than 347% for desktop and more than 593% for mobile during the last 8 years and keeps growing.
And therein lies the structural security issue that poses one of the biggest threats to your most critical business channels—protecting your customer data at the point of entry. Javascript is used by all of your 3rd party digital suppliers, including payment card processors, advertising networks, social sharing services, analytics, and more, and it sits outside your security perimeter and is vulnerable to a wide range of attacks.
How Much Do You Know About Your 3rd Party Attack Surface?
As a security team, if you still aren’t convinced that taking action to secure client-side transactions like payment card entry is an immediate necessity, the latest release of the Payment Card Industry Data Security Standard (PCI DSS version 4.0) has decided for you.
PCI DSS v4.0 section 6.4.3 states explicitly in its guidance that payment page scripts that are loaded and executed in the consumer’s browser must be managed as follows:
- A method is implemented to confirm that each script is authorized.
- An inventory…
