We’re past the point of changing the way that the web works — it is not uncommon for sites to load more than 35 scripts, with over 70% coming from third-party domains. From an information security perspective, we have to acknowledge that what is loaded in the consumer browser is now a team activity, in partnership with our digital marketing colleagues.
This requires three capabilities: observability, risk management and control.
Risk management: Understanding the inherent risk associated with a script and taking the appropriate action. Is it a script that’s known and has been seen many times? Is it novel? What domains is it associated with? Did it recently change? What are its behaviors — is it reading fields, modifying the page’s domain object model, or transmitting data?
To protect their customers’ privacy and their own infrastructure, organizations should continuously monitor site content, identify and analyze the behavior of new scripts, and make informed decisions about whether or not to block them. Website designers should incorporate granular controls over sections of a webpage that collect sensitive customer data, blocking
all unwanted activity such as reading form fields and exfiltrating data.
About John Elliot
John Elliott specializes in regulated security and data protection. He’s represented both Visa Europe and Mastercard on the PCI Security Standards Council and contributed to many of the PCI standards including most recently PCI DSS v4. John has led aviation and financial services InfoSec and data protection functions and has recently embraced the role of Security Advisor at Jscrambler.