Ecommerce: External Script Audit

Posted on 2015-02-20
Last Modified: 2015-03-19
A friend runs an ecommerce company and has asked for some help. The company started small, selling private label fashion, but has now grown rapidly and has a lot of traffic.

Over time his team have implemented many external scripts (tracking pixels, external advertising scripts, third part consumer behaviour scripts etc). He is concerned about how to audit all of these effectively (and on an ongoing basis) to ensure everything is legitimate and none of these scripts are presenting a security concern for his shoppers. Either because it is malicious, or because it is simply doing more with their data than it is supposed to.

What is the best way to go about this? Is there potentially a ‘hygiene code checker’ type module out there for checking remote code before its executed on a client’s machine?

Any advice or pointing at a product/service provider who could help would be much appreciated.

Thanks team!!!
Question by:Roger Adams
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
LVL 110

Expert Comment

by:Ray Paseur
ID: 40622368
What is the URL of the site you're talking about?

What's the concern here -- JavaScript or PHP?

Author Comment

by:Roger Adams
ID: 40622399
It's third party javascript primarily, being called from internal ecommerce platform code. The code base has grown so quickly, how does one do the following in a timely manner:
1. Identify all external scripts so they can be reviewed individually and manually?
2. Parse or verify the code in these scripts to ensure there is nothing malicious or customer details are not misused?
3. How can the security team identify and monitor external scripts on an ongoing basis?

Manual review of the code is always an option, and the current solution. But is there a better way?

Thanks in advance
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40622514
It is probably time for a demolish and rebuild
I hope they didn't build there own e-commerce but use a payment provider.  Building a secure payment module is prone to errors and subsequent security problems. using a payment provider removes these security concerns from your site to the payment provider. This also keeps the customers private information off of your site.  Even Steve Gibson of and a security expert uses a payment provider as he did not want the responsibility of keeping his customers data secure on his hosted website.
[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.


Author Comment

by:Roger Adams
ID: 40622741
My impression is that the payment module is fine.

He is more concerned about third party scripts that deliver legitimate services. Such as  track user behaviours, display a scroll bar of products down the side, display a product based on what the user might like etc. All of these are provided by legitimate third party companies. The owner of the site is trying to think proactively about possible threats to their shoppers in the future; what if one of these providers are hacked and this trusted script is suddenly modified to serve some kind of malware to shoppers?

Even a rebuild would only give some assurance about what is in place at that moment in time. No matter how well you manually attempt to catalogue things, these ecommerce sites grow at furious rates and within six months it would be a mess again.

Does that make sense?
LVL 110

Accepted Solution

Ray Paseur earned 500 total points
ID: 40622970
Yes, that makes sense.  It's a software "anti-pattern" that can be largely solved with Composer.  Composer allows you to designate the scripts and release levels that your application depends on ("Dependencies") so you know you're always building on a stable code base.  There are similar dependency injectors for JavaScript, and task runners that can build your libraries for you (Grunt, Gulp, etc.)  These help keep your work organized and your dependencies at known, trusted and stable release levels.

For the most part, if you start with trusted components and download your own copies (or serve only from the stable CDNs like Google and Twitter), you will be OK.  If you're unsure about the stability of a script, just make an MD5() digest string from the code (sort of like what GitHub does).  If the md5() ever changes you can flag the code for review.

To your specific questions...

1. Identify external scripts?  No problem if you're using Composer.  Otherwise, begin the task by reading the HTML documents and looking for off-site URLs.  This is a time-consuming task, so prepare to spend a while making the inventory.

2. Verify there is nothing malicious?  Expect there to be malware in anything you're getting from a tainted external source!  Read the source code.  If the code comes from a reasonably popular and well-respected source like GitHub, you've got a fair chance that other people are reading the code, too.  And if there are security holes found in open-source software they are usually patched immediately.  If the code is from third-party suppliers who are not part of the open-source community, you have to trust them.  If you can't trust them, don't depend on them, full stop.

3. Identify and monitor... ongoing basis? Information technology security is a full-time four year college major today.  The threats are always changing and there's no answer you can get in a forum that will keep you protected in the future.  In fact, it you start that college major today, by the time you graduate there will be new threats entering the world and curriculum.  Most installations concerned with security (especially those growing very fast) will have on-staff professionals or will hire a consultancy like PwC or McKinsey to help monitor the ever-changing threats and issues.  If you want the management-level overview, consider joining OWASP and becoming active in their work.

It should go without saying, but I'll say it anyway -- if someone deploys a site that depends on foreign code without understanding exactly what the code does, well, they probably deserve what they're going to get!  If you were thirsty and you found a bottle of unknown liquid would you close your eyes, hold your nose, and drink it?
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40623550
most malware will be inside of your database or via a sql injection when you don't validate all user input.

Featured Post

Are You Using the Best Web Development Editor?

The worlds of web hosting and web development are constantly evolving. Every year we see design trends change, coding standards adapt and new frameworks/CMS created. With such a quick pace of change it’s easy to get lost trying to keep up.

See if your editor made the list.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question