Roger Adams
Ecommerce: External Script Audit
A friend runs an ecommerce company and has asked for some help. The company started small, selling private label fashion, but has now grown rapidly and has a lot of traffic.
Over time his team have implemented many external scripts (tracking pixels, external advertising scripts, third-party consumer behaviour scripts, etc.). He is concerned about how to audit all of these effectively (and on an ongoing basis) to ensure everything is legitimate and none of these scripts are presenting a security concern for his shoppers, either because a script is malicious or because it is simply doing more with their data than it is supposed to.
What is the best way to go about this? Is there potentially a ‘hygiene code checker’ type module out there for checking remote code before it's executed on a client’s machine?
Any advice or pointing at a product/service provider who could help would be much appreciated.
Thanks team!!!
ASKER
It's third-party JavaScript primarily, being called from internal ecommerce platform code. The code base has grown so quickly; how does one do the following in a timely manner:
1. Identify all external scripts so they can be reviewed individually and manually?
2. Parse or verify the code in these scripts to ensure there is nothing malicious and that customer details are not misused?
3. How can the security team identify and monitor external scripts on an ongoing basis?
Manual review of the code is always an option, and the current solution. But is there a better way?
Thanks in advance
It is probably time for a demolish and rebuild
I hope they didn't build their own e-commerce but use a payment provider. Building a secure payment module is prone to errors and subsequent security problems. Using a payment provider removes these security concerns from your site to the payment provider. This also keeps the customers' private information off of your site. Even Steve Gibson of https://www.grc.com, a security expert, uses a payment provider as he did not want the responsibility of keeping his customers' data secure on his hosted website.
ASKER
My impression is that the payment module is fine.
He is more concerned about third-party scripts that deliver legitimate services, such as tracking user behaviours, displaying a scroll bar of products down the side, displaying a product based on what the user might like, etc. All of these are provided by legitimate third-party companies. The owner of the site is trying to think proactively about possible threats to their shoppers in the future; what if one of these providers is hacked and this trusted script is suddenly modified to serve some kind of malware to shoppers?
Even a rebuild would only give some assurance about what is in place at that moment in time. No matter how well you manually attempt to catalogue things, these ecommerce sites grow at furious rates and within six months it would be a mess again.
Does that make sense?
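The three questions in the asker's earlier post (inventory the external scripts, verify them, keep monitoring them) and the "what if a provider is hacked and the trusted script changes" concern in the post above come down to one mechanism: keep an approved hash of every third-party script the pages reference, pin it with a Subresource Integrity attribute where possible, and re-crawl on a schedule so anything new or changed is flagged for human review. The following is an added example written for this page, not code posted by anyone in the thread or shipped by any product; the hostnames, HTML and script bodies are constructed sample data, and the `fetch` callable passed in stands in for an HTTP GET of the live script.

```python
"""Third-party script inventory and change monitor (added example, not from the thread).
Constructed sample data only; nothing is fetched from the network."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "shop.example"  # constructed: the store's own hostname


class ScriptCollector(HTMLParser):
    """Records the src of every <script src=...> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def external_scripts(html, site_host=SITE_HOST):
    """Step 1: list third-party script URLs, normalised to absolute https URLs."""
    collector = ScriptCollector()
    collector.feed(html)
    found = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if not host:
            continue  # relative path: served first-party, out of scope here
        if host == site_host or host.endswith("." + site_host):
            continue  # first-party subdomain
        found.append("https:" + src if src.startswith("//") else src)
    return found


def sri_hash(body, algo="sha384"):
    """Hash a script body in the algo-base64 form used by SRI integrity attributes."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def pinned_tag(url, body):
    """Step 2: a <script> tag the browser will refuse to execute if the body changes."""
    return f'<script src="{url}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def build_baseline(urls, fetch):
    """Record the approved hash of each third-party script after manual review."""
    return {url: sri_hash(fetch(url)) for url in urls}


def audit(html, baseline, fetch, site_host=SITE_HOST):
    """Step 3: run on a schedule; report scripts that are new, changed or gone."""
    current = external_scripts(html, site_host)
    report = {"new": [], "changed": [], "unchanged": [], "removed": []}
    for url in current:
        if url not in baseline:
            report["new"].append(url)      # nobody has reviewed this script yet
        elif baseline[url] != sri_hash(fetch(url)):
            report["changed"].append(url)  # provider content differs from the approved copy
        else:
            report["unchanged"].append(url)
    report["removed"] = [u for u in baseline if u not in current]
    return report


# --- constructed sample data: first crawl, then a later crawl ---------------
HTML_V1 = """<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example/pixel.js"></script>
<script src="//ads.example/slot.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>"""

BODIES_V1 = {
    "https://analytics.example/pixel.js": b"window.track = function (e) { /* constructed v1 */ };",
    "https://ads.example/slot.js": b"window.renderSlot = function () { /* constructed */ };",
}

# Later crawl: the analytics provider changed pixel.js and a recommender widget was added.
HTML_V2 = HTML_V1.replace("</head>", '<script src="https://recs.example/widget.js"></script>\n</head>')
BODIES_V2 = dict(BODIES_V1)
BODIES_V2["https://analytics.example/pixel.js"] = b"window.track = function (e) { /* constructed v2 */ };"
BODIES_V2["https://recs.example/widget.js"] = b"window.recs = function () { /* constructed */ };"

if __name__ == "__main__":
    baseline = build_baseline(external_scripts(HTML_V1), lambda u: BODIES_V1[u])
    for url, body in BODIES_V1.items():
        print(pinned_tag(url, body))
    print(audit(HTML_V2, baseline, lambda u: BODIES_V2[u]))
```

Two caveats a practitioner would want: a static HTML scan only sees scripts the page itself references, so scripts injected at runtime by a tag manager or by another vendor's script need a headless-browser crawl (or a Content-Security-Policy in report-only mode, which makes the browser report every script origin it loads) to show up in the inventory; and a "changed" finding is as often a legitimate vendor release as a compromise, so the baseline is only updated after someone has looked at the diff, which is exactly the review step the asker wanted to make tractable.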
Most malware will be inside of your database or via a SQL injection when you don't validate all user input.
What's the concern here -- JavaScript or PHP?