Every commercial website includes dozens of third-party integrations that help it grow and maximize its business potential. Unfortunately, these third parties introduce a client-side vulnerability that leaves websites exposed.
Source Defense uses a real-time sandbox isolation technology that prevents malicious activity originating from website supply chain vendors. In light of the major shift towards remote work under the COVID-19 pandemic, I asked co-founder and VP PS Avital Grushcovski for his advice as to how organizations can tighten their defenses and keep their online operations secure.
Please describe the story behind Source Defense and its evolution so far.
Source Defense is one of the few companies formed in the last 2 years that actually created a brand new market and addressed a problem that was never addressed before. It was founded by my best friend, myself and a mutual acquaintance we knew from a company we used to work at.
We did a lot of research and found that no one has succeeded or even tried to commercially solve the problem of governing third-party access. We have found a few open-source projects that tried to address this, but with little to no success at all. We decided we’d figure out a way to do it, and then my partner came out with the brilliant idea of applying access policies to JS on the web browser. It sounds very simple because we already have it on our mobile phones, but you were never able to do that on the web.
We developed a patented engine that allows you to very simply say which of the third-party vendors has the privileges to read the page or write to it. For example, a chat vendor might be able to read the page but it can’t read credit card information, usernames and passwords. Basically customizing specific access policies to each one of the vendors running on your pages.
At the time, no one knew this problem even existed, which actually made it difficult to raise money at first, because we had to convince investors that the problem actually existed. Four years ago, if you were looking for investors and said I’m the only one doing it, the answer would either be that it can’t be done, or there’s no money in it because there’s no way you are the first.
And we were the first to create this market. We managed to patent an engine that provides real-time prevention. Our only other semi-competitor was a company that was trying to scan websites by finding vulnerabilities and alerting them that they had a problem.
Today we are in a very different place. We raised our seed money from JVP and following that we had our A round which included JVP and some major investors from Silicon Valley, including AllegisCyber, which is one of the leading cyber investors in Silicon Valley. It also included Night Dragon, the private equity fund of Dave DeWalt. This is the man who sold McAfee to Microsoft, who found the hack to the white house by the Chinese, and who was Obama’s cyber advisor. So we were lucky to have him not only as one of our investors but also as an advisor. We have a Japanese VC called Global Brain, which is a subsidiary of Softbank.
Currently, the company comprises 33 employees; 6 of them are in the US and the rest are in 2 office locations here in Israel.
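The per-vendor read/write policy described in the answer above, shown as an added illustration that is not Source Defense's code: a constructed in-memory stand-in for the page (field names, values, a sensitive flag) is wrapped in a Proxy so that every access a simulated vendor script makes is checked against that vendor's policy and recorded. The vendor names, policy fields and page fields are all assumptions made for the example.

```javascript
// Constructed stand-in for the page DOM: field name -> value plus a
// sensitive flag (in a real page this might be a data attribute).
const page = {
  fields: {
    "search-box":  { value: "running shoes", sensitive: false },
    "card-number": { value: "4111 1111 1111 1111", sensitive: true },
    "password":    { value: "hunter2", sensitive: true },
  },
  log: [], // audit trail of every vendor access decision
};

// Hypothetical per-vendor policies: a chat widget may read ordinary page
// content but not sensitive fields; analytics gets no page access at all.
const policies = {
  "chat-widget": { read: true,  readSensitive: false, write: false },
  "analytics":   { read: false, readSensitive: false, write: false },
};
const DENY_ALL = { read: false, readSensitive: false, write: false };

// Return a policy-scoped view of the page for one vendor. Unknown vendors
// fall back to deny-all, so a missing policy fails closed.
function pageViewFor(vendor) {
  const policy = policies[vendor] || DENY_ALL;
  return new Proxy(page.fields, {
    get(fields, name) {
      const field = fields[name];
      if (!field) return undefined;
      const allowed = policy.read && (!field.sensitive || policy.readSensitive);
      page.log.push({ vendor, op: "read", field: name, allowed });
      return allowed ? field.value : undefined;
    },
    set(fields, name, value) {
      const allowed = policy.write;
      page.log.push({ vendor, op: "write", field: name, allowed });
      if (allowed && fields[name]) fields[name].value = value;
      return true; // swallow denied writes instead of throwing into vendor code
    },
  });
}

// Simulated vendor scripts running against their scoped views.
function runChatWidget() {
  const view = pageViewFor("chat-widget");
  return { query: view["search-box"], card: view["card-number"], pw: view["password"] };
}
function runAnalytics() {
  const view = pageViewFor("analytics");
  view["search-box"] = "injected"; // write attempt, denied by policy
  return { query: view["search-box"], original: page.fields["search-box"].value };
}
// Denied operations, formatted for review: "vendor:op:field".
function deniedOps() {
  return page.log.filter((e) => !e.allowed).map((e) => `${e.vendor}:${e.op}:${e.field}`);
}
```

A real enforcement engine has to mediate the actual DOM, network and storage APIs rather than a plain object, but the decision logic (policy lookup, sensitive-field check, fail-closed default, audit log) is the same.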
Below are some screenshots from the Source Defense dashboard:
What are the most fundamental factors to consider when building a cybersecurity strategy for a digital business?
Firstly, it’s very easy today to protect your backend by simply relying on the big players. Meaning that if you host your services on one of the big cloud services like Google, Amazon, Microsoft, and so on, you are already behind many levels of security. You can easily add a WAF vendor, and as long as you do your architecture correctly you’ll be ok.
That being said, what many organizations have failed to do is make sure to have the correct procedures that will keep their product and work environment secure, and I think that’s one of the easiest ways to breach an organization today. Obviously, looking at our avenue, something that a lot of organizations have not come to realize is that you have to put resources into securing what’s happening on the client-side, because the client, as of today, is a 100% unsecured environment. It’s completely beyond our security perimeter and is today the hackers’ playground. Don’t take my word for it, take Symantec’s, who named this as the number one cybersecurity threat for websites as of February 2019. It was the first time anything went beyond ransomware in 5 years.
We need to try to build global practices and solutions around the client-side because that is not going to be provided by your cloud vendor.
Service-wise, every company that is not a huge corporation should not put any resources into trying to create their own services and their own security today, because they’re just not going to have the same budgets.
How do you balance the ever-growing conflict between security and usability?
Honestly, security reached usability. The key is to stir up the right solution. Especially when you try to close a gap that has been closed a long time ago, you will have a lot of players in the market. I wouldn’t necessarily say that going for the biggest player is the best option.
I would try to look for the most innovative vendor. Zoom is a good example, not security-wise but definitely in terms of usability. If you look at web conferencing, the biggest players were GoToMeeting, Cisco WebEx and so on. Zoom was a small, new company that came out of the GoToMeeting development team, who said, we can do this better. As far as usability goes, they are indeed a lot better.
Finally, make sure you select the right platforms, and that those platforms can integrate well with each other inside your work process. I would advise you to go externally and consult with an expert that will analyze your work processes and requirements and customize the tools you need for you. Don’t try to bend your work environment towards the tools you are using.
What are some security focal points organizations should pay attention to when choosing which third-party platforms to work with?
That’s an interesting question. On the one hand, you would expect that the smaller the company the more risk it will introduce, which makes sense because they have no security budget.
But if you look at attacks in the past 2 years, a lot of those companies that were attacked were actually fairly large companies. The bigger the company the more attractive it is to the attacker. When you attack a third-party tool, you attack all their clients, so the bigger they are the more money they make for you.
Because these attacks are very hard to find, it is very likely that you will select and deploy a tool that was hacked 2 years ago and they still don’t know it. If you look at the hack on Ticketmaster UK, that hack was found in June 2018. After they looked through their history they found out the same threat had been active for 3 years before it was discovered, and that was one of the top five chat vendors in the world.
So I don’t think there’s a way to say, I will select this product because it’s more secure. It’s obviously more secure if you can host the third-party locally, but most tools and services will not work like that. Even if you do host locally, you have no way of knowing if the local deployment was compromised, because that JS is very hard to detect.
The best approach is combining a few different solutions. There are open source solutions that help secure your browser with content security policies and integrity policies. If you can’t afford to build your own tool, try combining some of these solutions together, but keep in mind some of them are very hard to manage. The perfect solution will always be a combination of several technologies.
How has COVID-19 affected your business and industry?
It’s still hard to say. My assumption is that COVID-19 is going to have little to no negative effect and possibly even a positive effect, because I expect the next 12 months to be very focused on eCommerce, meaning online security will get a higher priority for organizations. Source Defense is still the top player in an area where there’s not a lot of competition. Even the competition we do have is all using existing, coerce solutions, and we have patented technology. I expect to have a very good impact. That being said, we are very focused on large enterprises. Most of our clients are Fortune 500 companies or higher. So it takes them a while to change their focus. We are one of the lucky ones.
How do you envision the next 10 years in website Security?
I assume we’ll have a lot more competition. I assume that all commerce websites will have at least one client-side protection measurement. I’m positive this is going to be a standard requirement of any PCI compliance and probably most privacy compliance regulations.
Anything you can steal from the server you can steal from the client. Both the organizations in charge of regulations and website owners have already figured this out; it just takes them a while to move. The PCI has already issued a warning of the risks imposed by third-party JS from vendors, open-source code, libraries, and so on. It’s simply a matter of time before this is established. So overall, I’m pretty sure this industry is going to be located very high on the spend of any transactional website.