Article originally posted on Forbes.
Following the 2020 SolarWinds attack, cybersecurity experts have been focused on educating businesses about protecting their “software supply chain.” It’s an important issue: Most organizations depend on hundreds of third-party applications to drive operations and business processes, and even the most trusted vendor can fall prey to devastating cyberattacks.
While the U.S. government debates updating cybersecurity rules, it’s important to understand that business applications are not the only source of third-party risk. Today, digital apps, news, media, and entertainment sites are built on top of a sprawling digital supply chain that drives user experience (UX). And as it turns out, the digital supply chain can be a bigger source of danger to your employees and customers than your email or internal systems.
To put it in perspective, let’s compare and contrast the dangers of browsing a typical news site like USA Today with the dangers of a SolarWinds-style malware attack. But first, some context to set the stage.
Explaining Digital Third Parties
In the software supply chain, third parties are easy to understand. Software vendors (like SolarWinds) provide a product (Orion) for their customers. Malicious actors can then compromise those customers by compromising the vendor in various ways—in the case of SolarWinds, by injecting malicious code into a legitimate patch or update.
In the digital supply chain, third-party vendors provide code to app developers and webmasters that drives important functions like shopping cart and payment features, chat and customer support, advertising, monetization features, and more. By compromising a digital vendor, malicious actors can access a website or app’s users, track them across the web, deliver malware and misinformation, and more. And it happens more often than you realize.
Browsing A News Site Vs. SolarWinds
For years, news websites have been placing at least one third-party request per user session and at least one third-party tracking cookie. Meanwhile, 80% of websites across all categories are affected by at least one third-party vulnerability.
With these facts in mind, the cumulative risk from browsing a typical news site can outweigh the risk of a traditional digital supply chain attack in many ways. Here are just a few:
1. Low Cost, High Reward
An attack on a major software vendor requires years of careful reconnaissance and preparation that will only pay off if malicious actors evade detection at every step along the way. In comparison, a website attack via third parties requires little effort, with a high probability of reward. If attackers are caught, they can simply change domains and carry on like nothing ever happened.
For example, a year after the Magecart attack was first used to swipe credit cards from over 18,000 websites, the threat actors behind it were still active. In all likelihood, they still are.
2. Always Learning
Malicious actors have one shot to learn everything they can in preparation for a traditional software attack like SolarWinds. On the other hand, third-party code on websites and apps is constantly targeting users, learning from their behavior and adapting to it. Not only does it track you between apps and websites, but also across devices.
Malicious third parties can even build a comprehensive profile of your identity through advanced browser fingerprinting, cookies, keystroke monitoring, and emerging techniques like ultrasonic beacon tracking that will remain resilient even as browsers attempt to put a stop to third-party tracking.
3. No Oversight
Compared to traditional app security, very little attention has been paid to the security of third-party code or digital supply chains. Few organizations are even aware that it exists, much less what it does, or how it is targeting their users. If they are, most will employ ineffective JavaScript-based blockers that malicious third parties can easily circumvent.
While most businesses have a dedicated AppSec role at the executive level, most have not delegated the responsibility for scanning or monitoring digital vendors to anyone. At the end of the day, browsing a website without protection from third-party attacks is more dangerous than browsing email without a spam filter (at least an email usually has to be clicked, though even that is not a given when preview panes are in use).
4. Inviting Other Third Parties
Digital third parties can summon other third parties to join a first-party website or application. This leads to a potentially limitless chain of third, fourth and fifth parties, which thwarts any attempt to maintain an accurate inventory of digital vendors, because that inventory changes in real time between user sessions. Furthermore, it means that organizations can’t depend solely on trust: A trusted third party can invite a non-trusted one at any time.
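As an added example (not from the article or any product it describes), the Python below turns a constructed list of resource loads and their initiators, the kind of data a browser's network log provides, into a third/fourth/fifth-party inventory and flags hosts that no one has vetted. Every hostname and the allowlist are made up for the demonstration.

```python
from urllib.parse import urlparse

# Constructed sample: (loaded_url, initiator_url). initiator None means the
# resource was requested directly by the first-party page itself.
SAMPLE_LOADS = [
    ("https://news.example/article.html", None),
    ("https://cdn.chatvendor.example/widget.js", "https://news.example/article.html"),
    ("https://tags.adnet.example/loader.js", "https://news.example/article.html"),
    ("https://sync.datapartner.example/pixel.js", "https://tags.adnet.example/loader.js"),
    ("https://evil-tracker.example/fp.js", "https://sync.datapartner.example/pixel.js"),
]
FIRST_PARTY = "news.example"                                   # assumed site
ALLOWLIST = {"cdn.chatvendor.example", "tags.adnet.example"}   # vendors the site vetted

def _host(url):
    return urlparse(url).hostname

def invite_chain(url, initiator_of, first_party):
    """Hosts from the resource back toward the first party, nearest first.
    The first party itself is excluded; consecutive loads from the same host
    count once, since a vendor loading its own files adds no new party."""
    chain, visited = [], set()
    while url is not None and url not in visited and _host(url) != first_party:
        visited.add(url)
        h = _host(url)
        if not chain or chain[-1] != h:
            chain.append(h)
        url = initiator_of.get(url)
    return chain

def inventory(loads, first_party=FIRST_PARTY, allowlist=ALLOWLIST):
    """Map each external host to its party depth (1 = third party invited by
    the page, 2 = fourth party, ...), who invited it, and whether it is vetted."""
    initiator_of = {url: parent for url, parent in loads}
    inv = {}
    for url, _ in loads:
        chain = invite_chain(url, initiator_of, first_party)
        if not chain:
            continue  # first-party resource
        h = chain[0]
        inv.setdefault(h, {
            "depth": len(chain),
            "invited_by": chain[1] if len(chain) > 1 else first_party,
            "vetted": h in allowlist,
        })
    return inv

def unvetted(inv):
    """Hosts present in the session that are absent from the allowlist."""
    return sorted(h for h, e in inv.items() if not e["vetted"])

if __name__ == "__main__":
    inv = inventory(SAMPLE_LOADS)
    for h, e in inv.items():
        print(f"{h}: depth {e['depth']}, invited by {e['invited_by']}, vetted={e['vetted']}")
    print("unvetted:", unvetted(inv))
```

Running the same inventory on every session and diffing the `unvetted` set against the previous run is what turns a static vendor list into the continuous monitoring the article calls for.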
5. Quality Increases Risk
When it comes to traditional software, quality and security tend to go hand in hand. As a vendor invests the time to refine their application for UX, they also invest in AppSec, eliminate vulnerabilities and remove zero-days as they are discovered.
In the digital world, better UX equates to more third parties driving rich media features and a seamless experience. While internet users tend to gauge security by a website’s “sketchiness,” the 500 top-ranked websites on Alexa have an enormous number of third parties, including malicious ones.
The Silent Killer
It’s not hard to understand why SolarWinds-style software attacks make headlines: On the one hand, they are scary, dramatic and devastating. On the other hand, they are less common than the risks users face from digital third parties every day, and in the long run, they are less impactful.
American adults spend an average of 10 hours per day on digital devices. That is roughly the amount of time your users and employees are being exposed to dangerous third-party code on a daily basis. Like carbon monoxide, it is an invisible but destructive risk—and as time goes on, it will only get worse.
While you work to secure your software supply chain, spare a thought for the third parties in your digital supply chain as well. Ultimately, organizations can only protect their employees and customers by taking responsibility for their online domains and continually monitoring their vendors.