Auditing Archives: The Case of the Evil JavaScript

Virtually all ecommerce sites add or include third-party scripts on their websites. The problem comes when a web developer includes a third-party script on pages that accept sensitive information (e.g., payment page, login page).


Transcript

  • 1. Auditing Archives Series: The Case of the Evil JavaScript
  • 2. Business background: A small ecommerce parts dealer hired a third-party analytics expert to track site statistics.
  • 3. Business background: The dealer included the third party's JavaScript on all website pages, including the customer checkout page. The script loads dynamically from the third party's servers each time a page loads.
  • 4. What is included JavaScript (or included code)? JavaScript is a scripting language used to write websites that interact with a user's browser. These scripts can be written by company developers or included from external web sources.
  • 5. How hackers could get in: Cybercriminals could hack the third-party server that hosted the analytics JavaScript. They could rewrite the script so that it secretly searches for and accesses any information contained on or entered into the web pages it is included on.
  • 6. How hackers could get in: Malicious JavaScript could copy payment information each time a customer entered a credit card on the small parts dealer's checkout page.
  • 7. What the business did wrong: Dynamically including third-party JavaScript on a page that accepts sensitive information (e.g., login pages, payment pages) is not a secure practice.
  • 8. What the business did wrong: The ecommerce merchant should have requested assurance from the third party of strong server security and constant checking of scripts to ensure they are not modified.
  • 9. What the business did wrong: Don't assume the third party is responsible. Remember, anything written or included on a merchant's ecommerce website is the merchant's own responsibility.
  • 10. SecurityMetrics: We Protect Business. Services: PCI, HIPAA, & data security solutions for businesses of all sizes. Qualifications: Global provider of ASV, QSA, PFI, PA QSA, P2PE services. Experience: Assisted over 1 million organizations with compliance needs.
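
The check that slides 7 and 8 call for, as an added example (not part of the presentation or of SecurityMetrics' tooling): it flags third-party scripts included without a Subresource Integrity `integrity` pin, rates them higher when the page accepts sensitive input, and compares a served script against the hash of the reviewed copy. The origins, HTML and script bodies are constructed samples, the function names are hypothetical, and the regex tag scan is a simplification of real HTML parsing.

```javascript
// Added example: audit a page's <script> tags and detect modified third-party code.
const crypto = require("crypto");

// Subresource Integrity value ("sha384-<base64>") for a script body.
function sriHash(body) {
  return "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");
}

// Heuristic: does the page collect credentials or card data?
function acceptsSensitiveInput(html) {
  return /<input\b[^>]*(type\s*=\s*["']?password|autocomplete\s*=\s*["']?cc-|name\s*=\s*["']?[^"'>]*card)/i.test(html);
}

// Return one finding per cross-origin script loaded without an integrity pin.
function auditPage(html, pageOrigin) {
  const sensitive = acceptsSensitiveInput(html);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue; // inline script, not a remote include
    const origin = new URL(src, pageOrigin).origin;
    if (origin === pageOrigin) continue; // first-party code
    const pinned = /\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(tag);
    if (!pinned) findings.push({ src, origin, severity: sensitive ? "high" : "low" });
  }
  return findings;
}

// "Constant checking": compare what the third party serves now to the reviewed copy.
function isUnmodified(servedBody, pinnedHash) {
  return sriHash(servedBody) === pinnedHash;
}

// Constructed sample data (not from the presentation).
const CHECKOUT_HTML = `
<form action="/pay">
  <input name="card_number" autocomplete="cc-number">
</form>
<script src="/js/cart.js"></script>
<script src="https://analytics.example/track.js"></script>`;
const REVIEWED = "function track(){ count('pageview'); }";
const TAMPERED = REVIEWED + " /* changed upstream */";

console.log(auditPage(CHECKOUT_HTML, "https://shop.example"));
console.log("still matches pin:", isUnmodified(TAMPERED, sriHash(REVIEWED)));
```

A pin only works for a script whose bytes stay fixed between reviews, so a vendor script that changes on every load has to be self-hosted or versioned before it can be pinned.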