Do you know what’s running on your website?
The Dasient report comes ahead of the company’s scheduled talk at the Black Hat security conference this week, where Dasient cofounder Neil Daswani is set to detail the problem and one potential solution.
“Businesses need to realize that they are dependent on third parties in order for their sites to be secured and at the same time they don’t have direct control over those third-party resources,” Daswani told InternetNews.com.
One solution to the issue is Dasient’s website malware monitoring service, which first debuted last year. Daswani will be speaking at Black Hat specifically about the architecture of the firm’s Mod anti-malware technology, which aims to help prevent malware infection on websites.
Browser vendors have also tried to help mitigate the risk through a number of different techniques. Multiple browser vendors, including Microsoft and Mozilla, have domain-origin policies for their browsers, which are intended to restrict the ability of third-party scripts to execute functions.
“The same origin and domain security policies that are used by the browser are indeed helpful,” Daswani said. “But there are still some problems.”
For example, Daswani said that if an iFrame is used that is pulling in third-party content, the origin policies would restrict the iFrame content from impacting anything else on the specific page. He added that while origin policies are helpful, if the iFrame were to pull in a malicious PDF that invoked the PDF plugin and triggered a buffer overflow, for instance, the attacker could still take control of the PC.
“I’d love for Mod anti-malware to solve all the world’s problems, but at the same time I think it’s important to have different categories of defense coming from different places,” Daswani said. “It is important to look at website malware monitoring as part of a defense-in-depth strategy that works with other complementary services.”
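As an added illustration of the third-party dependence described above (not code from the article or from Dasient), the following sketch inventories the scripts, iframes and plugin content a page pulls from other origins and notes how the browser treats each kind. The function names and the sample page are hypothetical, and every host in the sample is a constructed placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# How the browser treats each kind of embedded resource.
EXPOSURE = {
    "script": "runs with the embedding page's origin",
    "iframe": "isolated from the page by the same-origin policy",
    "embed": "may be handed to a browser plugin",
    "object": "may be handed to a browser plugin",
}
URL_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
DEFAULT_PORT = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) triple the same-origin policy compares."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORT.get(parts.scheme))

class ThirdPartyInventory(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL, exposure)

    def handle_starttag(self, tag, attrs):
        ref = dict(attrs).get(URL_ATTR.get(tag))
        if not ref:
            return  # not a resource tag, or inline/empty: nothing is fetched
        absolute = urljoin(self.page_url, ref)
        if origin(absolute) != origin(self.page_url):
            self.findings.append((tag, absolute, EXPOSURE[tag]))

def third_party_resources(page_url, html):
    """List embedded resources whose origin differs from the page's."""
    parser = ThirdPartyInventory(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; every host is a placeholder.
SAMPLE_URL = "https://shop.example/index.html"
SAMPLE_HTML = """
<script src="/js/site.js"></script>
<script src="//widgets.example.net/w.js"></script>
<iframe src="https://ads.example.org/slot?id=1"></iframe>
<embed src="http://docs.example.com/brochure.pdf" type="application/pdf">
"""
if __name__ == "__main__":
    for tag, url, exposure in third_party_resources(SAMPLE_URL, SAMPLE_HTML):
        print(f"{tag:7} {url}  ({exposure})")
```

The same-site script is omitted from the report because its origin matches the page; the embedded PDF corresponds to the plugin case Daswani describes, where origin isolation does not protect the plugin itself.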