Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.

By Simon Wijckmans, CEO and founder of c/side
In 2025, organizations vulnerable to cyberattacks that exploit third-party scripts will finally flip the script (so to speak). This long-overdue shift will secure client-side browser activity against risks that currently leave companies exposed.
I predict:
1. A wake-up call to the danger of third-party web script attacks.
Client-side attacks that exploit third-party browser scripts (which are used to run payment portals, analytics, chatbots, and all kinds of other website functions) have long been security's blind spot. Recent incidents have made it clear that organizations ignore these threats at their peril.
A particularly illustrative and recent example is the Polyfill attack, which had businesses running compromised web scripts from February to June of 2024 and ultimately impacted at least half a million websites. Polyfill is a well-known legacy open source service used to bring modern JavaScript functionality to older browsers. Even though modern browsers had rendered Polyfill largely obsolete, thousands of sites continued to link to the Polyfill site and load its third-party script with every user visit.
Even after alerts went out that Polyfill[.]io had come under new ownership, countless security teams (likely oblivious to client-side threats) continued allowing Polyfill scripts to run without verifying or overseeing their actual behavior. In June, c/side was amongst the first cybersecurity companies to discover that those scripts were redirecting a percentage of users to sites with illicit and gambling content. The scary part is that those obvious redirects may have masked much more nefarious activity, such as stealing customers' logins, personal data and payment card information. Because security teams had a blind spot to the danger and no script monitoring in place, they now have a blind spot to the full consequences of their failure.
The Polyfill attack is just a single example. So-called "Magecart attacks," which exploit third-party scripts to steal customer data from businesses using Magento ecommerce frameworks, affected untold thousands of customers in the past year and hit even major companies, including Cisco. 2024 also saw healthcare giant Kaiser Permanente expose the browsing behavior of 13.4 million customers to third-party vendors due to mismanaged scripts.
These high-profile demonstrations of third-party script risks will push more security teams to address those threats in 2025. Teams will increasingly embrace dedicated strategies and tools designed specifically to provide visibility into script behavior, as well as anomaly detection and mitigation.
One complication: attackers can make a compromised third-party script return a different response on each website request, so a security strategy that inspects a single copy of the script never sees the malicious version. To solve this, security teams will implement new capabilities that continuously monitor all the third-party scripts running on their websites and in users' browsers in real time, analyze full script payloads, and block malicious code before it can execute. That transparency will transform security outcomes in the next year, turning a blind spot into an area of strength for businesses that prioritize these protections.
2. New PCI DSS mandates force businesses to get serious about securing third-party payment portal scripts.
PCI DSS v4.0.1 includes two new mandates (6.4.3 and 11.6.1) that put businesses that accept payments on their sites on the clock to add tamper-detection security capabilities by March 31, 2025.
Regulators are making tamper detection mandatory because exploits of third-party scripts used in payment portals are currently responsible for a majority of credit card skimming incidents. Those prevalent Magecart attacks, for example, alter payment page content as displayed in the browser, so that clicking the payment button or simply submitting the form sends a copy of the user's personal and card information to the attackers.
With PCI DSS clamping down on these threats, security teams will take the opportunity to not just meet the letter of the compliance mandates by securing payment pages, but to use the same tools to monitor and mitigate script-based threats across their entire sites. Businesses that practice holistic strategies to secure customer activities from the moment they arrive on the site will be that much more effective in ensuring that no exploits along the customer journey can result in data exposures.
3. Third-party script security will increasingly utilize AI and LLMs to achieve more capable threat analysis, optimizing protections.
As it has in so many fields, AI technology will have a transformative impact on client-side script security. In 2025, the limitations of static security strategies such as threat feeds, content security policies, traditional behavior detection and web crawlers will appear painfully antiquated in comparison with what AI brings to the table.
LLMs can now comprehend JavaScript code and provide valuable insights. Those capabilities will only improve into 2025, enabling ever-better real-time analysis of third-party scripts. The AI currently available to vet scripts and deny malicious code from ever reaching users is already a game changer for security teams. AI tools descended from today's will become absolutely standard across industries and security teams, maybe as soon as 2025.
Now you see me
Attackers have turned client-side third-party script security from a blind spot in 2024 to a spotlight issue for businesses in 2025. Regulators like those behind PCI DSS won't allow complacency to continue. Given the effective new tools and strategies now available and the promising advances on the horizon, businesses will have every motive and opportunity to lock down client-side risks and ensure safe browsing for their customers.
ABOUT THE AUTHOR
Simon Wijckmans is the CEO and founder of c/side, a cybersecurity company focused on browser-side threat detection and protection. Previously, he held product management roles at Cloudflare and Vercel.