Comments by: Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group
Since a normal visitor to a website really can’t determine legitimate from malicious, it’s up to the website operator to have rigorous controls in place to ensure that what they are running is what should be running. In other words, are the files present on the web server trusted? Assuming all files are vetted and start out in a trusted state, if at any point someone or something can modify them, then that’s also a point when an attacker could compromise the file.
Defending against such an attack requires both a vetting and verification process up-front as well as a threat model for the lifecycle of each file.
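As an added illustration of the verification half of that defence (example code, not from Tim Mackey or Synopsys): a minimal file-integrity baseline for a web root, built at the vetted state and later compared against the live tree. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: each deployed file is hashed once at a vetted state; a later
# pass reports anything modified, added or removed relative to that baseline.

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(web_root: str) -> dict[str, str]:
    """Map each file (path relative to web_root) to its SHA-256 digest."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify(web_root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against the trusted baseline."""
    current = build_baseline(web_root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: a vetted deploy, then changes nobody approved."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>hello</h1>")
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('ok')")
        baseline = build_baseline(d)  # taken while every file is trusted
        # Drift after deployment: one file edited, one added, one deleted.
        (root / "js" / "app.js").write_text("console.log('changed')")
        (root / "extra.html").write_text("<p>unexpected</p>")
        (root / "index.html").unlink()
        return verify(d, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline only means something if it is stored and signed outside the web root, so that whoever can modify the site cannot also rewrite the record of what it should contain.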