Comments by: Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group

Each programming language has its own paradigms for how code is executed, and for languages like JavaScript, all that’s required is the file. This means that if anyone is able to replace a legitimate version of a file, such as the jQuery Migrate plugin, then they are able to attack anyone who executes the code in the file.

Since a normal visitor to a website really can’t determine legitimate from malicious, it’s up to the website operator to have rigorous controls in place to ensure that what they are running is what should be running. In other words, are the files present on the web server trusted? Assuming all files are vetted and start out in a trusted state, if at any point someone or something can modify it, then that’s also a point when an attacker could compromise the file.

Defending against such an attack requires both a vetting and verification process up-front as well as a threat model for the lifecycle of each file.
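One concrete form of the verification control described above, added here as an illustration and not code from the original post or from Synopsys: vetted files are hashed once into a manifest, and the served directory is re-checked against that manifest so a replaced, removed or unexpected file is reported before it reaches visitors. The file names and contents in the block are constructed for the demonstration.

```python
"""Added example (not from the original post or from Synopsys): a small
file-integrity check for a web root. Files are vetted once, a manifest of
SHA-256 hashes is recorded from that trusted state, and the live tree is
re-verified against the manifest so that a replaced, added or removed
file (for example a swapped jQuery Migrate build) is flagged. Names and
contents below are constructed stand-ins, not real library code."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large assets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by its relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree with the vetted manifest and report every drift."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a trusted state, tamper with it, and return what verify() reports each time."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        js = root / "js"
        js.mkdir()
        # Constructed stand-ins for vetted assets (hypothetical contents).
        (js / "jquery-migrate.min.js").write_text("/* vetted migrate build */\n")
        (js / "app.js").write_text("/* vetted app code */\n")
        (root / "index.html").write_text("<script src=js/jquery-migrate.min.js></script>\n")

        # The manifest belongs out of band (signed, read-only), never inside the web root;
        # the JSON round-trip stands in for storing and reloading it.
        manifest = json.loads(json.dumps(build_manifest(root), sort_keys=True))
        clean = verify(root, manifest)

        # Simulate post-vetting drift: one file replaced, one removed, one unexpected file added.
        (js / "jquery-migrate.min.js").write_text("/* something else entirely */\n")
        (js / "app.js").unlink()
        (js / "extra.js").write_text("/* not in the manifest */\n")
        tampered = verify(root, manifest)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from a scheduled job or a deploy hook and treat any non-empty list as a deployment stop; the manifest should be produced at vetting time and stored somewhere the web server process cannot write, otherwise whoever can replace the file can also replace its expected hash.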

Mark Ko

Besides tech, I love chicken rice. Point me in the right direction and I'll go and try it. :)