There are two common approaches to website security: remote solutions and embedded solutions. Reflectiz has chosen a remote solution that uses a proprietary remote monitoring platform to secure online assets. Reflectiz has opted for remote execution because it is the safest, fastest, and most cost-effective way to provide threat visibility and deliver maximum security to clients. This stands in contrast to other solutions that rely on embedding scripts on customers’ websites — which introduces numerous unmanaged risks and disadvantages.
The Negative Aspects of Embedded Solutions
Here’s a summary of those disadvantages, followed by an in-depth exploration:
Access to users’ data – The embedded script, which is an inseparable part of the website, has access to personal and business data just like the web applications it’s monitoring. Moreover, it must comply with all privacy and information security regulations, which require constant maintenance.
Wider attack surface – The script can serve as a vulnerable point for potential attacks, and its mere presence amplifies the organization’s digital attack surface, thereby increasing the number of attack vectors that need to be handled.
Lack of visibility – Embedded scripts have limited monitoring capabilities: the browser’s same-origin policy stops them from reading into cross-origin iframes or the code running inside them, which is unfortunate because that’s exactly where most trackers and several of the recent web-skimming attacks were initiated from. This technology gap can result in insufficient coverage when utilizing embedded script solutions.
Performance issues – The embedded script affects the performance and user experience of the website. Any intensive work, such as monitoring all executed code on a given page, slows the page down, which in turn affects revenue. Moreover, web components are being updated constantly, so you will have to keep verifying that the embedded security script is still compatible with all of them, which means additional costs.
Book a demo today and see for yourself how Reflectiz can help your organization to always stay protected.
In-Depth Exploration
Let’s take a deep dive and examine the reasons for using a remote website security solution over embedded solutions:
Access to users’ data
Every time a script is installed on a website, it gets access to the page and to users’ personal data and activities, which is why we created Reflectiz: to monitor those scripts. Our tools detect when third-party scripts access sensitive data.
The problem with traditional embedded security tools is that their own scripts also have access to your website data. With this method, there is almost no way to monitor a website without accessing sensitive information, which means that the script itself must comply with privacy and information security regulations such as CCPA and GDPR. It’s also why the organization is obliged to notify users that their data is shared with a third-party vendor – which in this case is the creator of the security tool itself. Technically the script could avoid touching that data, but whether it does is under the vendor’s control, not the client’s.
Wider attack surface
Using third-party code to address third-party code security concerns seems self-defeating because the script itself is also a target for attack. A supply chain attacker who gains access to the code will have immediate access to the website and the information it contains.
The SolarWinds breach is a well-known example of a software supply chain compromise. In this case, the attackers inserted malicious code into builds of the company’s Orion IT monitoring software, which is used by thousands of enterprises and government agencies worldwide, and the vendor’s signed updates carried that code to customers. As a result, the monitoring tool was transformed into an espionage tool.
In the web scenario, attackers get full access to PII and other sensitive inputs via a compromised third-party script. Because the malicious code runs in the visitor’s browser rather than on the server, it is completely invisible to standard security controls like a WAF or DAST scanning. The Ticketmaster attack is a prime example of a third-party code provider (a customer-support chatbot vendor) being compromised and used to inject card-skimming code. In this case, the provider’s software became the entry point for the attack. The UK data protection regulator (the ICO) later fined Ticketmaster, finding that the organization, rather than the third-party provider, was responsible for securing users’ personal information. Therefore, if you use a third-party solution and its code compromises your site security, the responsibility falls on you.
In contrast, Reflectiz’s monitoring solution is external, so there is no exposure to this kind of risk.
Lack of visibility
A security script that’s installed on a website can’t access third-party iframe components or the scripts they contain. Under the browser’s same-origin policy, a script may only read the DOM of documents that share its own origin (scheme, host and port); a frame served from another origin, or a sandboxed frame without allow-same-origin, is opaque to it. While this rule was created to increase the security of web components, it also limits what an installed JavaScript can protect, because those cross-origin iframes are where trackers, pixels and multiple unmanaged third-party scripts live.
The installed security script therefore can’t map all trackers, discover data leakage or create a complete inventory of third-party apps and scripts. Critical activities – such as detecting known CVEs in JS frameworks, tracking pixels like Meta and TikTok, fingerprinting and tag misconfiguration – are limited because these components are rendered inaccessible.
It’s well worth remembering that several class-action lawsuits have already been launched against healthcare organizations over Meta pixel usage that sent data from authenticated areas of their websites. The same compliance obligation applies to the code responsible for protecting your website, which makes it another compliance headache. Whether the pixel sits inside an iframe or not, the accountability still lies with the website owner.
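To make the same-origin limitation concrete, here is an added example (not Reflectiz code) that classifies which iframes on a page an in-page security script could actually read. It applies the same-origin rule as browsers do: same scheme, host and port (default ports normalised), with about:blank and srcdoc frames inheriting the parent’s origin, and sandboxed frames without allow-same-origin treated as opaque. The page URL and frame list are constructed for illustration; the hostnames are placeholders, not real vendors.

```javascript
// Added example, not Reflectiz code: which iframes can an in-page security
// script read under the same-origin policy? Page URL and frames are constructed.

// Serialised origin (scheme://host[:non-default-port]) or null for an opaque
// origin. The WHATWG URL class already drops default ports, lowercases the
// host, and serialises opaque origins (data:, javascript:, about:) as "null".
function originOf(urlString, base) {
  try {
    const origin = new URL(urlString, base).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null; // unparsable src: treat as opaque
  }
}

// frame: { src: string, sandbox: string | null } where sandbox is the raw
// attribute value (null when absent, as getAttribute() would return it).
function classifyFrame(pageUrl, frame) {
  const pageOrigin = originOf(pageUrl);
  const src = (frame.src || "").trim();

  // A sandboxed frame without allow-same-origin gets a unique opaque origin,
  // so even a document from our own host inside it is unreadable.
  if (frame.sandbox !== null && frame.sandbox !== undefined &&
      !frame.sandbox.split(/\s+/).includes("allow-same-origin")) {
    return { src, origin: null, readable: false, reason: "sandboxed (opaque origin)" };
  }

  // Empty src, about:blank and srcdoc frames inherit the parent's origin.
  if (src === "" || src === "about:blank" || src === "about:srcdoc") {
    return { src, origin: pageOrigin, readable: true, reason: "inherits parent origin" };
  }

  const origin = originOf(src, pageUrl); // relative URLs resolve against the page
  if (origin === null) {
    return { src, origin: null, readable: false, reason: "opaque origin (data:, javascript:, ...)" };
  }
  if (origin === pageOrigin) {
    return { src, origin, readable: true, reason: "same origin" };
  }
  return { src, origin, readable: false, reason: "cross-origin" };
}

// Inventory with counts of what the in-page script can and cannot inspect.
// Third-party trackers and pixels land in the "blind" bucket.
function frameInventory(pageUrl, frames) {
  const results = frames.map((f) => classifyFrame(pageUrl, f));
  return {
    results,
    visible: results.filter((r) => r.readable).length,
    blind: results.filter((r) => !r.readable).length,
  };
}

// Constructed sample: a checkout page embedding its own widgets plus the
// usual third-party frames. Hostnames are placeholders.
const SAMPLE_PAGE = "https://shop.example.com/checkout";
const SAMPLE_FRAMES = [
  { src: "https://shop.example.com/help-widget", sandbox: null },           // same origin
  { src: "https://shop.example.com:443/reviews", sandbox: null },           // default port normalised
  { src: "/promo/banner", sandbox: null },                                  // relative, same origin
  { src: "", sandbox: null },                                               // about:blank, inherits
  { src: "https://shop.example.com/embedded", sandbox: "allow-scripts" },   // sandboxed, opaque
  { src: "http://shop.example.com/legacy", sandbox: null },                 // scheme differs
  { src: "https://pixel.tracker.example.net/collect?id=123", sandbox: null }, // third-party tracker
  { src: "data:text/html,<p>ad</p>", sandbox: null },                       // opaque data: URL
];

// Browser only: ask the DOM itself. contentDocument is null for cross-origin
// and opaque-origin frames (contentWindow.document would throw a SecurityError),
// which is the ground truth the static classification above approximates.
function liveFrameInventory() {
  if (typeof document === "undefined") return null; // not running in a browser
  return Array.from(document.querySelectorAll("iframe")).map((el) => {
    let readable = false;
    try {
      readable = el.contentDocument !== null;
    } catch {
      readable = false;
    }
    return { src: el.src, readable };
  });
}

const inventory = frameInventory(SAMPLE_PAGE, SAMPLE_FRAMES);
console.log(`visible: ${inventory.visible}, blind: ${inventory.blind}`);
for (const r of inventory.results) {
  console.log(r.readable ? "READ " : "BLIND", r.src || "(about:blank)", "-", r.reason);
}
```

Run under Node and four of the eight frames come back blind: the sandboxed frame, the http:// variant of the site’s own host, the tracker and the data: frame. In a real page, `liveFrameInventory()` gives the browser’s own verdict, and anything it reports as unreadable is code an embedded monitor cannot inspect.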
Recently, a big financial services company chose Reflectiz for its website monitoring and our solution detected suspicious activity related to the TikTok pixel. The Reflectiz investigation team provided clear mitigation steps to terminate the pixel’s unapproved activity right away. As a result, the company feels confident enough in our service to keep using the new marketing tools and trackers that allow it to address its target audience, safe in the knowledge that it won’t be compromising its website’s security posture.
Performance issues
In order to monitor code on a website, it is typically necessary to install the script in the head section so that it’s the first component loaded; otherwise it will not be able to keep tabs on any code that was loaded before it. But since it’s the first script to load, and must load synchronously to see what follows, it delays everything after it, and it can also break other scripts and frames if their code conflicts with it. Issues can include longer loading times, poor performance, usability problems, and functionality that stops working.
Multiple studies (such as the Walmart research analysis and the Cloudflare summary report cited here) have shown that there is a direct link between load times and website conversion rates. The initial loading time of your website is business-critical. Even a one-second delay can impact revenue by up to 2%.
With Reflectiz external monitoring, no security script is loaded onto the website, so there is no decline in performance or user experience. The only “burden” is a few additional page requests per day from the scanner.
In addition, a monitoring script needs to be able to cater to all website users, so it must be compatible with every hardware and software platform they use, and those platforms are always being updated to new versions. To ensure ongoing compatibility, the organization will need to invest in never-ending updates to its system and third-party components to keep the website safe and the user experience optimal, and it will also need to verify with the vendor that every new release supports all the required versions. This is another cost to consider when you don’t opt for external scanning solutions like Reflectiz.