GDPR and Third Party JS - Can it be Done?

Presented at Black Hat Europe 2017, Dec. 6, 2017, 5 p.m. (30 minutes)

The European Union's General Data Protection Regulation (GDPR) is set to go into effect in a matter of months, and already it is having a profound effect. Under GDPR rules, companies that collect or store data belonging to EU citizens or entities are required to provide top-notch privacy and security to protect that data; otherwise they could face huge fines – as large as €20m.

As a result, companies that collect or store data are working to meet GDPR compliance. But some things are out of their control – among them the third-party scripts that almost all websites depend upon to provide essential web services. Those scripts are controlled by third parties, who may not be GDPR-compliant themselves.

Under GDPR rules, those third parties may get fined – but the site that hosted the script is responsible too, and itself could face fines if a hacker compromises those scripts, hijacking data, installing keyloggers, etc. It's far from an uncommon problem: banks, e-commerce sites, publishers, HMOs, insurance firms, and many others have unwittingly taken on partners whose scripts provide social media, e-commerce, advertising, content, analytics, and more – thus 'owning' their partners' security risks, too.

There have been many attempts to identify these breaches, from isolating scripts inside iframes, to scanning websites remotely using robots, to code review prior to implementation, but none of these have eliminated the problem. We propose a system in which the script is executed in an isolated environment before it is allowed to act on a "live" page. A security system examines the actions the script attempted; if it acts as expected, its execution is applied to the actual page, and if not, it remains isolated and the page remains unaffected by its payload. In this way administrators can protect themselves and avoid violating GDPR rules.
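The "dry-run, then apply" idea in the abstract can be sketched in a few dozen lines. The following is an added example written for this page, not code from the talk or from Source Defense: a third-party script is run against recording stand-ins for `document`, `window` and `fetch`, the actions it attempted are compared with a policy describing what the tag is expected to do (element types it may create, origins it may talk to, no input-capturing listeners on form fields), and only an approved action log is replayed onto the real page. All names (`recordActions`, `checkPolicy`, `vetScript`, `applyActions`, `POLICY`) and the two sample scripts and their origins are constructed for the example.

```javascript
// Added example: dry-run sandbox for a third-party script, then policy check, then replay.
// Every identifier, origin and sample script below is constructed for this illustration.

let nextId = 1;

// A stand-in element whose mutating calls are recorded instead of applied.
function makeFakeElement(tag, log) {
  const el = { id: nextId++, tagName: tag.toUpperCase(), attrs: {}, children: [] };
  el.setAttribute = (name, value) => {
    log.push({ op: 'setAttribute', id: el.id, tag: el.tagName, name, value: String(value) });
    el.attrs[name] = String(value);
  };
  el.appendChild = (child) => {
    log.push({ op: 'appendChild', parent: el.id, child: child.id, childTag: child.tagName });
    el.children.push(child);
    return child;
  };
  el.addEventListener = (type) => {
    log.push({ op: 'addEventListener', id: el.id, tag: el.tagName, type });
  };
  return el;
}

// Run untrusted script source against the stand-ins and return everything it tried to do.
// Note: `new Function` only swaps the DOM-facing names; a real deployment needs a separate
// realm (iframe/worker) so the script cannot reach the host page through other globals.
function recordActions(source) {
  const log = [];
  const body = makeFakeElement('body', log);
  const fakeDocument = {
    body,
    createElement(tag) {
      const el = makeFakeElement(tag, log);
      log.push({ op: 'createElement', id: el.id, tag: el.tagName });
      return el;
    },
    // Selector-resolved elements carry the selector as their tag so the policy sees the target.
    querySelector(selector) {
      const el = makeFakeElement(selector, log);
      log.push({ op: 'querySelector', id: el.id, selector });
      return el;
    },
  };
  const fakeFetch = (url) => {
    log.push({ op: 'fetch', url: String(url) });
    return Promise.resolve({ ok: true });
  };
  const fakeWindow = { document: fakeDocument, fetch: fakeFetch,
    location: { href: 'https://shop.example.test/checkout' } };  // constructed page URL
  try {
    new Function('document', 'window', 'fetch', source)(fakeDocument, fakeWindow, fakeFetch);
  } catch (err) {
    log.push({ op: 'error', message: err.message });
  }
  return log;
}

// Policy describing what this particular tag is expected to do (constructed values).
const POLICY = {
  allowedTags: new Set(['DIV', 'SPAN', 'IMG', 'A']),        // no SCRIPT or IFRAME
  allowedOrigins: ['https://cdn.example-analytics.test'],   // the tag's own CDN
  sensitiveTarget: /INPUT|TEXTAREA|FORM|SELECT/,
  captureEvents: new Set(['keydown', 'keyup', 'keypress', 'input', 'change', 'submit']),
};

// Compare the recorded actions with the policy; return a list of human-readable violations.
function checkPolicy(log, policy = POLICY) {
  const inAllowed = (url) => policy.allowedOrigins.some((o) => url.startsWith(o + '/'));
  const violations = [];
  for (const a of log) {
    if (a.op === 'createElement' && !policy.allowedTags.has(a.tag)) {
      violations.push(`createElement ${a.tag} not in allow-list`);
    } else if (a.op === 'fetch' && !inAllowed(a.url)) {
      violations.push(`fetch to unexpected origin: ${a.url}`);
    } else if (a.op === 'addEventListener' && policy.sensitiveTarget.test(a.tag)
               && policy.captureEvents.has(a.type)) {
      violations.push(`${a.type} listener on form field ${a.tag}`);
    } else if (a.op === 'setAttribute' && (/^on/i.test(a.name) || /^\s*javascript:/i.test(a.value))) {
      violations.push(`inline handler via ${a.name}`);
    } else if (a.op === 'setAttribute' && a.name === 'src' && !inAllowed(a.value)) {
      violations.push(`src outside allowed origins: ${a.value}`);
    } else if (a.op === 'error') {
      violations.push(`script threw: ${a.message}`);
    }
  }
  return violations;
}

// Dry-run plus policy check; the page is only touched afterwards, via applyActions.
function vetScript(source, policy = POLICY) {
  const actions = recordActions(source);
  const violations = checkPolicy(actions, policy);
  return { allowed: violations.length === 0, violations, actions };
}

// Replay an approved action log onto a real (or any DOM-like) document; returns elements created.
function applyActions(actions, doc) {
  const byId = new Map();
  for (const a of actions) {
    if (a.op === 'createElement') byId.set(a.id, doc.createElement(a.tag.toLowerCase()));
    else if (a.op === 'querySelector') byId.set(a.id, doc.querySelector(a.selector));
    else if (a.op === 'setAttribute') byId.get(a.id).setAttribute(a.name, a.value);
    else if (a.op === 'appendChild') (byId.get(a.parent) || doc.body).appendChild(byId.get(a.child));
    // Listeners and fetches are not replayed: the sandbox recorded them by type/URL only.
  }
  return byId.size;
}

// Constructed sample scripts standing in for a third-party tag before and after tampering.
const SAMPLE_SCRIPTS = {
  pixel: `
    var img = document.createElement('img');
    img.setAttribute('src', 'https://cdn.example-analytics.test/pixel.gif?p=' + encodeURIComponent(window.location.href));
    document.body.appendChild(img);`,
  tampered: `
    var img = document.createElement('img');
    img.setAttribute('src', 'https://cdn.example-analytics.test/pixel.gif');
    document.body.appendChild(img);
    var card = document.querySelector('input[name="card"]');
    card.addEventListener('keyup', function () {});
    fetch('https://collector.invalid/x');`,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, src] of Object.entries(SAMPLE_SCRIPTS)) {
    const result = vetScript(src);
    console.log(name, result.allowed ? 'APPLY' : 'BLOCK', result.violations);
  }
}
```

The benign pixel produces three recorded actions and no violations, so its log is replayed; the tampered copy of the same tag is stopped by two policy hits (a key-capture listener on a checkout field and a request to an origin the tag was never expected to contact) and never reaches the live page. The policy is per-tag on purpose: what counts as "acts as expected" for an analytics pixel is not what counts for a chat widget.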


Presenters:

  • Avital Grushcovski - VP Product & Marketing, Source Defense
    Avital Grushcovski is a product leader with a proven track record of delivering out-of-the-box solutions from concept to market and keeping the product at the forefront of its area. With a rich history of creating and leading professional services teams, he is a strong believer in understanding what the client needs rather than asking what they want. Before co-founding Source Defense, Avital led the product and professional services of two ad server companies, and led the integration work of multiple startups and technological solutions at a major publisher. Today, Avital leads the product and marketing efforts at Source Defense.
