I created GuardScript because in my previous company we started to include more and more third-party JavaScript from SaaS services on our homepage, and this created security risks for us [1] [2].
In order to reassure us, a few of these companies created independently what is essentially GuardScript: a service that monitors every few minutes any changes made to your JavaScript files and sends you a notification with the changes made. You can then detect any malicious modification by analyzing these results. I decided to build it for a broader audience.
I'd love feedback and suggestions on how to make it better.
What do you actually do about an alarm? Okay, I just got an email, check there's no release planned, I go through the diff and, oh crap, my customers are being pwned. Now I'm going to have to drop everything and manually disable those URLs until I can contact the maintainer of this service? I guess that's the unfortunate reality when using SaaS.
I'd want a runbook feature so that anyone getting the email has a procedure to:
* check release notes to identify a false alarm
* if not, identify which source files the URL is used in
* disable those URLs
* flush caches
* confirm they're disabled
* contact the service provider
* roll back when upstream is fixed
Or something like that. Man, I do not miss ops work.
Pricing seems high to me. A sub $10/month plan that lets someone check 30 files once a day or even once a week would be useful.
Plenty of small companies have god awful Wordpress sites with a ton of insecure JavaScript files. They don’t need to be checked every 10 minutes but they do need something to check.
I get relying on 3rd party libraries, but not hosting them yourself and just hoping that the current host never gets sold/owned/etc? That sounds insane to me...
Sounds pretty insane to me too, but I think it is valuable to let people do insane things more securely, as I don't think security concerns are generally a very big deterrent in software development (unfortunately).
And those 3rd party libs can dynamically load other files via script tags. The first level does not even have to change for dynamically loaded scripts to change.
Apart from the "SaaS services" (I mean, are they really services for services?), this seems to boil down to:
"We can't trust SaaS.... so we built a SaaS to alert you when the JS delivered by your SaaS changes...". So now you have to trust this SaaS to tell you that the other SaaS is still trustworthy.
That's the premise behind most security software. We can't trust the internet, so download a firewall from the internet to block traffic from the internet.
For now, GuardScript's goal is for the different SaaS services to use it, not for the individual website owners to use it to monitor the JS of SaaS services.
Thanks!
[1] https://www.theregister.co.uk/2018/09/12/feedify_magecart_ja
[2] https://www.zdnet.com/article/hackers-breach-statcounter-to-...
Can you explain what this means?
Well, many companies that offer you a service don't include the Subresource Integrity tag. Check for instance Stripe: <script src="https://js.stripe.com/v3"></script> or Facebook: <script async defer src="https://connect.facebook.net/en_US/sdk.js"></script>
If they offer you a JavaScript file and it has to change frequently to fix bugs, for instance, they don't want to be bothered with having to coordinate with all their customers to change the subresource integrity tag...
In this case, our service could be an alternative.
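The two options discussed in this thread, as an added example that is not GuardScript's code: the integrity attribute the Stripe and Facebook tags above omit, and the change monitor the opening post describes for vendors who will not keep their file stable. The vendor.example host, the sample script bodies and the function names are constructed for illustration; nothing is fetched over the network.

```python
"""Added example (not GuardScript's code). script_tag() pins a stable vendor
file with a Subresource Integrity attribute; scan() is the alternative when the
vendor keeps changing the file: rehash each fetch and report the diff."""
import base64
import difflib
import hashlib

def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token '<algo>-<base64 digest>' for a script body."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(url: str, body: bytes) -> str:
    """Tag pinned to one exact body; crossorigin is needed for cross-origin SRI."""
    return f'<script src="{url}" integrity="{sri_integrity(body)}" crossorigin="anonymous"></script>'

def scan(known: dict, fetched: dict) -> list:
    """Compare this run's bodies (url -> bytes) with the last clean copies.
    Returns one alert per URL that changed or could not be fetched."""
    alerts = []
    for url, old in known.items():
        new = fetched.get(url)
        if new is None:
            alerts.append({"url": url, "kind": "unreachable", "diff": ""})
        elif sri_integrity(new) != sri_integrity(old):
            diff = "".join(difflib.unified_diff(
                old.decode("utf-8", "replace").splitlines(True),
                new.decode("utf-8", "replace").splitlines(True),
                fromfile=f"{url} (baseline)", tofile=f"{url} (now)"))
            alerts.append({"url": url, "kind": "changed", "diff": diff})
    return alerts

# Constructed sample data (hypothetical vendor host, benign edit): sdk.js is
# unchanged, widget.js gained a line, gone.js no longer resolves.
KNOWN = {
    "https://vendor.example/sdk.js": b"function track(e){send(e)}\n",
    "https://vendor.example/widget.js": b"render();\n",
    "https://vendor.example/gone.js": b"noop();\n",
}
NOW = {
    "https://vendor.example/sdk.js": b"function track(e){send(e)}\n",
    "https://vendor.example/widget.js": b"render();\nlogVersion('2.1');\n",
}

def demo() -> list:
    """Run one monitoring pass over the constructed data."""
    return scan(KNOWN, NOW)
```

In a real deployment `NOW` would be the bodies returned by an HTTP fetch of each `<script src>` on the page, and the `diff` field is what the notification email would carry.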
Does this include HTTP headers? For instance a yay.js framework that helps people print 'yay' to the console could return:
Sounds like curl | insmod /dev/stdin level insane
And of course, that also doesn't really apply if you're using an operating system that includes a firewall by default.
You do you though.