The software uses a variety of signals to flag malicious network requests, including a block list of known malware, suspicious memory reads, and anomaly detection. Feature-based machine learning is planned as well. To prevent false positives, newly discovered suspicious events are first analyzed by an analyst-in-the-loop before being marked as malware. To block data exfiltration more quickly, malicious domain names and events matching known signatures can be blocked automatically without an analyst-in-the-loop review.
Header-based content security policies (CSPs) require reworking much of your existing web app, and take companies up to a year to implement. Further, studies have shown that "99.34% of hosts with CSP use policies" that are not implemented properly, and hence "offer no benefit against XSS".
Browser-based CSPs will only report on network requests that violate the CSP, but provide no insight into network requests that do not violate the CSP. Consequently, if the policy is too weak, the CSP won't allow you to audit the historical requests to see what happened and who was affected. You'd be blissfully unaware that you're missing requests you should be stopping.
Even when a CSP successfully blocks malicious data exfiltration, you still run the risk of violating PCI compliance or disclosing sensitive data in the clear, because the CSP violation report might include the extracted sensitive data (like a credit card number) as part of the request URL.
By contrast, Enchanted Security can be applied in minutes, automagically blocks malicious network traffic in real time, and provides complete auditability of all requests, not just those blocked. It uses filters to make sure that credit card numbers are never included in its reporting, so even when it blocks malware sending credit card numbers, you won't accidentally violate PCI compliance like you would with CSPs.
That said, if you already have a CSP, we recommend keeping it and using CSP and Enchanted Security together.
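If you keep a CSP with reporting enabled, the endpoint that receives violation reports can strip card numbers before anything is stored. The following is an added example, not Enchanted Security's code or part of the original page; the function names and the sample report are constructed for illustration.

```javascript
// Added example: redact payment card numbers (PANs) from a CSP violation
// report before it is logged. All names here are hypothetical.

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Replace 13-19 digit runs (optionally split by space, dash, "+" or "%20")
// that pass Luhn. Runs that fail Luhn, such as millisecond timestamps, are
// kept. Limitation: a PAN glued to further digits is checked as one run.
function redactPans(text) {
  const candidate = /\d(?:(?:[ -]|%20|\+)?\d){12,18}/g;
  return text.replace(candidate, (m) => {
    // Strip separators first; "%20" itself contains digits.
    const digits = m.replace(/%20|[ +-]/g, '');
    return luhnValid(digits) ? '[REDACTED-PAN]' : m;
  });
}

// Walk every string value in the report and return a redacted copy.
function sanitizeCspReport(value) {
  if (typeof value === 'string') return redactPans(value);
  if (Array.isArray(value)) return value.map(sanitizeCspReport);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitizeCspReport(v)]));
  }
  return value;
}

// Constructed sample report; 4111 1111 1111 1111 is a standard test number.
const sampleReport = {
  'csp-report': {
    'document-uri': 'https://shop.example/checkout',
    'violated-directive': 'connect-src',
    'blocked-uri':
      'https://third-party.example/collect?cc=4111%201111%201111%201111&ts=1700000000000',
    'status-code': 200,
  },
};

console.log(JSON.stringify(sanitizeCspReport(sampleReport), null, 2));
```

Run the sanitizer before the report touches any log, queue or database, so the raw URL is never persisted.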
Next, third-party libraries present another security risk. Not all the code served with your website is code written by your company. You likely have many dependencies, like jQuery, React, Bootstrap, or D3. These libraries themselves have many dependencies, as well. You likely also depend on third-party scripts like ads, Google Analytics, Mixpanel, or Optimizely, which themselves depend on many additional libraries. Finally, the CDNs and GitHub repos that host these libraries are themselves attack vectors.
Insider threats are yet another possibility. There have been cases of employees inserting malicious code into software, outside the company's normal code review controls.
Yes, there are many. Here are a few selected cases showing the prevalence and impact of these attacks.
British Airways was fined over $200 million after credit card numbers were stolen from its website due to Magecart. (Link)
Macy's reported customer credit card numbers were stolen directly off its website due to malware. (Link)
Ticketmaster says third-party code is at fault for credit card numbers stolen from its website. (Link)
Crypto startup discovers malware in a third-party library stealing secret keys, hacks itself to save user cryptocurrency. (Link)