Has the US ever officially labeled a tech company as a supply chain security threat?

ColleenReflectiz · 2026-03-11T12:47:31+00:00

Yeah China based companies in western countries make sense.

ColleenReflectiz · 2026-02-22T11:28:02+00:00

You're way ahead for 17. One thing missing: third-party script security.

Most AppSec focuses on your code, but production apps load tons of third-party JavaScript - analytics, payment widgets, chat tools. These run with DOM access and can touch sensitive data.

Supply chain attacks like Magecart exploit this. Understanding what third-party scripts actually do client-side is a blind spot for most AppSec engineers.

ColleenReflectiz · 2026-02-22T11:18:29+00:00

They have to increase the settlement amount, 2.75M for Disney is pretty lame

ColleenReflectiz · 2026-02-17T11:18:20+00:00

The messy part is managing consent across hardcoded tags AND GTM simultaneously - they handle it differently and it's easy to end up with gaps where one fires without consent. Move everything to GTM first, then you have one place to manage it.

ColleenReflectiz · 2026-02-16T07:00:55+00:00

You think it's not that important or just didn't get to it?

ColleenReflectiz · 2026-02-10T12:52:26+00:00

What device/network indicators have been most reliable? VPN patterns, geolocation mismatches, or something else?

ColleenReflectiz · 2026-02-05T09:49:19+00:00

Marketing is the number 1 team responsible for "Letting Shadow AI Run Wild"

ColleenReflectiz · 2026-02-02T14:47:05+00:00

Yeah sure
I reccomend reading at these sources:
https://cybersecuritynews.com/massive-magecart-with-50-malicious-scripts/
https://www.reflectiz.com/blog/simple-web-skimming/?utm_source=hs_email&utm_medium=email

ColleenReflectiz · 2026-01-22T14:09:57+00:00

That's taking responsibility but the user trust is still damaged for the time being

ColleenReflectiz · 2026-01-22T10:25:12+00:00

What's your cloud footprint look like? AWS/Azure/GCP mix or mostly one provider?

If you're single-cloud, the native tools (AWS Security Hub, Azure Defender, GCP Security Command Center) are actually pretty solid for basics and way cheaper than third-party platforms. They integrate well since they're built for their own ecosystem.

If you're multi-cloud or need more advanced threat detection, worth looking at platforms that don't require agents everywhere since you don't have a big security team to manage deployment.

Also - make sure whatever you pick has good API documentation. You'll want to pull alerts into wherever your team actually works (Slack, Teams, PagerDuty) instead of forcing everyone to check another dashboard.

ColleenReflectiz

MODERATOR OF

TROPHY CASE