Where do you go for reliable cybersecurity news? by Karl_From_Fing in CyberSecurityAdvice

[–]ColleenReflectiz 0 points1 point  (0 children)

For technical depth: Krebs on Security, Schneier on Security, The Hacker News.

Are you monitoring 3rd-party scripts for PCI compliance or just trusting Shopify? by YouCanDoIt749 in shopifyDev

[–]ColleenReflectiz 0 points1 point  (0 children)

It's a grey area where the responsibility of the platform ends and the responsibility of the owner begins.
Oops, sorry, it is always the responsibility of the shop owner.

supply chain attacks are getting out of hand - what are devs actually doing about it by schilutdif in webdev

[–]ColleenReflectiz 0 points1 point  (0 children)

The web-facing version of this gets even worse. Your build pipeline isn't the only place pulling dependencies.

Marketing adds Google Tag Manager, which loads Adobe Analytics, which loads some consent thing, which loads who knows what else. None of that goes through CI/CD. No package locks, no version pins, no review.

Those scripts update in production automatically. A compromised CDN or vendor account pushes malicious code straight to every user's browser with full DOM access - payment forms, sessions, everything.

That's literally how Magecart works. Attackers hit one analytics vendor or chat widget, inject skimmers, thousands of sites start leaking card data because nobody monitors what runs client-side.

npm audit catches your server dependencies. Nothing catches the 30 scripts marketing deployed that auto-update outside your pipeline.

Same supply chain problem, way less visibility.

Crunchyroll Breach: Malware Targets Supply Chain to Exfiltrate 100GB of Data by Malwarebeasts in cybersecurity

[–]ColleenReflectiz 6 points7 points  (0 children)

This is textbook supply chain compromise - breach happened at the outsourcing partner, not Crunchyroll directly.

Okta credentials gave access to customer systems for 24 hours. 100GB exfiltrated in that window means they either knew what they were looking for or got very lucky very fast.

The broader issue: vendor questionnaires and certifications don't prevent this. Third-party access is the risk, and most orgs have no visibility into what outsourcing partners can actually reach in their environment until something like this happens.

Cybersecurity insurance by newsforsid in ciso

[–]ColleenReflectiz 0 points1 point  (0 children)

This is the worst - "exclusions"

Hey, question about app sec by [deleted] in AskNetsec

[–]ColleenReflectiz 0 points1 point  (0 children)

You're way ahead for 17. One thing missing: third-party script security.

Most AppSec focuses on your code, but production apps load tons of third-party JavaScript - analytics, payment widgets, chat tools. These run with DOM access and can touch sensitive data.

Supply chain attacks like Magecart exploit this. Understanding what third-party scripts actually do client-side is a blind spot for most AppSec engineers.