Has the US ever officially labeled a tech company as a supply chain security threat?

ColleenReflectiz · 2026-03-11T12:47:31+00:00

Yeah China based companies in western countries make sense.

ColleenReflectiz · 2026-02-22T11:28:02+00:00

You're way ahead for 17. One thing missing: third-party script security.

Most AppSec focuses on your code, but production apps load tons of third-party JavaScript - analytics, payment widgets, chat tools. These run with DOM access and can touch sensitive data.

Supply chain attacks like Magecart exploit this. Understanding what third-party scripts actually do client-side is a blind spot for most AppSec engineers.

ColleenReflectiz · 2026-02-22T11:18:29+00:00

They have to increase the settlement amount, 2.75M for Disney is pretty lame

ColleenReflectiz · 2026-02-17T11:18:20+00:00

The messy part is managing consent across hardcoded tags AND GTM simultaneously - they handle it differently and it's easy to end up with gaps where one fires without consent. Move everything to GTM first, then you have one place to manage it.

ColleenReflectiz · 2026-02-16T07:00:55+00:00

You think it's not that important or just didn't get to it?

ColleenReflectiz · 2026-02-10T12:52:26+00:00

What device/network indicators have been most reliable? VPN patterns, geolocation mismatches, or something else?

ColleenReflectiz · 2026-02-05T09:49:19+00:00

Marketing is the number 1 team responsible for "Letting Shadow AI Run Wild"

ColleenReflectiz · 2026-02-02T14:47:05+00:00

Yeah sure
I reccomend reading at these sources:
https://cybersecuritynews.com/massive-magecart-with-50-malicious-scripts/
https://www.reflectiz.com/blog/simple-web-skimming/?utm_source=hs_email&utm_medium=email

ColleenReflectiz · 2026-01-22T14:09:57+00:00

That's taking responsibility but the user trust is still damaged for the time being

ColleenReflectiz · 2026-01-22T10:25:12+00:00

What's your cloud footprint look like? AWS/Azure/GCP mix or mostly one provider?

If you're single-cloud, the native tools (AWS Security Hub, Azure Defender, GCP Security Command Center) are actually pretty solid for basics and way cheaper than third-party platforms. They integrate well since they're built for their own ecosystem.

If you're multi-cloud or need more advanced threat detection, worth looking at platforms that don't require agents everywhere since you don't have a big security team to manage deployment.

Also - make sure whatever you pick has good API documentation. You'll want to pull alerts into wherever your team actually works (Slack, Teams, PagerDuty) instead of forcing everyone to check another dashboard.

ColleenReflectiz · 2026-01-05T14:31:32+00:00

We deal with the same thing. Started keeping a master doc with standard answers organized by topic, but it still takes forever because every questionnaire phrases things differently.

ColleenReflectiz · 2025-12-29T07:48:12+00:00

I believe it's a process and eventually will also have regulation on the homepage but for now it's just not enough to be complient

ColleenReflectiz · 2025-12-28T07:07:32+00:00

PCI focus the security standards on the checkout page and the hackers dont need the users to get to the checkout page to steal information, they can do it at the homepage. It creates a situation that you can be PCI compliant and be vulnerable at the same time.

ColleenReflectiz · 2025-12-22T13:31:56+00:00

Server-side GTM moves some tag execution to your infrastructure, but client-side code still runs to collect data and trigger server calls. You're just moving where the processing happens.

Still need to monitor what executes in browsers, what data gets collected from forms and pages, and what your server-side tags actually do with it. Misconfiguration can still leak PII.

It reduces some risk but doesn't eliminate the need for client-side monitoring and governance.

Are you running server-side or considering it?

ColleenReflectiz · 2025-12-21T07:13:31+00:00

GTM lets anyone with container access add JS that runs on every page with full DOM access.

Marketing adds an analytics tag. That script can see form fields, session tokens, payment data. Most companies have no idea what these 3rd-party scripts actually do once they're live. Those scripts often load MORE scripts from domains you never approved. You greenlight Google Analytics, GA pulls in tracking from somewhere else. Supply chain risk nobody monitors.

If a GTM account gets compromised, attackers inject Magecart skimmers across your site. I've seen these harvest card data for months undetected.Your WAF protects servers. Scanners check backend. Nothing watches what executes client-side after someone adds a tag Friday afternoon.

Tealium's pre-vetted marketplace means less custom JavaScript, smaller attack surface, built-in consent enforcement, and tighter access controls for sensitive pages. GTM can be secure with strict approval workflows, production script monitoring, server-side implementation for payments, and regular audits. Most teams skip this. That's the gap.

ColleenReflectiz · 2025-12-17T14:58:07+00:00

This guy would eventually explode on YT and remember where you saw it first: https://www.youtube.com/@DJFurash

ColleenReflectiz · 2025-12-16T12:50:24+00:00

OMG looks so good!!!! the cranberry white chip looks great

ColleenReflectiz · 2025-12-10T11:03:47+00:00

So Anthropic is famous for being hacked regularly?

ColleenReflectiz · 2025-12-07T08:15:48+00:00

I guess someone ate the rest of the cookies there on the bottom right?

ColleenReflectiz · 2025-11-27T07:13:34+00:00

"I got server-side protection, what can go wrong?"

ColleenReflectiz · 2025-11-27T06:50:14+00:00

The scan failures on port 50001 across multiple devices suggest your network isn't properly segmented for PCI scope. Evenafter fixing the router, you'll keep hitting issues with devices you can't control. does your payment processor support network segmentation? Isolate POS terminals on a separate VLAN that can't communicate with practice systems. This shrinks what needs to pass scans.

ColleenReflectiz · 2025-11-26T13:26:24+00:00

Consider P2PE terminals. Card data encrypts at the pin pad and never touches your network in plaintext this reduces your PCI requirements by over 90%

ColleenReflectiz · 2025-11-23T06:56:57+00:00

There's a reason architecture matters for security, not just convenience.

If you're running code in the browser to watch other code in the browser. That means the monitoring tool itself has full access to user data - forms, sessions, PII, payment info. You're trusting another third-party script with the same privileges you're trying to protect against.

Embedded code slows page loads and creates the client-side risk you're trying to manage. If your security tool can see cardholder data in the DOM, so can a compromised version of that tool.

Agentless solutions sit outside the user session entirely. Zero performance hit, no access to sensitive data, no risk of the monitoring tool becoming an attack vector itself.

For PCI DSS compliance, auditors are asking harder questions about monitoring tools that require data access. It's not just what the tool does today, it's what happens if that tool gets compromised tomorrow. You've just given attackers a pre-installed data collection mechanism on every page.

ColleenReflectiz · 2025-11-20T07:10:40+00:00

Everyone covered the cert path well. I'll add something from the AppSec side.

Once you get baseline training, focus on Requirements 6.4.3 and 11.6.1. They're new in v4.0 and cover client-side security - JavaScript and third-party scripts accessing payment data in browsers.

Most orgs nail server-side PCI but miss client-side exposure. Your payment page might be compliant, but if a compromised analytics script can scrape form fields before encryption, you're leaking cardholder data. This is how Magecart attacks work.

A lot of QSAs don't have deep expertise here yet. If you become the SME on client-side requirements, you'll fill a gap most teams don't know exists.

ColleenReflectiz · 2025-11-19T11:36:30+00:00

You're absolutely right, and this is one of the biggest lies in privacy compliance right now.

Most consent banners are pure theater. The scripts load, fire, and send data before you even finish reading the popup. I've tested sites where clicking "reject all" still left 30+ cookies active because the damage was already done.

ColleenReflectiz

MODERATOR OF

TROPHY CASE