What is software supply chain risk?
Most web apps are built with and depend on numerous third-party libraries and frameworks. What happens if one of those packages gets compromised? Would you know?
- Consumer credit card numbers remain a lucrative target for hackers. Magecart-style skimmers are injected into the JavaScript of checkout pages on popular e-commerce sites and silently copy card details as shoppers type them.
- Because many cryptocurrency transactions are hard to trace back to the people behind them, hackers often inject mining scripts that hijack visitors' browsers and burn their CPU time mining cryptocurrency (cryptojacking).
- Even sites that handle no payments are targets if hackers want your users' login credentials. Injected code captures the credentials and silently exfiltrates them to attacker-controlled systems, often via background XHR or WebSocket requests that the user never sees.
- Hackers may also go after your users' machines directly, either through browser vulnerabilities or by tricking users into downloading and installing malicious software. A compromised machine can then be enrolled in a botnet for further abuse.
- Hackers may exploit lax review at ad networks and inject malicious code into ads that behave normally during review. Only once the ads go live on the network are users served the attacker's code (malvertising).
Use your existing GitHub account
Driftbot uses a headless Chrome browser to visit your site the way a real user would. You can monitor a single page, or record and replay a series of user flows and interactions to mimic real user behavior more closely. Driftbot runs as a GitHub Action in any public or private repository.
When the bot observes a connection to a host that is not on your approved list, it opens an issue alerting you to the detection. You can then review the details and decide whether that host should be approved. A full log of third-party connections is written to the GitHub Action run logs for later inspection.
You can run the bot on a schedule or trigger it manually, just like any other GitHub Action.
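As an added illustration of the detection step described above (example code written for this page, not Driftbot's own implementation): given the request URLs a headless-browser run recorded, reduce them to the distinct hosts contacted, compare them against an approved-host list, and produce the list that would go into an alert. The approved hosts, the `*.suffix` wildcard syntax, and the sample request URLs are all constructed assumptions.

```javascript
// Added example: allowlist-based detection of unknown third-party hosts.
// Not Driftbot's code; the approved-host list, wildcard syntax and request
// URLs below are constructed for illustration only.

// Hostnames (or "*.suffix" patterns) the site owner has reviewed and approved.
// Note: "*.example.com" covers subdomains only; the apex "example.com" must
// be listed explicitly if the site contacts it.
const APPROVED_HOSTS = [
  'shop.example.com',          // first-party origin
  '*.example.com',             // first-party subdomains (cdn., api., ...)
  'js.stripe.com',             // payment provider script
  'www.google-analytics.com',  // analytics
];

// Exact match, or a "*." pattern that matches subdomains only. Suffix matching
// is anchored on the leading dot so a look-alike such as
// "cdn.example.com.evil-cdn.net" does not match "*.example.com".
function hostMatches(host, pattern) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern;
}

function isApproved(host, approved = APPROVED_HOSTS) {
  return approved.some((pattern) => hostMatches(host, pattern));
}

// Reduce observed request URLs (e.g. collected with Puppeteer's
// page.on('request', r => urls.push(r.url()))) to the sorted set of distinct
// network hosts, skipping data:, blob: and other non-network schemes.
function collectHosts(requestUrls) {
  const hosts = new Set();
  for (const raw of requestUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      continue; // unparseable entry: nothing to attribute to a host
    }
    if (['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol)) {
      hosts.add(url.hostname.toLowerCase());
    }
  }
  return [...hosts].sort();
}

// Hosts contacted during the run that are not on the allowlist: these are the
// candidates for an alert (the GitHub issue in Driftbot's case).
function findUnknownHosts(requestUrls, approved = APPROVED_HOSTS) {
  return collectHosts(requestUrls).filter((host) => !isApproved(host, approved));
}

// Render the alert body the way a reviewer would want to read it.
function formatAlert(unknownHosts) {
  if (unknownHosts.length === 0) return 'No unknown third-party hosts observed.';
  return ['Unknown third-party hosts observed:', ...unknownHosts.map((h) => `- ${h}`)].join('\n');
}

// Constructed sample of what a headless-browser run might record on a checkout page.
const SAMPLE_REQUESTS = [
  'https://shop.example.com/checkout',
  'https://cdn.example.com/app.js',
  'https://js.stripe.com/v3/',
  'https://www.google-analytics.com/analytics.js',
  'data:image/png;base64,iVBORw0KGgo=',           // inline data, no network host
  'https://cdn.example.com.evil-cdn.net/ga.js',    // look-alike of an approved subdomain
  'wss://collect.evil-cdn.net/socket',             // background WebSocket channel
  'https://example.com/',                          // apex: not covered by *.example.com
];

console.log(formatAlert(findUnknownHosts(SAMPLE_REQUESTS)));
```

Running it against the constructed sample flags `cdn.example.com.evil-cdn.net`, `collect.evil-cdn.net` and `example.com`; the first two are the kind of hosts a skimmer or credential-exfiltration script would contact, while the third shows why an allowlist should be reviewed rather than blindly widened: the fix is to add the apex explicitly, not to loosen the wildcard into a bare substring match.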
Automated code analysis