THIRD PARTY CONTENT: THE WEAK LINK IN YOUR CHAIN?
Simon Hearne, Principal Engineer @ Akamai
@SimonHearne
A presentation at Akamai DPM Meetup in June 2018 in London, UK by Simon Hearne
THE MODERN WEB WORKFLOW 101
make something → test it → ship it → ... put tags on it
WHAT I'VE LEARNED IN 5 YEARS
We seem to have less control than ever, and there are increasingly more third-party providers.
HOW I THINK I CAN HELP YOU
1. Understand the risk they pose
2. Discover and identify third-party tags
3. How to monitor and measure tags
4. Building a business case for tags
TAGS SERVE BUSINESS GOALS
Measurement & Analytics; Ads & Retargeting; "Optimization" & Testing; Comments & Live Chat; Tag Management
BUT WHAT ABOUT THE RISK?

RISK 1: CODE QUALITY
78.7% of top 500k sites include JS with known vulnerabilities
beta.httparchive.org/reports/state-of-the-web#pctVuln
CRYPTOJACKING
www.theverge.com/2018/3/22/17147320/cryptojacking-8500-percentage-points-bitcoin-monero-spike-symantec-security-mining
IT HAPPENS TO THE BIGGEST PLAYERS
twitter.com/nytimes/status/3958547840
UNINTENTIONAL DATA COLLECTION
Website tracking is a "security disaster waiting to happen"
freedom-to-tinker.com/2018/02/26/no-boundaries-for-credentials-password-leaks-to-mixpanel-and-session-replay-companies/
XSS VULNERABILITIES
randywestergren.com/widespread-xss-vulnerabilities/
DIFFERENT RELEASE SCHEDULES
How do you know when it changes?

    <script src="//s7.addthis.com/addthis_widget.js" async></script>

The tag points at an unversioned URL, so the vendor can change what that URL serves at any time, on their release schedule, with no change on your side.
www.addthis.com
JUST PLAIN THOUGHTLESS
discuss.newrelic.com/t/do-not-clear-the-resource-timing-buffer/
CODE QUALITY: How do they protect themselves? How do they protect your customers?
RISK 2: AVAILABILITY

AVAILABILITY = USER AVAILABILITY
- Government / ISP interference
- Content blocking (~10% of users*)
- Random issues (1% of JS fails to load*)
DO THEY FAIL GRACEFULLY? (three video clips, 0:06 / 0:08 / 0:08)
ARE THEY USING A CDN? (& IS IT AS GOOD AS YOURS?)

WHAT IS THEIR SLA FOR AVAILABILITY? (& IS IT AS GOOD AS YOURS?)
Optimizely support plans
AVAILABILITY: What happens when they fail? How often could they fail?
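The "fail gracefully" question above is one the page can answer for itself. The following is an added example, not code from the talk or from any vendor: a buffering facade that sits between page code and a third-party API, so that a tag which is blocked, slow or broken never throws into the page. The vendor name, its `track`/`open` methods and the fake vendor object are invented for the demo.

```javascript
// Added example (not from the slides): a buffering facade for a third-party API,
// so page code never depends on the vendor script having loaded. Calls made before
// the script arrives are queued; if the script fails or times out, queued calls are
// dropped and the failure is reported once. Vendor names and methods are invented.

function createThirdPartyFacade(name, { timeoutMs = 3000, onFailure = () => {} } = {}) {
  let api = null;          // the vendor object once it is available
  let failed = false;
  const queue = [];        // [method, args] pairs waiting for the vendor
  const timer = setTimeout(() => fail('timeout after ' + timeoutMs + 'ms'), timeoutMs);
  if (timer && typeof timer.unref === 'function') timer.unref(); // Node only: don't keep the process alive

  function fail(reason) {
    if (api || failed) return;
    failed = true;
    clearTimeout(timer);
    queue.length = 0;      // drop buffered calls rather than erroring later
    onFailure(name, reason);
  }

  function ready(vendorApi) {
    if (failed) return;    // arrived after we gave up: keep the page's decision
    clearTimeout(timer);
    api = vendorApi;
    for (const [method, args] of queue.splice(0)) invoke(method, args);
  }

  function invoke(method, args) {
    try {
      if (typeof api[method] === 'function') return api[method](...args);
    } catch (err) {
      // a vendor exception must never propagate into page code
      onFailure(name, 'exception in ' + method + ': ' + err.message);
    }
    return undefined;
  }

  function call(method, ...args) {
    if (api) return invoke(method, args);
    if (!failed) queue.push([method, args]);
    return undefined;
  }

  return { call, ready, fail, isFailed: () => failed, pending: () => queue.length };
}

// Constructed demo: a fake vendor whose "track" method records events.
const events = [];
const fakeVendor = { track: (e) => { events.push(e); return events.length; } };

const analytics = createThirdPartyFacade('analytics', {
  onFailure: (vendor, why) => console.warn(vendor + ' unavailable: ' + why),
});
analytics.call('track', 'pageview');     // buffered: vendor not loaded yet
analytics.ready(fakeVendor);             // in a page: the script tag's onload handler
analytics.call('track', 'add-to-cart');  // passes straight through now

const chat = createThirdPartyFacade('livechat', { onFailure: () => {} });
chat.call('open');
chat.fail('script blocked by client');   // in a page: the script tag's onerror handler
chat.call('open');                        // ignored, no exception for the page
```

In a page, `ready()` is wired to the vendor script's `onload` and `fail()` to its `onerror`; the timer covers the case the slides describe where the script neither loads nor errors, just hangs. Whether dropping the buffered calls is acceptable is a product decision per tag (lost analytics events are usually fine; a lost payment-widget call is not), which is exactly what the "what happens when they fail?" question is asking.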
RISK 3: PERFORMANCE

SELF-POLICING ISN'T GOOD ENOUGH
status.optimizely.com

TOOLS AREN'T EQUAL
orangevalley.nl/en/blog/9-ab-testing-tools-compared-on-site-speed-impact/
RESOURCE TIMING IS THE HERO WE NEED
https://www.w3.org/TR/resource-timing-1/

RESOURCE TIMING IS THE HERO WE NEED... NOT WITHOUT TIMING-ALLOW-ORIGIN
Unless the third party sends a Timing-Allow-Origin header that matches your origin, a cross-origin entry exposes only its start time, fetch start, response end and duration; the DNS, connect, request and response timings and the transfer sizes are zeroed.
nicj.net/resourcetiming-visibility-third-party-scripts-ads-and-page-weight/
CPU IS OUR BIGGEST BOTTLENECK ⏳

THE MOST FRUSTRATING PERF BUG, EVER

DEVICES ARE NOT AFFECTED EQUALLY
Fast Fashion... How Missguided revolutionised their approach to site performance
PERFORMANCE: Does their performance affect yours? Do they let you measure them?
ACTIONS TO TAKE (matrix slide)
Columns: Discovery, Impact, Reporting, Code Quality, Availability, Data Leakage, Performance, Removal
(cells marked ✔ or •)
STAGE 1: FIND OUT WHAT'S THERE
RequestMap

SYNTHETIC TESTING

SYNTHETIC TESTING (WEBPAGETEST)
CONDUCTING AN AUDIT
Identifying, Auditing, and Discussing Third Parties - CSS Wizardry

REAL USER MONITORING
[RUM pivot table: Sum of FREQ by PAGEGROUPNAME (Checkout, Product Detail Page, Shopping cart, homepage, search results, store locator, wishlist, ...) x HOST: around 150 third-party hosts, including ad.doubleclick.net, connect.facebook.net, www.google-analytics.com, beacon.krxd.net, dpm.demdex.net, cdn.doubleverify.com, fastlane.rubiconproject.com, static.criteo.net, sb.scorecardresearch.com, stags.bluekai.com and several *.cloudfront.net distributions]
STAGE 2: DETERMINE THE IMPACT

SYNTHETIC TESTING (WEBPAGETEST)

RESOURCE IMPACT FROM RUM
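Stage 1 (find out what's there) and Stage 2 (impact from RUM) both come down to walking the Resource Timing entries the browser already collects. The following is an added example, not code from the talk or from mPulse: it separates first-party from third-party hosts, flags entries whose server omitted Timing-Allow-Origin, and totals requests, bytes and time per third-party host. The sample entries and vendor hostnames are constructed; in a page the input would be `performance.getEntriesByType('resource')`.

```javascript
// Added example (not from the slides): classify Resource Timing entries into first-
// and third-party hosts, flag entries whose server omitted Timing-Allow-Origin, and
// aggregate the per-host impact. In a browser the input is
// performance.getEntriesByType('resource'); the entries and vendor hosts below are
// constructed so the code runs offline.

// Registrable-domain heuristic: last two labels, or three for a few two-label public
// suffixes. A production tool should use the Public Suffix List instead.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp', 'com.br']);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const keep = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

function isThirdParty(resourceUrl, pageOrigin) {
  return registrableDomain(new URL(resourceUrl).hostname) !==
         registrableDomain(new URL(pageOrigin).hostname);
}

// Without Timing-Allow-Origin the browser zeroes the detailed timings and the size
// attributes of a cross-origin entry; only startTime, fetchStart, responseEnd and
// duration survive. Zeroed requestStart/responseStart/transferSize is the tell
// (a cache hit also has transferSize 0, but keeps its timing fields).
function taoRestricted(entry) {
  return entry.requestStart === 0 && entry.responseStart === 0 && entry.transferSize === 0;
}

function summariseThirdParties(entries, pageOrigin) {
  const byHost = new Map();
  for (const e of entries) {
    if (!isThirdParty(e.name, pageOrigin)) continue;
    const host = new URL(e.name).hostname;
    const row = byHost.get(host) ||
      { host, requests: 0, bytes: 0, totalMs: 0, blindRequests: 0 };
    row.requests += 1;
    row.totalMs += e.duration;
    if (taoRestricted(e)) row.blindRequests += 1;  // bytes and timings unknown
    else row.bytes += e.transferSize;
    byHost.set(host, row);
  }
  return [...byHost.values()].sort((a, b) => b.totalMs - a.totalMs);
}

// Constructed sample shaped like PerformanceResourceTiming objects (values invented).
const SAMPLE_ENTRIES = [
  { name: 'https://www.example.co.uk/app.js',              duration: 120, requestStart: 30, responseStart: 80,  transferSize: 45000 },
  { name: 'https://static.example.co.uk/main.css',         duration: 60,  requestStart: 20, responseStart: 40,  transferSize: 12000 },
  { name: 'https://tags.vendor-a.example/tag.js',          duration: 210, requestStart: 0,  responseStart: 0,   transferSize: 0 },
  { name: 'https://pixel.vendor-c.example/collect?x=1',    duration: 340, requestStart: 0,  responseStart: 0,   transferSize: 0 },
  { name: 'https://cdn.vendor-b.example/js/experiment.js', duration: 480, requestStart: 50, responseStart: 300, transferSize: 98000 },
  { name: 'https://cdn.vendor-b.example/js/extra.js',      duration: 90,  requestStart: 0,  responseStart: 0,   transferSize: 0 },
];

const THIRD_PARTY_REPORT = summariseThirdParties(SAMPLE_ENTRIES, 'https://www.example.co.uk/');
for (const row of THIRD_PARTY_REPORT) {
  console.log(row.host, row.requests + ' req', row.totalMs + 'ms', row.bytes + ' B',
              row.blindRequests ? '(' + row.blindRequests + ' without Timing-Allow-Origin)' : '');
}
```

The `blindRequests` column is the practical output of the Timing-Allow-Origin point made earlier: a vendor with a high count there is one you cannot measure from RUM, and asking them to add the header is a concrete item for the third-party policy discussed later. The duration you do get for those entries is still real, so the sort order holds.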
ADVERTISING PARTNERS
Partner 1 = ~400ms slower than partner 2
Migrating all ads = ~100ms faster page load
Additional revenue: $8,000 per month
(Large US publishing company)
"Everything should have a value, because everything has a cost" - Tim Kadlec
STAGE 3: MEASURE THEM AND REPORT ON THEM

CONTENT SECURITY POLICY (REPORT-ONLY)
Sample violation report as received by a report-uri endpoint:

    {
      "csp-report": {
        "document-uri": "https://yourwebsite.com/",
        "referrer": "",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "",
        "disposition": "enforce",
        "blocked-uri": "inline",
        "line-number": 4,
        "column-number": 3,
        "source-file": "6",
        "status-code": 0,
        "script-sample": ""
      }
    }

(A policy delivered in a Content-Security-Policy-Report-Only header reports "disposition": "report"; "enforce" means the load was actually blocked. In report-only mode nothing is blocked, so the blocked-uri values are simply an inventory of what the pages load.)
report-uri.com
SYNTHETIC TESTING

RUM: the best way to monitor resources, even with its limitations

WATERFALLS
Akamai mPulse
ACTIONS TO TAKE (matrix slide)
Columns: Discovery, Impact, Reporting, Code Quality, Availability, Data Leakage, Performance, Removal
Rows: Synthetic, RUM, CSP (report-only) (cells marked ✔ or •)
STAGE 4: DEFEND OURSELVES

CONTENT SECURITY POLICY
caniuse.com/#feat=contentsecuritypolicy2
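The report-only run in Stage 3 and the enforced policy in Stage 4 are two ends of one pipeline: collect violation reports, reduce them to the origins the site really loads, then turn that allow-list into a policy you can enforce. The following is an added example, not code from the talk or from report-uri.com, showing that reduction on a constructed batch of reports; the vendor hostnames and the `report()` helper that fabricates the sample payloads are invented.

```javascript
// Added example (not from the slides): reduce a batch of CSP violation reports (the
// JSON a report-uri endpoint receives under Content-Security-Policy-Report-Only) to the
// third-party origins the pages actually load, then emit a draft enforceable policy from
// that allow-list. The reports and vendor hosts below are constructed.

function parseCspReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r) throw new Error('not a csp-report payload');
  return {
    page: r['document-uri'],
    // older browsers send only violated-directive, possibly with its value list attached
    directive: (r['effective-directive'] || r['violated-directive']).split(' ')[0],
    blocked: r['blocked-uri'],
    disposition: r.disposition || 'enforce',  // "report" for a Report-Only header
  };
}

// Only network sources become allow-list candidates; "inline", "eval", "data" and
// similar keywords need a design decision (nonce, hash, removal), not an origin.
function sourceOf(blockedUri) {
  try {
    const u = new URL(blockedUri);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.origin : null;
  } catch (e) {
    return null;
  }
}

function aggregate(bodies) {
  const sources = new Map();     // directive -> Map(origin -> count)
  const nonNetwork = new Map();  // directive -> Map(keyword -> count)
  for (const body of bodies) {
    const rep = parseCspReport(body);
    const origin = sourceOf(rep.blocked);
    const bucket = origin ? sources : nonNetwork;
    const key = origin || rep.blocked;
    if (!bucket.has(rep.directive)) bucket.set(rep.directive, new Map());
    const counts = bucket.get(rep.directive);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return { sources, nonNetwork };
}

// Draft policy: 'self' plus every origin seen at least minCount times. The threshold
// filters one-off noise (browser extensions, a single user's proxy) out of the list.
function draftPolicy(agg, minCount = 1) {
  const parts = [];
  for (const [directive, counts] of agg.sources) {
    const origins = [...counts].filter(([, n]) => n >= minCount).map(([o]) => o).sort();
    parts.push([directive, "'self'", ...origins].join(' '));
  }
  return parts.join('; ');
}

// Helper to fabricate sample payloads in the shape a browser POSTs.
function report(page, directive, blocked, extra = {}) {
  return JSON.stringify({ 'csp-report': Object.assign({
    'document-uri': page, 'violated-directive': directive, 'effective-directive': directive,
    'blocked-uri': blocked, disposition: 'report' }, extra) });
}

// Constructed reports: what a few days of Report-Only traffic might look like.
const SAMPLE_REPORTS = [
  report('https://yourwebsite.com/', 'script-src', 'https://tags.vendor-a.example/tag.js'),
  report('https://yourwebsite.com/checkout', 'script-src', 'https://tags.vendor-a.example/tag.js'),
  report('https://yourwebsite.com/', 'script-src', 'https://cdn.vendor-b.example/lib.js'),
  report('https://yourwebsite.com/', 'script-src', 'inline', { 'line-number': 4 }),
  report('https://yourwebsite.com/', 'img-src', 'https://pixel.vendor-c.example/p.gif'),
];

const CSP_AGGREGATE = aggregate(SAMPLE_REPORTS);
const CSP_DRAFT = draftPolicy(CSP_AGGREGATE);
console.log('Content-Security-Policy: ' + CSP_DRAFT);
```

Two caveats before the draft goes into an enforcing header. Allow-listing an origin trusts everything served from it, so a shared CDN origin in `script-src` is a wide grant; nonces or hashes with `'strict-dynamic'` are the tighter option where the tag manager supports them. And the `nonNetwork` bucket (here one `inline` script) must be resolved explicitly, because a policy that blocks an inline snippet the tag manager relies on takes every downstream tag with it.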
SUB-RESOURCE INTEGRITY

    <link rel="stylesheet"
          href="//maxcdn.bootstrapcdn.com/.../bootstrap.min.css"
          integrity="sha256-8EtRe6XWoFEEhWiaPkLaw...= sha512-/5KWJw2mvMO2ZM5fndVxU...="
          crossorigin="anonymous">

    <script src="//ajax.googleapis.com/.../jquery.min.js"
            integrity="sha256-ivk71nXhz9nsyFDoYoGf2...= sha512-7aMbXH03HUs6zO1R+pLye...="
            crossorigin="anonymous"></script>
SERVICE WORKER

    // Race every third-party script against a 2s timer so a hung vendor cannot
    // block the page; a synthetic 408 is returned instead of waiting forever.
    function timeout(delay) {
      return new Promise(function (resolve) {
        setTimeout(function () {
          resolve(new Response('', { status: 408, statusText: 'Request timed out.' }));
        }, delay);
      });
    }

    self.addEventListener('fetch', function (event) {
      // Only race JavaScript files for now (test the path, so "tag.js?id=..." still matches)
      if (/\.js$/.test(new URL(event.request.url).pathname)) {
        // Pass the Request itself, not its URL: a <script> request is mode "no-cors",
        // whereas fetch(url) defaults to "cors" and fails for vendors without CORS headers
        event.respondWith(Promise.race([timeout(2000), fetch(event.request)]));
      } else {
        event.respondWith(fetch(event.request));
      }
    });

A service worker only controls pages in its scope once it has installed, so the first visit is unprotected, and the race turns a slow script into a failed one, which is only an improvement if the page handles that failure gracefully (see RISK 2).
calendar.perfplanet.com/2015/reducing-single-point-of-failure-using-service-workers/
SCRIPT MANAGER

SELF-HOSTING / PROXYING ☔
vwo.com/knowledge/host-vwo-javascript-files-on-your-server/
community.akamai.com/community/web-performance/blog/2016/01/13/5-ways-to-prevent-slow-3rd-party-front-end-services
ACTIONS TO TAKE (matrix slide)
Columns: Discovery, Impact, Reporting, Code Quality, Availability, Data Leakage, Performance, Removal
Rows: Synthetic, RUM, CSP (report-only), SRI / Versioning, CSP, Service Worker, Self Hosting (cells marked ✔ or •)
THIRD-PARTY POLICY
What does it do? Who uses it? What's the risk to the site? How do you remove it?

THIRD-PARTY CONTENT MAY BE A WEAK LINK, BUT IT'S HERE TO STAY
FIVE THINGS YOU CAN DO THIS WEEK:
1. Know what's there (requestmap)
2. Measure their performance (WPT / mPulse)
3. Share the data (dashboards)
4. Have a solid defense (SRI & CSP)
5. Have a third-party policy (with IT & business)
FURTHER READING
https://www.soasta.com/solutions/3rd-party-management/

THANK YOU, GOOD LUCK!
@SimonHearne
webperf.ninja/tools
shearne@akamai.com