Security researchers at Feroot are warning application security professionals of the client-side security risk associated with unprotected cookie structures. Because cookies are so ubiquitous with all website types—from e-commerce and banking to social networks and SaaS applications—organizations need to be aware of the privacy and data exploitation risks associated with poor cookie security.

Can you name the top cybersecurity risks for banking and investment? Most would probably list cyber attacks like phishing, credential theft, DDoS, and maybe ransomware. But would it surprise you to learn that there is something on the list that many in the banking and investment industry forget–and that’s client-side cybersecurity threats. You know the kind…the ones related to jQuery, cross-site scripting (XSS), JavaScript injections, formjacking, etc.

A few weeks ago we wrote about the “creepy, problematic, and potentially illegal” problems associated with web tracker security—in particular, the security risks of Facebook’s Meta Pixel, its ability to collect and use sensitive healthcare data, and the risks of hospital privacy lawsuits.

When it comes to client-side security, creating and deploying a content security policy (CSP) can serve as a solid starting point. To deploy a content security policy, you must first identify assets, including first- and third-party resources that will be loaded in the browser when a user visits your website. For those who haven’t heard of a content security policy (CSP), you probably know that it’s easier said than done. Let’s talk about what those steps are to deploy a CSP.

When it comes to security and healthcare, most patients expect, at the very least, doctor-patient confidentiality. If web trackers are embedded within the JavaScript on a healthcare website you expect full security. I mean, you shouldn’t have to worry about someone working at Facebook knowing your personal healthcare information, like the details of a doctor’s appointment, right?

I am a credit card skimming attack victim. It happened about eight weeks ago, and to this day, we’re still dealing with the repercussions. This is a true story. (Although I did substitute a few facts to protect the innocent.) And yes, while I work for Feroot, and this is appearing in our blog, I think it is important that cybersecurity professionals hear first hand from a card skimming attack victim—someone who is like every other customer that their business supports.