
DORA Act Website Compliance: A Comprehensive Guide for Tech Founders

Jörn Menninger

Website browser window with a security lock icon and the DORA logo.

Management Summary DORA Act Website Compliance:


The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation, applicable since 17 January 2025, that aims to ensure that financial entities can withstand, respond to and recover from ICT disruptions. While many companies focus on securing their core systems, DORA's third-party risk and monitoring obligations also reach the public website, in particular the third-party scripts it loads into visitors' browsers: chatbots, analytics tags, A/B testing tools and other dynamic assets. This blog post provides a guide for tech founders and entrepreneurs on understanding the DORA Act website requirements, managing third-party scripts, implementing active monitoring, and establishing an effective incident response and reporting process.


Our Sponsor Vanta (Recommended in the Episode)

Vanta automates security and compliance for frameworks like ISO 27001, SOC 2, and more—so you’re always audit-ready without the stress and manual work. No more endless spreadsheets, no last-minute panic. With real-time monitoring and automated security questionnaires, Vanta saves you time, effort, and money—so you can focus on growing your business.


Over 9,000 companies, including Atlassian, Flo Health, and Quora, already trust Vanta to manage security seamlessly.


Make compliance simple—get $1,000 off now at vanta.com/startupradio.


Understanding the DORA Act and its Requirements

The DORA Act, or Digital Operational Resilience Act (Regulation (EU) 2022/2554), is an EU regulation that standardizes how financial entities manage ICT risk. It has applied since 17 January 2025 to a wide range of financial entities, including banks, insurance companies, investment firms, payment institutions and crypto-asset service providers, and it also places critical ICT third-party service providers under direct supervisory oversight. Its requirements fall into five areas: ICT risk management, ICT incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. For a website, the third-party risk and incident reporting obligations are the ones that matter most.


Identifying and Managing Third-Party Dependencies

Websites often rely on third-party dependencies such as chatbots, analytics tools, A/B testing tags, and social media plugins to enhance functionality and user experience. Each of these is code that the visitor's browser fetches from the vendor's servers at page load: the site operator does not host it, cannot review a fixed version of it, and may itself be served different content from what visitors receive. A compromised or misbehaving script runs with the same access to the page as the site's own code, including form fields, session data and cookies. DORA's ICT third-party risk requirements therefore apply here: such dependencies need to be inventoried (including the further scripts they load themselves), assessed for vendor risk, and continuously monitored.
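The first step of that inventory can be done statically. The following is an added example, not code from the original page or from c/side, that extracts the external script and iframe dependencies from a server-rendered HTML page, classifies them as first- or third-party, notes which ones are pinned with Subresource Integrity, and derives a Content-Security-Policy allowlist from the result. The sample page and every hostname in it (bank.example, chatvendor.example and so on) are constructed for illustration.

```javascript
// Added example (not from the original page or from c/side): inventory the external
// script and iframe dependencies of a page and derive a CSP allowlist from them.
// SAMPLE_HTML and all hostnames in it are constructed for illustration.

const SITE_ORIGIN = "https://bank.example";

const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib/jquery-3.7.1.min.js"
        integrity="sha384-exampleDigestNotReal" crossorigin="anonymous"></script>
<script src="https://widget.chatvendor.example/loader.js" async></script>
<script>window.analyticsId = "ua-123";</script>
<script src="//tags.analytics.example/tag.js"></script>
</head><body>
<iframe src="https://booking.partner.example/embed?hotel=42"></iframe>
</body></html>`;

// Resolve absolute, protocol-relative ("//host/...") and site-relative src values to an origin.
function originOf(src, siteOrigin = SITE_ORIGIN) {
  return new URL(src, siteOrigin).origin;
}

// Collect every <script> and <iframe> that loads an external resource. A regex is
// sufficient for a static audit of server-rendered HTML; scripts that other scripts
// inject at runtime (sub-dependencies) are only visible by observing the live page.
function inventory(html, siteOrigin = SITE_ORIGIN) {
  const tagRe = /<(script|iframe)\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*["']([^"']*)["']/g;
  const deps = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) attrs[attr[1].toLowerCase()] = attr[2];
    if (!attrs.src) continue; // inline scripts are first-party code, not a dependency
    const origin = originOf(attrs.src, siteOrigin);
    deps.push({
      tag: tag[1].toLowerCase(),
      src: attrs.src,
      origin,
      thirdParty: origin !== siteOrigin,
      sri: Boolean(attrs.integrity), // Subresource Integrity pins the exact bytes served
    });
  }
  return deps;
}

// Summarise: how many third parties, which third-party scripts are not pinned, and a
// Content-Security-Policy fragment restricting script and frame origins to the inventory.
function report(deps) {
  const third = (t) => deps.filter((d) => d.tag === t && d.thirdParty);
  const origins = (t) => [...new Set(third(t).map((d) => d.origin))];
  return {
    thirdPartyCount: deps.filter((d) => d.thirdParty).length,
    unpinned: third("script").filter((d) => !d.sri).map((d) => d.src),
    csp: `script-src 'self' ${origins("script").join(" ")}; frame-src 'self' ${origins("iframe").join(" ")}`,
  };
}

console.log(JSON.stringify(report(inventory(SAMPLE_HTML)), null, 2));
```

Two caveats apply to what this audit can tell you. Subresource Integrity only works for scripts whose bytes never change, so a versioned library on a CDN can be pinned but a chatbot or analytics loader that the vendor updates continuously cannot. And a CSP allowlist permits an entire origin, so it does not help when the vendor's own server starts serving modified code from the allowed host. Both gaps are what the active monitoring discussed next is meant to close.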


Active Monitoring of Dynamic Assets

Dynamic assets like chatbots, analytics loaders and other interactive elements are hard to audit with a one-off review, because their code is fetched from the vendor at page load and can legitimately change at any time, differ between browsers and devices, or be served differently to a small subset of visitors. Static pinning with Subresource Integrity works only for scripts whose bytes never change, so for dynamic assets active monitoring is the practical control: record a baseline of each script, detect when its content changes, and re-analyse changed versions for new outbound hosts or new access to sensitive data. Tools and services like c/side provide this kind of monitoring for a website's client-side dependencies and help identify potential security threats.


Incident Response and Regulatory Reporting

In the event of a security breach or incident, companies need a robust incident response plan. DORA requires financial entities to classify ICT-related incidents and to report major ones to their competent authority in stages: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. For client-side incidents this means being able to say quickly which script changed, when it was added, what it did and which visitors were affected, so keep a dated record of every dependency added to the site and its state at that time. Companies should be prepared to investigate incidents thoroughly, report them to the relevant authorities, and communicate transparently with stakeholders.


Communicating Your Compliance Strategy to Investors

Investors are increasingly interested in a company's cybersecurity posture and compliance with regulations like DORA.  Effectively communicating your compliance strategy can build trust and demonstrate your commitment to security.  Using tools like Vanta, Drata, or Sprinto can help document and showcase your compliance efforts to investors.


People Also Ask Questions:

  • What are the key challenges in complying with DORA for website security?

    • One of the main challenges is the dynamic nature of websites and the constant evolution of third-party dependencies.  This requires ongoing monitoring and adaptation of security measures.

  • How can non-technical founders assess the security of third-party dependencies?

    • Non-technical founders can start by checking if the third-party tools are widely used and if the vendors have a strong security reputation and certifications.

  • What are the best practices for incident response in the context of DORA?

    • Key best practices include establishing clear incident reporting procedures, conducting thorough investigations, and communicating transparently with stakeholders.

  • How can companies leverage DORA compliance to build trust with customers?

    • Companies can showcase their DORA compliance efforts on their website and marketing materials, demonstrating their commitment to protecting user data and privacy.

  • What are the potential consequences of non-compliance with DORA?

    • Non-compliance can lead to financial penalties, reputational damage, and loss of customer trust.


Question: What is the key takeaway for website security under the DORA Act?

Answer: The DORA Act emphasizes the importance of actively monitoring and managing all third-party dependencies on your website, including dynamic assets like chatbots and analytics tools, to ensure operational resilience and protect user data.



Podcast Links:

The Video Podcast Will Go Live on Tuesday, February 25th, 2025

The video is available to our channel members up to 24 hours earlier.


Link to the YouTube Interview: DORA Act Compliance: Protect Your Website

The Audio Podcast

You can subscribe to our podcasts here. Find our podcast on your favorite podcasting app or platform. Here are some of the links to subscribe.


Our Guest

You can learn more about Simon and c/side here:



All rights reserved - Startuprad.io™






Automated Transcript


Narrator Dorsey Jackson [00:00:05]:

Welcome to startuprad.io, your podcast and YouTube blog covering the German startup scene with news, interviews, and live events.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:00:20]:

Hello, and welcome, everybody. This is Joe from startuprad.io, your startup podcast, YouTube blog, and Internet radio station from Germany, Austria and Switzerland. I'm bringing you the most important news and content from the region. This time, I do have somebody as an expert, Simon, here with me. Hey. How are you doing?


Simon Wijckmans | CEO and Founder | c/side [00:00:40]:

Hi.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:00:42]:

Simon here with me who will be talking about some aspects of DORA. DORA is important enough that we decided to have two episodes on it. But don't worry. We're not gonna pack them back to back, but we'll have two episodes here on different areas of the DORA regulation. Simon, before we get started, there is a little disclaimer. This is no legal advice. The content of this interview is provided for informational purposes only and does not constitute legal advice. Neither the interviewer nor the guest are licensed attorneys.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:01:18]:

The discussion is intended to offer you, our audience, a framework to think about some of the more technical aspects of the EU regulation called DORA, the Digital Operational Resilience Act. We strongly encourage you to consult with qualified legal and compliance professionals to assess your specific requirements and implementations of DORA as they pertain to your organizations. Relying solely on information provided in this discussion could result in noncompliance or other legal and regulatory risk. Always seek professional guidance tailored to your unique circumstances. Now that we have that out of the way, DORA is, at the time of recording, in force. But as we talked about before, the real enforcement, the real audit will only come next year, and people are really getting started on how to handle this, how to comply with the DORA Act. Can you tell us a little bit about you, a little bit about the DORA Act before we get into the subject where you are the subject matter expert?


Simon Wijckmans | CEO and Founder | c/side [00:02:26]:

Sure. Then first of all, thanks for having me. Yeah. So my background, I started my career at Microsoft at a young age. I was 16 at the time. Built my career, worked at Cloudflare for a while, became product manager there for more client side and data problems. As I grew, like, I was solution architect first. I was spending a lot of time with customers, and then I made it into my role, but more on the product side of things.


Simon Wijckmans | CEO and Founder | c/side [00:02:48]:

Then I worked at Vercel, built their security products for a while, and then a small database company, and came back to it. And so I recognized that as we spent a lot of money and time on protecting our infrastructure by buying firewalls to protect the perimeter around our most critical assets, protecting and detecting network flows within our own virtual networks, etcetera, and that we also monitor our open source dependencies through static registries like node package manager, we have totally forgotten about a very big part of the attack surface, and that's what's happening in the browser of the user when they visit your website. So I run a company called c/side. We do client side security. So basically making sure that whatever happens in the browser of the user as a result of your dependencies, your marketing tools, but also your own code, is safe and is not going to add to a major compliance risk or potential downtime or issues in the future.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:03:38]:

So I already see we will be talking about the browser here. Is that is that what we've been talking about?


Simon Wijckmans | CEO and Founder | c/side [00:03:47]:

Well, so I think that the scope for, like, why DORA is relevant in our field is more because DORA talks about third party services in a more broad concept, and it also talks about actively monitoring things. And so there's a lot of things happening currently in this space. PCI DSS is requiring to monitor client side dependencies. And you may be wondering why. Well, because there were so many incidents for the last ten years where credit card skimming originated from the browser. Right? So think of the British Airways attack in 2018, the polyfill attack last year. There's a lot of attacks that execute in a browser. And the PCI, so the Payment Card Industry Data Security Standard, the organization behind that, PCI SSC, has recognized that the majority of credit card skimming nowadays happens in the browser of a user. So when we talk about financial organizations and institutions being pushed to have a more standardized security process, the client side is really very actively in scope.


Simon Wijckmans | CEO and Founder | c/side [00:04:45]:

And even though the DORA act is very broad, it is still actively saying things like, like, actively monitoring, third party dependency management. Regardless of the attack surface, whether it's server side or client side, this is your, like, part of DORA. You need to monitor it. So that's the scope here. We are not a browser company. We don't, like, build a secure browser. We're not a Zscaler or an Island or anything like that. We sell to companies who need to protect their online asset, their website, and prevent it from performing attacks in browsers of users or things like crypto mining or credit card skimming or login credential theft or anything like that by any of the tools that they use.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:05:26]:

Why you're here today is because, of course, it applies to the usual banks, the usual insurance companies, but also the fintechs, all companies that are related to payment and so on and so forth. Therefore, I thought it was very interesting to have you here. And as you said, a lot of... I've been a consultant on capital markets for more than a decade, and a lot of the cybersecurity, all the efforts were around the core systems. Barely anybody talked about the website in terms of cybersecurity. Here is something I do believe, because, as you said, that's where most of the theft of private information actually takes place. And so I do believe it's an important piece here in the puzzle. As we said, we'll be a little bit more specific here. But my first question would be compliance readiness.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:06:29]:

What key steps do companies need to take to ensure compliance with DORA, particularly when monitoring dynamic assets like a chatbot, like a CAPTCHA system, to satisfy the authorities, the auditors, and also, of course, your investors? Because if you do have DORA trouble, your investors won't be happy.


Simon Wijckmans | CEO and Founder | c/side [00:06:53]:

Yep. Exactly. So, I mean, there's a lot of controls in DORA that overlap with other frameworks people should already be familiar with. So if you're ISO or SOC 2 or GDPR or PCI DSS compliant, you're gonna probably already have a really significant chunk of it fixed. Right? So that's a good thing. I really look at the DORA act as an umbrella act that is just, like, revisiting the things we should already be doing. We talk specifically about third party dependencies that are dynamic. Unfortunately, those have kind of faded into the background.


Simon Wijckmans | CEO and Founder | c/side [00:07:26]:

So a lot of these frameworks didn't call those out explicitly. And you can also tell that therefore the majority of security solutions out there that are targeting supply chain security, they don't actively monitor client side scripts. We, however, do. And we do it in a way that is difficult, but it's the only right way to do it because this is a unique problem. When you go to a website, you will get a response from a third party server that is outside of the control of that actual website. Intercom chatbot? Well, your browser is making a request to the Intercom server. Right? Well, god forbid, Intercom gets hacked. Right? But there are so many of these chatbot companies out there, some with more, like, senior security people than others, some with better protections than others. The result is that there could very easily be an attack that targets only a small subset of people and therefore flies below the radar and is very hard to detect.


Simon Wijckmans | CEO and Founder | c/side [00:08:18]:

So to put that into a real life example, what you could pull off with a third party JavaScript is an attack that targets 1% of users in France, and then after office hours only, and then the week after, move to 1% of visitors in North America, also after office hours, and then move to another area in the world and just fly below the radar. Because if a security analyst were to use a tool that does static analysis, that's not gonna catch that dynamicness. Right? And so the way that c/side does this, and that's fundamentally different from what we saw in the market, and that's also the reason why we started as a business, is we actually put ourselves in the middle. So instead of you actually talking directly to these third party services, we put ourselves in the middle and we offer you complete observability. So if somebody on an old Android phone goes to your website or somebody on a modern MacBook goes to the website and they get different versions of that script, which is often the case, we have all of that data. We analyze it through an LLM. We analyze it through an attributes engine that we built in-house.


Simon Wijckmans | CEO and Founder | c/side [00:09:16]:

So we look for outliers in the behavior and how it has changed. So if any of these scripts become malicious and things start behaving weirdly, exfiltrating sensitive information, trying to get access to things it shouldn't have, like session tokens, for instance, that type of behavior we would very quickly flag. And this is directly a thing when you talk about active monitoring of third party dependencies. Well, these third party scripts you add to a website are a third party dependency. Because they are dynamic, active monitoring is required. Connect the dots, and there you go. That is a DORA requirement. And this is already a requirement, I think, under many other frameworks, but sometimes not as explicitly put forward.


Simon Wijckmans | CEO and Founder | c/side [00:09:56]:

So, like, if you look at PCI DSS, it's an explicit requirement. But under HIPAA, you can also expect the clauses regarding third party security, to be in scope there. But yes.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:10:07]:

We've been already getting a little bit ahead of ourselves. I want to talk about monitoring of those, what you call, dynamic assets. The most advanced stuff I ever did was to write a little bit in. So please excuse me here. I'm not the technical guy, but this is also not the audience we're talking to here. How do you monitor all this external stuff that you have? For example, analytics, CAPTCHA, newsletter pop-up, chatbot, podcast player, radio player, something like this. How do you actively monitor those tools? And how should the nontechnical founders that are listening to us right now think about it in terms of cybersecurity? Because I find it fascinating what you do here because that's also something that has not popped up in all the discussions that I had around the topic. It was more like the usual cyberattacks, really big things.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:11:19]:

For example, university clinic here in Frankfurt was almost digitally shut down due to cyberattack. That that's the kind of stuff people are thinking about, not, for example, their website.


Simon Wijckmans | CEO and Founder | c/side [00:11:30]:

Yeah. I mean, the thing is we interact with most online things through a website. Even if we don't realize it, a lot of mobile apps are actually websites under the hood. Progressive web apps, PWAs is a technical term for that, or web views. It's essentially just a way for a developer to be able to build a thing in a language they're confident with. Right? To build a website, and it basically becomes a mobile app. Right? So more things have become browsers. We already interact with most things through what is basically a browser.


Simon Wijckmans | CEO and Founder | c/side [00:11:59]:

And at the same time, we have not protected the browser. So the way that it works, and this should be easy to do for people that are nontechnical even: if you can add that button or you can add that, like, podcast or that A/B testing thing or that chatbot to your website, it's exactly the same thing you would do to install our solution. So we've got a couple of ways you can onboard, but the easiest is you just add our script to the website as the first one to load, and you go through those other scripts you added, and you put proxy.cside.dev/ in front of them. That's it. And now it flows through us. So that code now comes through our systems. There's another way that you can onboard, and that's using basically a plug-in that you install, an NPM package.


Simon Wijckmans | CEO and Founder | c/side [00:12:41]:

It's basically just, to put it more technically, a CLI that would automatically rewrite these scripts for you. You don't have to do anything more than just installing a thing. That would be it. In our dashboard, you then see all of these scripts passing through us, but autonomously, we review those. So the biggest clue that there is something going wrong is when we notice these scripts change, and there's changes that are not consistent with the behavior we'd expect from that script. It is normal for scripts to change, and they are very dynamic. Right? So as I explained earlier, if you have an old Android device, you're probably gonna get a different version of a certain script than you will on a modern laptop. That dynamicness of a third party script is actually a big part of the feature, right, because it allows for those packages to be consistently working across very different environments, sometimes still even including Internet Explorer, right, which has been phased out for so many people, but it's still a very small percentage of the Internet.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:13:38]:

Sorry to interrupt you, but do people actually still use Netscape some?


Simon Wijckmans | CEO and Founder | c/side [00:13:42]:

Netscape, I have not come across in significant enough numbers. But, yeah, I mean, whatever device you currently have in front of you, unless you keep it in your house forever, will eventually end up somewhere being used by someone who's not as fortunate as us. So recycling of devices, especially in corporate environments, has an incredibly long lifeline. Old Compaq computers from twenty years ago are probably in use somewhere in the world. Right? Either they get recycled or they make it all the way to Kenya. Right? So the result is that old legacy things that we in the Western world can't even think about anymore, there's still a small percentage of the Internet that uses them. Of course, then the attack surface is different, right, but still very relevant to understand that backwards compatibility is something that with any modern web application is not something to neglect. And, actually, this is a completely different thing to point out here, but as I notice my grandparents aging, we also have to understand that users are also something that you shouldn't neglect backwards compatibility to.


Simon Wijckmans | CEO and Founder | c/side [00:14:43]:

That's not something DORA talks about at all, but as we all get older...


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:14:48]:

words are very technical way to say that.


Simon Wijckmans | CEO and Founder | c/side [00:14:51]:

Yeah. I mean, as we all get older, we have to also think about how older people are gonna understand this. And this is the thing, like, with these third party scripts. They are incredibly good at accessibility. They are incredibly good at backwards compatibility, and that is because of the dynamicness of them. But that's also where the problem lies. So, like, really the only way that you can do proper client side security is by having that stuff coming through you, by our system analyzing it 100% of the time. We, of course, hash it. Right? So if the script is the same as it was before, we will not do the very painful and heavy lifting of reanalyzing it.


Simon Wijckmans | CEO and Founder | c/side [00:15:24]:

If the hash is the same, we won't do it again. If the hash is different, though, that's where we reanalyze it in its entirety. And that then allows us to be quite confident in detections that we do. Of course, as every security solution out there, we're always looking for things we need to improve and detections that need to be added. But we have at least have all the data. We don't think any of our competitors have the amount of data that we have. And that's also partly to saying that the fact that we have a free tier. People can just sign up, use our products for free, and get a whole lot of visibility, and that would then help everybody and to be safer.


Simon Wijckmans | CEO and Founder | c/side [00:15:56]:

Right? Because a lot of these scripts, they can even act differently depending on the website they are on. So if there's an analytics script on a bank's website, where that same analytics script is also on the local baker's website, they can very easily make that script behave differently on a bank's website than on the local baker's website. This is actually a very relevant thing to call out still. Any website out there, however weird you may think it is, will probably have some type of analytics tooling on it, including hospital websites. And so Kaiser Permanente, a large American insurance company, last year leaked all of their customers' health care information, all 13,000,000 people's health care data, to a third party through their client side script. And this was an honest mistake. They added the TikTok script to their website thinking this was just TikTok's normal US script.


Simon Wijckmans | CEO and Founder | c/side [00:16:47]:

It turned out to be the Chinese version, so the data was being sent to China. That's obviously a big HIPAA no no, and that then caused a big trouble there. The problem is there's not enough governance around adding analytics tools to websites or these types of third party scripts. And that's what these frameworks are trying to enforce. And that's a good thing because it it's it basically protects the end user.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:17:08]:

Would you, again, for the nontechnical entrepreneur, help us to think a little bit, what steps an an entrepreneur should take, thinking about vendor risk, third party contracts, and really mapping the dependencies here.


Simon Wijckmans | CEO and Founder | c/side [00:17:28]:

Yes. So, honestly, as a nontechnical person, this is a very hard assessment to make because they will not tell you, whether the script is dynamic or not or whether there's other methods you can use yourself to install it that are safer. So fortunately, there's a lot of trust you need to have there. But I think as a nontechnical person, the best thing you can do is make sure that the tools you add to your website are being used by a significant portion of the Internet, and that those tools are built by companies with a staff that looks confident and have a good security team. There's a few ways you can go ahead and figure that out. So first of all, if these scripts are being used on all of websites, there's this platform called publicwww.com. I think it's .net or whatever. You can type in the script in there, and it will tell you how many websites also have that script.


Simon Wijckmans | CEO and Founder | c/side [00:18:17]:

If that script is on another hundred thousand websites, you're probably gonna be okay. Right? Because these companies, they have something to lose. Then if you have a look at the website of that script and you have a look at that tool and you see that they have a security center or a trust center, go have a look at their certifications, see what certifications they have. That probably will be a good indicator of them having good security compliance on their side. So then that particular vendor, you're probably okay adding to your website. However, the best thing you can do, and this is just because you don't know what those people then trust. Right? There's third party dependencies on their side. One script calls another script calls another script.


Simon Wijckmans | CEO and Founder | c/side [00:18:52]:

Honestly, the best thing you can do, and I hate to sound like a marketing guy, but it's true. Use our free tier because like there's no other way to get the visibility because it's happening outside of your field of vision in a browser of your visitor, and that visitor can get a different thing than you get on your side. So there really is only that that's the real reason why I wanted to build this thing. I didn't find any other way to do it.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:19:12]:

I'm thinking now about mapping those dependencies in terms of one connection as a leg. How many of those connections, how many degrees, how many of those legs have you found or do you usually find? How many dependency, codependency, and so on and so forth do you usually see there?


Simon Wijckmans | CEO and Founder | c/side [00:19:33]:

It really depends. So, if you have, for instance, let's say you're, and this is a bit outside of the scope of DORA. Right? But actually, we can make this about DORA. Let's say you're an insurance broker and you have a, an iframe on your web page to book an appointment. And that tool that you added, that iframe or I don't know, it could be a widget. Right? Does third party fetches to other things? Could very easily end up with a long list. And so we saw this, with, for instance, a little hotel booking widget that people add to their hotel's website. So that when you're a hotel owner, you add this thing and they can book it through that.


Simon Wijckmans | CEO and Founder | c/side [00:20:08]:

Well, that thing was calling, like, 50 other dependencies. Right? So it was calling jQuery through a CDN, this thing through a CDN, that thing through a CDN, calling third party assets here, there, and everywhere, adding analytics to it, even adding AB testing to that widget, because of course they're also looking to improve their products. And then those AB testing things, they called up other stuff. It can become a very significant tree. So I've seen personally, like, more than 50 of these dependencies on some scripts. Many of them are nice to themselves and only have, like, one JavaScript file and no sub dependencies. It really could be anything. Right? And the problem is you will only really know when you start analyzing these things yourself, either manually or using a tool like us.


Simon Wijckmans | CEO and Founder | c/side [00:20:51]:

And even when you're using a tool like us, you will see that it will largely differ, especially with AB testing. If they then fetch a version and that version has more things to it, then it's gonna be different across different browsers. There's a lot of noise here. So it's it's very hard. I can't just say, normally, it's 40. It's like, that's not how it works. It it could be very like, it could be a very broad spectrum.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:21:13]:

I see. We will be back with you guys shortly after the break for our sponsor. Okay. Welcome back. I have Simon here still with me talking about the more technical aspects of it, especially in the browser, your company's client-facing side that falls under the DORA Act. When I was thinking about this, what is the average number of third party dependencies you usually see? Because when you've been talking about a booking, a little booking app, a chatbot, a player, and I think I have at least 20 of them on my website, and I don't even want to think about mapping them out.


Simon Wijckmans | CEO and Founder | c/side [00:22:11]:

Yeah. So, I mean, the average I have seen from the websites that we crawl and that we have as our customer base is 53. You will find varying numbers about this, but it's very common for a commercial business with all types of pages and projects, etcetera, on their website to have a very broad scope of these. Right? So you've got the analytics tools and a chatbot for support and the distinct for legal and that pixel for further engineering and AB distinct for that. And the marketing team has a podcast widget and all that stuff. Right? Before you know it, you've got 53. And I think that that number will not really go down because, it's funny when people tell me, oh, aren't third party scripts on the way out? Well, no. Because there will always be a reason for client side dynamicness, and that will never be replaced by just an NPM package because they're still gonna fetch it in the browser anyway.


Simon Wijckmans | CEO and Founder | c/side [00:23:01]:

And that's another thing. If you install a dependency through something like node package manager, which, you know, if you're an engineer, you definitely know. But as a nontechnical person, it's just a marketplace of open source stuff you can add to a website, and now all of a sudden you have access to this big library of cool stuff. Well, those can do client side fetches. That's not really solving anything because the client side fetch is still there. In fact, actually, the thing that I find interesting about this attack vector is that even people that are nontechnical that are putting their faith in tools like WordPress, etcetera, well, we see a significant amount of client side attacks coming through WordPress, especially through old themes. So, those old dashboard themes that people use to build a pretty website. Yeah.


Simon Wijckmans | CEO and Founder | c/side [00:23:48]:

If those people don't maintain those and some bad actor manages to get a hold of them, they will add malicious JavaScript to them. Before you know it, you've got an attack happening that way. Just, like, early in January, we spotted 5,000 websites were impacted through that. That's, of course, a significant amount of websites. But for WordPress, well, there's many millions of WordPress websites. But still, 5,000 websites is quite Mhmm.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:24:11]:

You could do a lot of very, very dumb stuff with all the data you get there. We've been talking about incidents here and there, talking about incident management and reporting here. How should they design the incident response process to address the issues that are stemming from the browser-based user interactions and ensure that they are doing DORA-compliant reporting here?


Simon Wijckmans | CEO and Founder | c/side [00:24:43]:

Yeah. So my advice is, regarding any type of client-side dependency that you add, to keep track of when you added it and what state it was in at the time. Right? And then it also makes it easier to understand, okay, at that date, we added that script, and then we saw a jump in sub-dependencies that were also added to the website as a result of that script. It makes it easier to trace back if there's an incident. The unfortunate thing about client-side security is if we see an attack at scale on a whole bunch of websites, it's sometimes not clear to us where it originated from because, I mean, the client-side code made it into the code, and that's usually through some server-side action originally. So it could be that a bad actor worked their way into your website through a backdoor somewhere. But that could be anywhere. It could be an open source thing that you use.


Simon Wijckmans | CEO and Founder | c/side [00:25:32]:

It could be that your credentials as an admin were stolen, that they got into your GitHub or whatever. It could be anything. They could have hijacked an S3 bucket of another dependency that you added. It's very hard to trace back. So my advice is when there is a client-side script on your website that you do not recognize, unfortunately, if you're not using a tool like ours that actively, like, monitors it, it's probably not a bad idea to be very quick in removing a whole bunch of dependencies. It's a bit like when your breaker, your fuse in your house, like, the main one turns off, and you then have to go figure out on which circuit in your house there is a problem. You turn all of them off, and then you turn them back on one by one by one by one and see when the problem comes back. That's an unfortunate truth about client-side security as well because you don't really know where it's coming from.


Simon Wijckmans | CEO and Founder | c/side [00:26:21]:

You're probably gonna have to do a big cleanup, and that could be anything from starting over again to turning it off and turning it on one by one by one and then getting rid of it. It actually gets worse with people using third-party marketing firms. We have seen this a lot where people add a Google Tag Manager script to their website to then give to their marketing people. And then those marketing people add a bunch of scripts. And then a year later, you switch to another marketing company, and those scripts are still on your website. And you don't have control over the Google Tag Manager. So the only thing you can do is remove the entire Google Tag Manager and then see what breaks and then add those back one by one. That's a very sad thing that happens a lot.


Simon Wijckmans | CEO and Founder | c/side [00:27:00]:

Right? Those types of things are, unfortunately, part of the incident response. You have to sometimes just go all the way back to then add it one by one.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:27:07]:

Could you also, when we're already talking about incident response here, talk about the regulatory reporting? Because in the event of a breach or issue involving the dynamic assets we talked about here, what timers and protocols should you be following to meet DORA?


Simon Wijckmans | CEO and Founder | c/side [00:27:26]:

Yeah. That's the part of the reporting there I found very vague. Right? Because they have all types of requirements regarding reporting and different things. Look. My perspective on any type of reporting here is act on the side of caution. As soon as you've noticed there's some type of incident, put out a public note, send out an email to every customer. Tell them, hey. We're investigating an issue regarding a client-side script on our website or something like that.


Simon Wijckmans | CEO and Founder | c/side [00:27:49]:

Right? You'll be back with more information in the next twenty-four hours, forty-eight hours, whatever. You do your thing. You do your research. You explain what happened, and you just err on the side of caution by being incredibly transparent about it. I worked at Cloudflare. Cloudflare was great at that. If there was any type of downtime incident, which luckily during my time there, there weren't major security incidents, but a downtime incident, it's better to be very open about everything and put out your learnings and what you're gonna fix in the future. That's just a good thing because as those blog posts exist, the shame also goes away and people can actually become more comfortable in improving their systems over time and being open about it.


Simon Wijckmans | CEO and Founder | c/side [00:28:25]:

Unfortunately, that's not how most companies do things. And then, of course, these rules come into play to try and push people to work that way, but they probably will not either anyway. But, yeah, I think the reporting side of things, especially when I read the DORA Act, I found it a little bit all over the place, and a very broad umbrella. And especially with a client-side security incident, the investigation time frame of it can be very long because it doesn't, it could be that that script just doesn't do the thing anymore that it did during the attack time. Mhmm. So it's very difficult to investigate.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:28:58]:

I see. You're talking about confidence, transparency here. My last question is how can entrepreneurs effectively communicate their DORA compliance strategy? Particularly, when you talk about dynamic asset third-party dependencies, to build trust with either their existing or new investors? Because I do believe if you're going through a large funding round, at one point, there'll be legal compliance, and they'll also take a look into DORA.


Simon Wijckmans | CEO and Founder | c/side [00:29:31]:

Yeah. So my experience with these things is that you should not be trying to do these things manually. We personally use Vanta. There are solutions like Vanta or Drata or Sprinto, etcetera, that allow you to document your controls and the frameworks that you apply those to, and then how you provide evidence for those. And then there's trust pages specifically for them. It's better to have those things documented and, like, cleanly put out there so that if you ever have to report on those, because either a specific customer asks for it or because you need to do it for an investor round or because of an insurance quotation or anything like that, it's just there. You shouldn't be treating this as a one-off.


Simon Wijckmans | CEO and Founder | c/side [00:30:11]:

The old-fashioned method of using a spreadsheet probably works. I don't like it, and I'll tell you why. Even if the spreadsheet is collaborative, your customers are gonna look at you weirdly if you provide them with an ugly, manually maintained spreadsheet. People have gotten quite used to going to trust.thecompany.com. Right? And then just seeing all of the security reports there. It's a cleaner way to do it. Yeah. And then one of the things that I think is interesting for people to realize, and especially as a product person, this is really what the entire career is about.


Simon Wijckmans | CEO and Founder | c/side [00:30:45]:

You have to understand that there's different personas you talk to. When you talk to a security engineer or security analyst or a CISO, they're probably gonna go to trust.yourcompany.com. Right? They will also notice that there's a security web page on your website. Right? That web page is more to talk about your generalistic view, your nontechnical, nonspecific security compliance strategy. That's also a good thing to have. And so, there's even in SOC 2, I think, I'm not sure if it's a requirement or a best practice, but having a page like that is very helpful just so that multiple people, with some that are more comfortable or less comfortable with technology, have the ability to go there.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:31:24]:

That was a really good interview. Thank you very much. Actually, we scheduled our interview to be just shy of thirty minutes to attach you to another interview, and now you've logged in for more than thirty minutes. Great. Thank you very much. We'll link everything down here in the show notes: the YouTube talk that you did at Slush, your LinkedIn profile, your website where there's also a free tier, and, of course, the Vanta link.


Simon Wijckmans | CEO and Founder | c/side [00:31:53]:

Thank you very much for having me.


Jörn "Joe" Menninger | CEO and Founder Startuprad.io [00:31:55]:

My pleasure. Have a good day. Bye bye.


Narrator Dorsey Jackson [00:32:02]:

That's all, folks. Find more news, streams, events, and interviews at www.startuprad.io. Remember, sharing is caring.
