Monitoring Third-Party Services: A Critical Step for Online Retailers

Monitoring Third-Party Services
Ido Meshulam
  • Ido Meshulam
  • February 6, 2020

Over the last decade, the digital marketplace has rocked the foundations of traditional retail. As technological advancements have propelled us into an era in which virtually every product is only a click of a button away, it’s no surprise that online shopping has taken the commerce world by storm. According to a November 2019 report by the U.S. Department of Commerce, eCommerce’s share of total retail sales has nearly tripled in the last decade – skyrocketing from just above 4% in Q1 of 2010 to over 11% of all U.S. retail sales in Q3 of 2019.

In this new reality, eCommerce sites have become the face of many companies, turning into a major source of revenue while taking on a role once filled by the traditional shopping mall. As this trend intensifies, the need for a better competitive edge for online retailers grows as well. Today, once-slow-moving companies are finding out that they have to quickly adapt in order to keep up with consumers’ constantly rising expectations of fast, smooth, and exciting customer experiences.

Rather than trying to meet these expectations on their own, retailers are increasingly opting to embed services provided by third-party vendors into their websites. Driven by this trend, new analytics, payment, advertising, personalization, and social networking services are sprouting up by the masses. And as the data continues to pile up, online retailers are facing new challenges – increasing the demand for third-party data management, A/B testing, and data security solutions.

How dramatically are these trends changing the world of eCommerce web development? Based on our large-scale data analysis, we at Namogoo estimate that 53% of the code on eCommerce sites belongs to embedded services! And in light of the rapid growth in the use of third-party services that we have seen in recent years, this figure is expected to continue rising.

A brave new world?

Despite the great promise these new third-party technologies present for retailers’ growth, they also undermine these companies’ ability to control what happens on their websites – a situation that is growing riskier over time. As third-party services are integrated into a given retailer’s eCommerce site, it becomes more difficult for that company’s technical team both to monitor the effects these services have on site performance and to protect customers’ privacy.

Additionally, many third-party services themselves rely on embedded services – making eCommerce websites dependent on fourth-party services. In such cases, it is common for a third-party service to pass information from an eCommerce website’s customers on to a fourth-party vendor – often without the knowledge or consent of the owner of the eCommerce website.

These third- and fourth-party services are able to change their behavior at any moment – letting them update code versions, add functionality, and collect more data. These changes could wreak havoc on an eCommerce site, potentially causing personal data leakages, severely slowing down the site, hurting performance, or crashing the site altogether. And when such issues do arise, trying to identify their cause presents a major headache for developers, since the problematic code was not even written by the technical teams trying to resolve them. As more services are tested and deployed on these sites, this challenge could easily become every developer’s nightmare.

It is clear that the potential for chaos is only going to grow in the foreseeable future, and better solutions are required to properly track and monitor the changes in third- and fourth-party services’ code.

Our data-driven approach to making sense of the chaos

In order to detect version updates in JavaScript files, we at Namogoo first developed a tool that receives the URL of a JavaScript asset and extracts features via textual analysis of its code, such as the number of functions or variables and their types. Data was also collected from the HTTP request itself, such as the response header, and the code was executed on a Selenium environment to collect runtime errors.

Following this tool’s development, we began testing a daily sample of two million scripts collected during hundreds of millions of web sessions tracked by Namogoo over the course of five months. These data points were stored in our databases and scanned for changes indicating potential version updates.

Analyzing these services’ behavior has quickly provided valuable insights about the ways they change over time. Knowing how and when these services change can allow companies to correlate issues that arise on their sites to version updates made at the same time by their service providers. This helps technical teams to pinpoint the exact source of a given problem and solve it before it can cause major damage. With the huge number of purchases on these sites and the sheer amount of web traffic, even shaving a few minutes off the time taken to resolve an issue can save eCommerce companies thousands of dollars in revenue that would otherwise be lost.

In addition, when studying how third- and fourth-party services change over time, we quickly learned that many services behave similarly and deploy version updates at regular intervals. Using this information to find irregularities in service updates can prove invaluable, even if these changes are not accompanied by any known problem on eCommerce sites. Unusual updates in behavior or timing could indicate a potential contract violation, such as the addition of a feature without the retailer’s agreement or the deployment of a version update during a sensitive time such as a holiday period “code freeze.”

This data-driven approach could even identify a malicious attack on an eCommerce site conducted by hacking into one of its service providers – an attack that could have grave financial and legal ramifications if not quickly detected.

Breakdown of JavaScript updates made to an online payment service by day and hour (UTC)

Their code, your responsibility

Many digital service providers have become an integral part of the eCommerce ecosystem – and in today’s competitive market, online retailers simply can’t do without them. However, there is no reason for these companies to relinquish their control over their own sites, just as they wouldn’t leave the keys to their offices or stores unprotected.

That’s why eCommerce companies are gaining awareness of the need to better understand and monitor the third- and fourth-party services running on their sites.

Perhaps most importantly, this imperative continues to become more urgent, as the risks presented by third- and fourth-party services increase. That’s not just because more embedded services are being introduced into retailers’ systems, but also because the combination of cybersecurity threats and increasingly strict consumer privacy laws is expanding the legal and financial dangers of lax online security.

Do your website’s embedded third- and fourth-party services put your company at risk? To see how Namogoo’s Customer Privacy Protection solution lets you keep tabs on those services, request a demo today.