Tag Management System: the Agile Way to Add Vulnerabilities on your Website
Track 3
4 Feb 2022 4:00 PM - 4:30 PM
Tag managers (such as Google Tag Manager, Adobe Launch...) are scripts which let non-developers easily add and remove (in one word, manage) third-party scripts. Marketing people often require them in order to promptly experiment with analytics scripts, without bothering the development team for their inclusion on the website.
More than 40% of websites use Google Tag Manager[^1], which is used to fire on average 12 scripts[^2] per website. Unfortunately, those scripts are often added ad hoc, outside of the regular development life-cycle and CI/CD pipeline.
Here lies the problem for security professionals: those scripts and their usage often don't go through the imposed security processes; they bypass code review and tests.
As an ex-web marketing professional, I will explain how those tag manager scripts are used, what kind of scripts are deployed through them and the pipeline used by marketers to deploy them to the end-user facing website.
As a current web application security developer, I will explain how security professionals can work with the marketing team to ensure the scripts used are not compromising the website integrity, nor the user's security, without hindering the marketing team's productivity.
Alexandre Mercier
Ex-web marketer turned security engineer and privacy advocate
@cyberflamingo
https://www.cyberflamingo.net/
Alexandre Mercier was born and raised in Lorraine, France.
After graduating from Lorraine University with a major in Communication, he joined a Japanese IT venture to set up its marketing department. After gaining interest in the cyber-security world, he joined UBsecure, Inc. as a security engineer. As an engineer, he likes to think about ways to update, automate and make the development environment more efficient.
Outside work, he likes collecting Kokeshi (Japanese wooden dolls).