Is gstatic.com safe to whitelist on a secure network?
We're installing a new app on a secure network. The vendor has requested we allow access to gstatic.com. That seems overly broad to me and unsafe. Thoughts?
Depends on how secure your seecure network is, but generally speaking I wouldn't allow it. As you said, it's way to broad and gives away control of what is loading and what comes on your network.
According to ChatGPT, this is what GStatic is:
Gstatic.com is a domain owned by Google that serves as a content delivery service that caches all unchanging files in a server near the user to reduce load times. It is used to load content from Google's Content Delivery Network (CDN) and store static data like JS libraries, stylesheets, and images. Gstatic.com also verifies connectivity to the internet for Chrome browser and Android devices. Google hosts its static content on a specific server called Gstatic to reduce bandwidth usage and deliver the content faster. Gstatic.com also allows users to embed Google Maps images on their web pages without requiring JavaScript. Gstatic.com is not a virus, but security software may display pop-ups about it.
Is ChatGPT the new LMGTFY?
It comes down to the risk appetite of the business. You mention a "secure" network, but you already have internet access. So, it seems that some access to resources on the internet is already an accepted risk. Beyond the possibility that a random attacker might leverage the gstatic CDN to attack your network, do you have any other specific threats which make you hesitant to whitelist it? Are those threats large enough that the business would consider them to great a risk to that network? Do you have other mitigating controls in place? Would something like traffic inspection or endpoint protection be a sufficient mitigating control? Can the systems with the offending app be firewalled off from the rest of the network? Could the specific assets needed by cached internally and requests for gstatic redirected? What other compensating controls can be put in place to mitigate the risk?
All that said, have you brought the issued to your management and gotten their input on the risk? In the end, it's a business decision and should be decided on by the business leaders. If they want to take the risk of allowing that network to access gstatic, that's on them.
It depends entirely on your own risk analysis. We can't make this decision for you without knowing the details (and if you want to give details, let me know where I should submit the consulting invoice).
Based on this quick article, https://softwarekeep.com/help-center/what-is-gstatic-com#:~:text=Gstatic%20is%20a%20special%20website,%2C%20pictures%2C%20and%20style%20sheets. It feels like just allowing all of gstatic is a bit of a security nightmare. I'd push back and have them identify the parts of gstatic they actually need for their website to work and allow those.
Alternatively, if this application needs a cdn but is only intended for local hosting in the secure network, perhaps a locally hosted cdn could be a good idea.
Without knowing the security in place it's hard to do much beyond give general maybe this or that.