Modern web architecture delivers a rich user experience. But it’s also a perfect infrastructure for supply chain attacks. Aanand Krishnan, Founder and CEO, Tala Security, tells us why it matters and what you can do about it.
Today’s websites are essentially an assembly of web-enabled assets from many vendors: a massive global supply chain that few organisations think of as such. That makes the client side a data security and privacy problem with explosive potential. Why?
A significant portion of the sensitive customer data collected by enterprises is entered by the customer themselves, via a web browser. Think credit card details, social security numbers, address, ID, log-ins etc. Most enterprises are doing a fine job of securing that information after the customer has entered it. But what about what’s happening while they’re entering it?
What you don’t know can hurt you
Many website owners seem unaware that the third-party JavaScript integrations powering their rich web experience are simultaneously exposing them to data theft and cyberattack. Whether it’s chatbots, marketing analytics or messaging, 58% of the content rendered in customers’ browsers is delivered by third-party JavaScript integrations, a website supply chain that, in 98% of websites, operates outside the owner’s span of control, according to Tala Security’s Global Data at Risk: 2020 State of the Web Report.
What happens when these integrations share sensitive information with third, fourth, fifth-and-beyond parties outside your organization’s control? Even trusted, allowlisted domains like Google Analytics can be leveraged to exfiltrate data: a policy that permits requests to the analytics host cannot tell your analytics property from an attacker’s, so injected code can ship captured form data to an account the attacker owns on the same domain.
And that’s before we even think about client-side attacks such as Magecart-style credit card skimming and cross-site scripting (XSS): these attacks happen as your customer is entering their sensitive details. What makes them so effective is that they can go undetected for months or even years. Everything happens in the browser (the ‘client-side’), nothing impedes the transaction in any way, so the customer carries on, the retailer receives its payment and no one spots anything. Until they do.
The average website integrates almost 40 third-party JavaScript resources, enabling a supply chain that has the potential to become a perfect storm for enterprise data security and privacy.
When it comes to online transactions, trust is everything
- 62% of consumers aren’t confident their personal data is secure with retailers
- 52% of customers who experienced fraud on their card said it left them with a negative perception of the retailer, even when it wasn’t the retailer’s fault
The challenge for all businesses embracing Digital Transformation is that the trust ecosystem inevitably involves third parties: the products and services behind the chatbots, analytics tools and marketing services. Breaches originating from a third party – such as the website supply chain – cost companies significantly more on average, emphasizing the need for enterprises to closely vet the security of companies they do business with, align security standards and actively monitor third-party access. The complexity of this ecosystem is growing all the time:
- 63% of JavaScript code executed in the browser is written and/or managed by third parties.
- Forms, found on 92% of all websites, expose data to an average of 17 domains.
What can you do about it?
The vulnerabilities might be on your website, but the point of execution for all these attacks is in your customer’s web browser. And that’s where you need to go to secure them. The good news is that the people who built the modern web (browser vendors, large operators such as Google and PayPal, and the W3C) recognised these weaknesses early and designed security standards and controls to protect against them. They built these same controls into the browser (i.e. they’re ‘browser native’) and into web application frameworks.
These standards include Content Security Policy (CSP), Subresource Integrity (SRI), Referrer Policy, Feature Policy (since renamed Permissions Policy), Trusted Types and HTTP Strict Transport Security (HSTS). Each covers a different gap: CSP restricts where scripts may load from and where data may be sent, SRI pins a third-party script to the exact bytes you reviewed, Trusted Types stops injected strings from reaching DOM sinks, and HSTS and Referrer Policy keep the transport and outbound referrers under control. Together, they provide a comprehensive, defense-in-depth web security strategy, and businesses that deploy them will be using the same browser-native protections as web giants like Google.
To really make it count, enterprises should adopt the following best practices:
- Implement controls in multiple layers. No single header stops every attack: a script that slips past the CSP allowlist should still be rejected by SRI, and an injected string should still be stopped by Trusted Types.
- Adopt an active protection methodology built on the W3C and HTML5 standards-based controls above; together they give website operators defense in depth against third-party JavaScript exposure. The logical first step along this path is to deploy Content Security Policy (CSP), initially in report-only mode so that violations from legitimate integrations are observed and fixed before the policy is enforced.
- Prioritize building security into the coding pipeline. ‘Secure by Design’ is a much more efficient path than retrofitting controls onto a complex web estate that may include thousands of pages and multiple domains.
- Standards can be complex to deploy and maintain by hand, so explore automation for generating policies, hashing third-party resources and monitoring violation reports.
Third-party tools have transformed your online presence – but if you don’t secure them, it will all be for nothing. It’s time to recognize the threat posed by the website supply chain before it’s too late.