Modern web architecture delivers a rich user experience. But it’s also a perfect infrastructure for supply chain attacks. Aanand Krishnan, Founder and CEO, Tala Security, tells us why it matters and what you can do about it.
Today’s websites are essentially a conglomeration of web-enabled assets, a massive global supply chain that nobody really thinks about as such. And that’s a Big Data security and privacy problem with explosive potential. Why?
A significant portion of the sensitive customer data collected by enterprises is entered by the customer themselves, via a web browser. Think credit card details, social security numbers, addresses, ID numbers, logins, etc. Most enterprises are doing a fine job of securing that information after the customer has entered it. But what about what’s happening while they’re entering it?
What you don’t know can hurt you
What happens when the third-party integrations running on your pages share sensitive information with third, fourth, fifth-and-beyond parties outside your organization’s control? Even trusted, whitelisted domains like Google Analytics can be leveraged to exfiltrate data.
And that’s before we even think about cyberattacks like Magecart, credit card skimming, cross-site scripting (XSS): these attacks happen as your customer is entering their sensitive details. What makes them so effective is that they can go undetected for months or even years. Everything happens in the browser (the ‘client-side’), nothing impedes the transaction in any way, so the customer carries on, the retailer receives its payment and no one spots anything. Until they do.
When it comes to online transactions, trust is everything
- 62% of consumers aren’t confident their personal data is secure with retailers
- 52% of customers who experienced fraud on their card said it left them with a negative perception of the retailer, even when it wasn’t the retailer’s fault
The challenge for all businesses embracing Digital Transformation is that the trust ecosystem inevitably involves third parties: the products and services behind the chatbots, analytics tools and marketing services. Breaches originating from a third party – such as the website supply chain – cost companies significantly more on average, emphasizing the need for enterprises to closely vet the security of companies they do business with, align security standards and actively monitor third-party access. The complexity of this ecosystem is growing all the time:
- Forms, found on 92% of all websites, expose data to an average of 17 domains.
What can you do about it?
The vulnerabilities might be on your website, but the point of execution for all these attacks is in your customer’s web browser. And that’s where you need to go to secure them. The good news is that the same experts who built the modern web – Google, PayPal, W3C – saw these security flaws long before anyone else did and designed security standards and controls to protect against them. They built these same controls into the browser (i.e. they’re ‘browser native’) and into web application frameworks.
These standards include CSP, SRI, Referrer Policy, Feature Policy, Trusted Types and HSTS. Together, they provide a comprehensive, defense-in-depth web security strategy. Businesses that deploy these controls will be using the same level of security to protect the client-side as web giants like Google.
To really make it count, enterprises should adopt the following best practices:
- Controls should be implemented in multiple layers.
- Prioritize building security into the coding pipeline. Ensuring ‘Secure by Design’ is a much more efficient path than trying to retrofit security onto a complex web infrastructure that may include thousands of pages and multiple domains.
- Standards can be complex. Explore automation.
Third-party tools have transformed your online presence – but if you don’t secure them, it will all be for nothing. It’s time to recognize the threat posed by the website supply chain before it’s too late.