Tala Security, the provider of security solutions protecting enterprise websites and web applications against advanced client-side attacks like Magecart, today announced the Tala 2019 State of the Web Report. The report, which tested U.S. websites within the Alexa 1000 ranking, educates enterprises about the critical and under-recognized security threats related to their web assets and the third party vendors that support them.
In August, the PCI Security Standards Council (PCI SSC) and the Retail and Hospitality ISAC issued a joint bulletin to address the growing threat of online skimming to payment security. The vulnerabilities specifically leveraged to launch these accelerating attacks are the main focus of this data analysis. Raising awareness of the critical website security flaws identified in the report are its main goal. “These attack techniques are of increasing significance to the retail and hospitality industry…It is important that businesses grow in their awareness of the nature of these attacks and of the security controls necessary to detect and defeat them,” stated Carlos Kizzee, Vice President, Intelligence, Retail and Hospitality ISAC. “We must endeavor to ensure that focused attention, commitment and peer collaboration in e-commerce cybersecurity efforts within the retail and hospitality industry outpaces the growth and evolution of threats such as these.”
Key findings from the Tala 2019 State of the Web Report highlight that the majority of global brands fail to deploy adequate security to guard against client-side attacks, including:
- 98 percent of websites use forms to collect PII and financial data from the user. This form data is defined by the website owner’s code architecture to be purposefully sent to an average of 1.6 domains. However, in reality, due to the reliance on third-party integrations, form data is exposed to an average of 15.7 third-party domains. In other words, user form data is exposed to an order of magnitude more domains than intended by the website owner.
- 94 percent of website operators that deploy CSP have implemented a set of policies that are not capable of guarding against client-side attacks. CSP and other standards-based security implementations exist but deploying these at scale requires substantial administration and has been proven challenging.
“The number one enemy of enterprise website security is lack of awareness about what’s ‘under the hood’ from an integration and architecture standpoint. This is basically a website’s ‘supply chain’,” said Aanand Krishnan, Founder & CEO of Tala Security. “The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services that have not been properly vetted. While Magecart is the most well-known, there are many other attacks that leverage client-side vulnerability. It’s imperative that organizations keep security top-of-mind and expand their perspective on what has become a pervasive attack vector – the organization’s website.”
For each of the Alexa 1000 websites, Tala used its analysis engine, which evaluates 50 unique indicators of a web page’s architecture and integrations to document code, content and data change on the website. The findings represented in the Tala 2019 State of the Web Report are the result of aggregate study of the Alexa 1000 to define statistically relevant insights that indicate mass vulnerability to client-side website attacks such as cross-site scripting (XSS), Magecart, user data leakage, content integrity attacks, ad injections and session redirects. These vulnerabilities are capable of significantly impacting the secure operation of nearly every website included in the study.
Download the Tala 2019 State of the Web Report here: https://go.talasecurity.io/state-of-the-web-report-2019
About Tala Security
Tala Security protects modern websites and web applications from critical and growing threats, such as cross-site scripting (XSS), Magecart, website supply-chain attacks, clickjacking and others. Tala defends against such attacks by automating the deployment and dynamic adjustment of browser-native, standards-based security controls such as Content Security Policy (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS) and other web security standards. The activation of browser-native security controls provides comprehensive security without requiring any changes to the application code and with almost no impact to website performance. Tala’s product is powered by an AI-assisted analytics engine that evaluates over 50 unique indicators of a web page’s behavior. The analytics engine provides comprehensive risk analysis and enables Tala to automate the generation, implementation and updating of browser-native security policies. Tala’s product also provides customers with alert analytics and incident management. Tala serves large website operators in verticals such as financial services, online retail, payment processing, hi-tech, fintech and education. Learn more at http://www.talasecurity.io