Report Surfaces Web Insecurities

A report published by Tala Security, a provider of tools for securing browser sessions, suggests an increased level of integration between web services has resulted in applications that are significantly less secure than most IT organizations appreciate.

Based on an analysis of the 100 websites identified by Alexa Internet, a web traffic analysis subsidiary of Amazon, the report finds the average website includes content from 32 third-party JavaScript vendors. In fact, 58% of the content that displays on browsers is delivered by third-party JavaScript code, most of which is surfaced without IT teams being able to apply any cybersecurity controls.

The Tala Security report finds only 30% of the websites analyzed had implemented security policies, with only 1.1% of websites being found to have effective security in place.

The report also finds 92% of websites expose data to an average of 17 domains, including credit card transactions and personally identifiable information (PII) such as credentials. The analysis indicates this data is exposed to nearly 10 times more downstream domains than the website owner intended.

A total of 97% of websites are using JavaScript functions that have already been shown to serve as injection points for cross-site scripting, a technique widely employed by cybercriminals to compromise web applications, the report also finds.

Tala Security CEO Aanand Krishnan said the report makes it apparent that despite increased awareness of cybersecurity, many organizations continue to be victimized by attacks that successfully harvest credit card data.

In fact, because of all the JavaScript integrations required, the greater the number of applications that are deployed, the more pressing the problem becomes. Most IT organizations have no way of knowing whether any service they are tapping into is secure because they lack visibility into the overall software supply chain, noted Krishnan.

Given the current increased dependency on digital business processes in the wake of the COVID-19 pandemic, it’s not feasible for IT organizations to roll back applications. However, there is a clear need to ensure the security controls that are made available in most modern browsers are enforced, said Krishnan.
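The browser-side controls Krishnan refers to are the ones a site owner can enforce against third-party JavaScript without waiting on each vendor: a Content-Security-Policy header that restricts where scripts may load from and forbids inline code, and Subresource Integrity (SRI) attributes that pin each external script to a known hash. The following audit script is an added example, not code from the article or from Tala Security; the origin `shop.example`, the sample page markup and the two policy strings are constructed for illustration. It parses a page's `<script>` tags, flags third-party scripts that lack SRI (or carry SRI without the `crossorigin` attribute the browser needs to verify it), and grades a CSP's `script-src` for the weaknesses that make it ineffective in practice.

```python
"""Audit a page's third-party scripts and its CSP for the controls modern browsers enforce.

Added example with constructed input; not part of the report or the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a hypothetical first-party origin and a checkout page that
# mixes first-party code, a pinned CDN library, an unpinned tag-manager script
# and an inline configuration block.
SITE_ORIGIN = "https://shop.example"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-CONSTRUCTEDHASH" crossorigin="anonymous"></script>
<script src="https://tags.example.org/pixel.js"></script>
<script>window.cfg = {};</script>
</head><body></body></html>"""

# Constructed policies: one that looks like a policy but enforces little, and a hardened one.
WEAK_CSP = "default-src 'self'; script-src 'self' https://cdn.example.net 'unsafe-inline' *"
HARDENED_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.net 'nonce-CONSTRUCTED'; "
                "object-src 'none'; report-uri /csp-report")


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, site_origin):
    """Return (finding, src) pairs for scripts the browser cannot hold to a known hash."""
    first_party_host = urlparse(site_origin).netloc
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            # Inline code: only a nonce- or hash-based CSP can constrain it.
            findings.append(("inline-script", None))
            continue
        host = urlparse(src).netloc  # empty for relative (first-party) URLs
        if host and host != first_party_host:
            if "integrity" not in attrs:
                findings.append(("third-party-no-sri", src))
            elif attrs.get("crossorigin") is None:
                # Browsers can only check integrity on CORS-enabled cross-origin fetches.
                findings.append(("sri-without-crossorigin", src))
    return findings


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(header):
    """Return the reasons a policy's script-src fails to restrain script execution."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no-script-src"]
    findings = []
    pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it alone.
    if "'unsafe-inline'" in sources and not pinned:
        findings.append("unsafe-inline")
    if "'unsafe-eval'" in sources:
        findings.append("unsafe-eval")
    for s in sources:
        # Wildcards and bare schemes allow any host, which defeats the allow-list.
        if s in ("*", "http:", "https:", "data:") or s.startswith("*."):
            findings.append("broad-source:" + s)
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML, SITE_ORIGIN):
        print("script:", finding)
    print("weak CSP:", audit_csp(WEAK_CSP))
    print("hardened CSP:", audit_csp(HARDENED_CSP))
```

Run against the constructed page, the audit reports the unpinned tag-manager script and the inline block; the weak policy is flagged for `'unsafe-inline'` and the `*` source, while the hardened policy passes because the nonce, not `'unsafe-inline'`, governs inline execution. The same two functions can be pointed at a real page and its response header to produce the inventory of third-party vendors and the policy gaps the report says most sites lack.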

In theory, at least, adoption of DevSecOps best practices should lead to more of those controls being enforced. Unfortunately, DevSecOps is still a nascent trend. Cybersecurity teams are still pretty much on their own when it comes to ensuring the appropriate cybersecurity controls have been put in place. Given the rate at which new applications are being added to websites, that's a daunting challenge. As a result, many organizations are betting the revenue they gain via the web outweighs any of the potential risks. However, the penalties associated with mishandling sensitive data are rising as well. It may now only be a matter of time before privacy regulations alter the risk-versus-reward equation surrounding web application security to the point where a fundamental change in behavior finally occurs.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.