Analysis of the Alexa top 1000 websites has revealed a troubling lack of security controls required to prevent data theft and loss through client-side attacks.
“The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources,” said Aanand Krishnan, founder and CEO of Tala Security. “It’s imperative that organizations keep security top of mind and pay much closer attention to what has become a pervasive attack vector.”
Whilst 30% of the websites analyzed had implemented security policies, only 1.1% were found to have effective security in place.
Jonathan Knudsen, senior security strategist at Synopsys, said the company’s own research showed the average commercial application has well over 400 third-party open source components. He explained: “While the research conducted by Tala Security might identify 32 independent vendors, when looking at any software supply chain, it’s important to look not only at the known vendors, but also at the usage of open source software in the final product or service. After all, it’s impossible to patch something you don’t know is there.”
He also claimed it is “hardly surprising that the research found that the average website has content from 32 third-party vendors” as modern software is more assembled than it is written, with useful chunks of functionality often coming from open source, third-party software components and interactions happening via APIs with multiple other systems.
“When we refer to vendors, we are usually referring to talented programmers who have developed tools and solutions that, along with HTML and CSS, make up the backbone of the web,” he said. “Like with all plugins and solutions, organizations need to ensure that what they use is safe, up-to-date and falling under the same controls as their traditional patch management strategy.”
Source: Infosecurity Magazine