A 360 degree view of web security

February 25th, 2019

Tala has spent the last year and a half talking to enterprises about how they are protecting their web applications. All the enterprises that we talk to agree on the need for a next-generation web security platform, but we find that only the really sophisticated teams have thought this through carefully.

If you're still wondering why web security needs to change, read my earlier blog on this topic.

The framework I'm presenting here is a work in progress and is the result of numerous customer conversations. Think of it as a way either to identify gaps in your existing web application security posture or to plan short- to medium-term progress. I personally find it particularly useful because it helps guide how the Tala team is building out our solution and how we communicate the value we bring.

The 360 Degree Web Security Framework

There are 3 spokes to this 360-degree view, each representing a critical functionality and a potential vector for attack.

If you're an infosec leader within an enterprise, sit down with your team and talk about how your current security posture stacks up against this framework. Start with assessment and then implement the right solution.

Internal Servers. These are servers that are under your organization's control and host the code and content that serve your web users.

  • Assess: Do you have a handle on the code and content you're sending? Do you understand the use of in-line scripts vs. externally loaded scripts? What information are you collecting? Are there vulnerabilities?
  • Detect/Protect/Alert: If my server or code has been compromised, what security controls do I have in place to detect, protect and alert?

Third-Party Servers. These represent sources of third-party JavaScript, common development libraries, images, fonts, style sheets, etc., coming from CDNs, third-party service providers and the like.

  • Assess: Who are these 3rd parties? What is their reputation? What information are they collecting? What code and content are they sending? Have they been compromised before? Are there vulnerabilities? How many of these scripts are static vs dynamic?
  • Detect/Protect/Alert: If there's a compromised third-party server or third-party JavaScript, what security controls do I have in place to detect, protect and alert?

Client Devices. These are the user devices, PC or mobile, that are connecting to your web assets and using the functionality you are offering.

  • Assess: What is the hygiene of the client device? Is there malware, trojans, etc.? Are there malicious extensions or ad injections? Is there a DOM-based attack?
  • Detect/Protect/Alert: If there's a compromised client device, what security controls do I have in place to detect, protect and alert?

Drop me a note or comment with your thoughts.