Prescriptive, Unbiased Website Security Advice

October 23rd, 2019

The ecommerce economy continues to grow with nearly $3.5 trillion spent in 2019. Website owners have an obligation to protect their sites, their data, and their customers to ensure the integrity of online transactions. They face increasing pressure to safeguard against browser-side attacks like Magecart.


When Magecart attacks first began back in 2015, they primarily targeted open-source Magento e-commerce platforms. Today, no online shopping platform is safe. In fact, one multi-functional script was found to have been coded to collect data from an incredible 57 different payment platforms. These attacks are part of a massively growing trend of targeting browser-side website vulnerabilities to launch JavaScript card skimming attacks. There is clearly a lot at stake.

Ultimately, trust matters in ecommerce. Without it, customers will alter their purchase preferences. According to a recent survey, 62% of consumers have abandoned an online transaction due to concerns over security. As such, website owners must do all they can to ensure the integrity of ecommerce. Despite these concerns, security appears to be lagging, as evidenced by Dark Reading reporting that 2 million websites are infected with skimmers on the cusp of the holiday shopping season.

Understanding that security fosters trust, a Shopify partner recently offered a number of recommendations for ensuring website security. Shopify is the world's 2nd largest ecommerce platform, and this set of prescriptive advice for ensuring the security and integrity of online commerce provides a good framework for website owners to consider as they endeavor to secure their web assets. The following recommendations have been extracted directly from the article.

| Feature | Explanation |
| --- | --- |
| Security must be part of the development process | Security should integrate with CI/CD pipelines and provide risk analysis before deploying to production environments |
| Use a modern framework that handles security automatically | Consider automation to assist customers with deploying industry-standard security functionality |
| Avoid typical XSS mistakes | Content Security Policy (CSP) covers a wide range of XSS attacks |
| Consider Trusted Types | Trusted Types safeguard against XSS attacks by allowing dangerous injection sinks to be locked down |
| Consider using textContent instead of innerHTML | Identify all uses of innerHTML within the web app and replace them with textContent |
| Compartmentalize your application | Website architecture dependent |
| Be careful when using Google Tag Manager | Define the relationship/ownership of Tag Management between organizational security and marketing functions |
| Be more selective with third-party scripts | Create and continuously monitor a comprehensive inventory of third-party scripts |
| Audit your dependencies | Website architecture dependent |
| Use Subresource Integrity for third-party CDN hosting | SRI provides a hash check to ensure the integrity of third-party resources |
| HTML encoding is not enough | Protect against XSS |
| Implement CSP | CSP offers standards-based security defined as sophisticated whitelists for effective security. CSP is best when used in conjunction with other security mechanisms. Recently, the PCI Council |
| Be mindful of what you're exposing | Create an architecture and integrations map of user data that is exposed to third parties |

The recommendations above are a good starting point for implementing website security. However, many organizations can become quickly overwhelmed with the perceived complexity of some of these recommendations. As such, considering a vendor that can assist with the activation of these capabilities can accelerate deployment of this key functionality and reduce the administrative burdens on often over-burdened staff.

Tala Security is such a vendor and protects modern websites and web applications from critical and growing threats, such as cross-site scripting (XSS), Magecart, website supply-chain attacks, clickjacking and others. Tala prevents attacks by automating the deployment and dynamic adjustment of standards-based security controls such as Content Security Policy (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS) and other web security standards.

The activation of these browser-native security controls provides comprehensive security without requiring any changes to the application code and with almost no impact to website performance. Tala’s product is powered by an AI-assisted analytics engine that evaluates over 50 unique indicators to automate the generation, implementation and updating of security. Tala’s product also provides customers with streamlined alert analytics and incident management. Today, Tala serves large providers in verticals such as financial services, online retail, payment processing, hi-tech and fintech.

Tala offers a compelling set of capabilities for immediately addressing the website security recommendations listed above.

Sanjay Sawhney, Co-Founder and VP of Engineering