RH-ISAC BLOG

Tala Security’s 2019 State of the Web Report

Author: Tala Security

The Tala Security 2019 State of the Web report is here! The report is designed to educate enterprises about the significant and under-recognized security challenges related to their web assets. It presents tangible data, risk analysis and insights gleaned from the most frequented websites in the US, as defined by the Alexa top 1,000.

Key findings examine the weaknesses that have made the accelerating wave of client-side attacks possible, and show that the majority of global brands have not deployed the controls needed to guard against them.

Tala Security reviewed the top 1,000 websites and presents in the report revealing insights, observations and data, including:

  • The average website relies on 31 third parties. Nearly two-thirds (~63%) of the JavaScript code executed in the browser is written and/or managed by third parties.
  • 98% of websites use forms to collect PII and financial data from the user. This form data is intended to be shared with an average of 1.6 domains. In reality, because of modern website architecture and the reliance on third-party integrations, form data is exposed to an average of 15.7 third-party domains. In other words, user form data is exposed to an order of magnitude more domains than the website owner intends.
  • Only 27% of websites deploy a Content Security Policy (CSP). Standards-based controls such as CSP restrict which scripts the browser will execute and where form data may be sent, mitigating the risk introduced by heavy reliance on JavaScript and limiting unauthorized access to and distribution of form data.
  • CSP and other standards-based controls exist, but deploying them at scale requires substantial administration and has proven challenging. This is evidenced by the fact that only 2% of website operators deploy a CSP strict enough to actually prevent client-side attacks; the rest run policies that are too permissive, or report-only, to block them.
  • Other standards-based controls are natively supported by virtually all modern desktop and mobile browsers, yet deployment across the Alexa 1000 is surprisingly low:
    • HSTS – 42% Deployment
    • Referrer Policy – 7% Deployment
    • Subresource Integrity – 4% Deployment
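To make the findings above concrete, here is an added example (not code from the report or from Tala Security) of a small header audit a website operator could run against their own responses. It parses a Content-Security-Policy value, flags the directives that would leave a Magecart-style attack unblocked (injected script, exfiltration via fetch/XHR/image requests, or a form submitted to an attacker's domain), notes when a policy is report-only, and checks for HSTS and a strict Referrer-Policy. The header values, domains and nonce in it are constructed for illustration. Subresource Integrity is an HTML `integrity=` attribute rather than a response header, so it is out of scope for this check.

```python
"""Audit an HTTP response for the browser-native controls the report counts
(CSP, HSTS, Referrer-Policy) and rate whether the CSP could actually block a
Magecart-style attack: injected script plus exfiltration of form data.
All header values in this file are constructed examples, not report data.
"""

from typing import Dict, List, Optional

# Source expressions that leave a directive effectively open. For script-src a
# wildcard, scheme-only source, data: URL or 'unsafe-inline' lets injected
# script run; for the request directives a wildcard or bare scheme lets a
# skimmer send captured data anywhere.
RISKY: Dict[str, set] = {
    "script-src": {"*", "http:", "https:", "data:", "'unsafe-inline'", "'unsafe-eval'"},
    "connect-src": {"*", "http:", "https:"},  # fetch()/XHR/sendBeacon exfiltration
    "img-src": {"*", "http:", "https:"},      # image-beacon exfiltration
    "form-action": {"*", "http:", "https:"},  # where a <form> may be submitted
}

# Referrer-Policy values that never leak path or query to another origin.
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source, ...]}.

    Directive names are case-insensitive. When a directive is repeated,
    browsers honour the first occurrence and ignore the rest; mirror that.
    """
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        parts = clause.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Resolve a directive's source list. Fetch directives fall back to
    default-src; form-action does not. None means no restriction applies."""
    if directive in policy:
        return policy[directive]
    if directive != "form-action":
        return policy.get("default-src")
    return None


def audit_csp(header: str) -> List[str]:
    """Return one finding per directive that would let a Magecart-style attack
    succeed. An empty list means script execution, outbound requests and form
    submission are all pinned to an explicit allow-list."""
    findings: List[str] = []
    policy = parse_csp(header)
    for directive, risky in RISKY.items():
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} missing (no default-src fallback): unrestricted")
            continue
        bad = [s.lower() for s in sources if s.lower() in risky]
        # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so a nonce-based policy that keeps it for legacy browsers is not open.
        if directive == "script-src" and "'unsafe-inline'" in bad and any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
            bad.remove("'unsafe-inline'")
        if bad:
            findings.append(f"{directive} allows {' '.join(bad)}")
    return findings


def audit_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Check a response's headers for the controls the report measures."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    csp_findings = audit_csp(csp) if csp else ["no enforcing CSP header"]
    if not csp and "content-security-policy-report-only" in h:
        csp_findings.append("policy is report-only: it logs violations but blocks nothing")
    hsts = h.get("strict-transport-security", "").replace(" ", "").lower()
    return {
        "csp": csp_findings,
        "hsts": "max-age=" in hsts,
        "referrer_policy": h.get("referrer-policy", "").strip().lower() in STRICT_REFERRER,
    }


# Constructed sample responses (not taken from any real site or from the report).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval' data:",
}
STRONG_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'nonce-r4nd0m' https://cdn.example.com; "
        "connect-src 'self' https://api.example.com; "
        "img-src 'self' data:; "
        "form-action 'self'; object-src 'none'; base-uri 'self'"
    ),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, headers in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(name, audit_headers(headers))
```

The weak policy is the kind that counts toward the 27% "has a CSP" figure but not the 2% "can prevent client-side attacks" figure: it sets a policy, but `*` and `'unsafe-inline'` allow any injected script to run and post data anywhere, and the missing `form-action` leaves form submissions unrestricted. The strong policy pins each of those paths to an explicit allow-list; it also keeps `object-src 'none'` and `base-uri 'self'`, which close the plugin and `<base>`-hijack routes that a script allow-list alone does not.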

As this study indicates, only a small fraction of the world's top websites implement browser-native, standards-based security controls. In their recent joint bulletin, Threat of Online Skimming to Payment Security, the PCI Council and RH-ISAC recommended deploying CSP to safeguard against Magecart-style attacks.

Download the full report here: https://go.talasecurity.io/state-of-the-web-report-2019

A comprehensive risk analysis and Magecart simulation can help customers understand and guard against these types of attacks.

Website owners interested in understanding their risk exposure to Magecart and other client-side website vulnerabilities can reach Tala Security at websitenotify@talasecurity.io.