According to Tala Security's Global Data at Risk – 2020 State of the Web Report, the fact that an overwhelming majority of the world's most visited websites are still vulnerable to common client-side attacks indicates that a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.
The most alarming finding of the study was that forms in 92% of the websites leaked PII, credentials, card transactions, and medical records to an average of 17 domains. Contrary to what Internet users believe, data entered in website forms is not restricted to the website itself or to the payment clearing house, but can also be accessed by over a dozen other domains.
“Websites generate massive volumes of high-value data, making them a primary target for attackers. The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources. It’s imperative that organizations keep security top-of-mind and pay much closer attention to what has become a pervasive attack vector.”
CISOs must engage directly with dev teams to identify and secure client-side applications
Commenting on Tala Security's findings, Tim Mackey, principal security strategist at Synopsys CyRC, says that unlike the websites of only a few years ago, modern websites are powered by browser-side scripts accessing data from server-based APIs, including those of third parties.
"If the security team isn’t keeping up with the development practices of their web teams, they could easily miss when their teams moved from server-side page layout to client-side rendering. Such a miss represents an opportunity for attackers who’ve developed tool kits targeting websites using these client-side development paradigms, and who have successfully used their tool kits against major brands.
"Addressing weaknesses in development paradigms like client-side applications requires CISOs to engage directly with development teams to understand when shifts in technology selection occur. Since a shift in platform, like adopting client-side development practices, likely won’t result in any procurement activity, it could easily be overlooked if a business triggers security reviews based on vendor selection.
"Once client-side applications are identified, the next step is to conduct a review of how browser security standards are being used and what scripts are expected to be used on each web page. Armed with this client-side software bill of materials, processes can then be created to ensure security updates are performed on the scripts, reviews of any data sent by scripts can be performed, with an eye towards monitoring when changes in scripts are expected.
This latter element is critical as client-side web applications rely heavily upon third-party APIs which will update out of band from their clients – a process that could render the application unstable if not carefully monitored. As with the usage of any third-party code, awareness is key to compliance," he adds.
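The script inventory and change monitoring described above can be automated. The following is an added example, not code from Tala Security or Synopsys: it assumes a saved copy of a page's HTML (constructed sample below) and a baseline list of the scripts expected on that page, builds a client-side script bill of materials, flags cross-origin scripts that carry no Subresource Integrity hash, and reports drift from the baseline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page and baseline; hosts and the integrity value are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://tag.analytics.example/t.js"></script>
<script>window.x = 1;</script>
</head></html>"""
EXPECTED_SCRIPTS = ["/static/app.js", "https://cdn.example.net/lib.js"]

class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src and integrity attributes."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})

def script_bom(html, page_host):
    """Client-side script bill of materials: one entry per external script with
    its host, whether it is third-party, and whether it is pinned with SRI."""
    parser = ScriptCollector()
    parser.feed(html)
    bom = []
    for s in parser.scripts:
        if not s["src"]:
            continue  # inline scripts are governed by CSP, not SRI; they have no fetch origin
        host = urlparse(s["src"]).netloc or page_host  # relative src resolves to the page's own host
        bom.append({"src": s["src"], "host": host,
                    "third_party": host != page_host, "sri": bool(s["integrity"])})
    return bom

def review(bom, expected):
    """Compare the BOM against the expected baseline and return the findings."""
    seen = {e["src"] for e in bom}
    return {
        "unexpected": sorted(seen - set(expected)),        # scripts that appeared out of band
        "missing": sorted(set(expected) - seen),           # expected scripts no longer loaded
        "third_party_without_sri": sorted(e["src"] for e in bom if e["third_party"] and not e["sri"]),
    }

if __name__ == "__main__":
    for key, items in review(script_bom(SAMPLE_HTML, "shop.example"), EXPECTED_SCRIPTS).items():
        print(f"{key}: {items}")
```

Run against each page's saved HTML on a schedule, the "unexpected" list is the trigger for the change review the quote calls for, and the SRI list shows which third-party scripts can change content without any change visible in the page source.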