Published on February 25th, 2019
Written by Aanand Krishnan, CEO and Founder of Tala Security

Tala has spent the last year and a half talking to enterprises about how they are protecting their web applications. All the enterprises that we talk to agree on the need for a next-generation web security platform, but we find that only the really sophisticated teams have thought this through carefully.

If you're still wondering why web security needs to change, read my earlier blog on this topic.

The framework I'm presenting here is a work in progress and the result of numerous customer conversations. Think of it either as a way to identify gaps in your existing web application security posture or as a framework for planning work over the short to medium term. I personally find it particularly useful because it helps me guide how the Tala team is building out our solution, and how we communicate the value we bring.

The 360 Degree Web Security Framework

There are 3 spokes to this 360-degree view, each representing a critical function and a potential attack vector.

If you're an info sec leader within an enterprise, sit down with your team and talk about how your current security posture stacks up against this framework. Start with assessment and then implement the right solution.

Internal Servers. These are servers that are under your organization's control and host code and content that serves your web users.

  • Assess: Do you have a handle on the code and content you're sending? Do you understand the use of in-line scripts vs. externally loaded scripts? What information are you collecting? Are there vulnerabilities?
  • Detect/Protect/Alert: If my server or code has been compromised, what security controls do I have in place to detect, protect and alert?

Third-Party Servers. These represent sources of third-party JavaScript, common development libraries, images, fonts, stylesheets, etc., coming from CDNs, third-party service providers and the like.

  • Assess: Who are these third parties? What is their reputation? What information are they collecting? What code and content are they sending? Have they been compromised before? Are there vulnerabilities? How many of these scripts are static vs. dynamic?
  • Detect/Protect/Alert: If there's a compromised third party server or third party JavaScript, what security controls do I have in place to detect, protect and alert?
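The first Assess question for both internal and third-party servers is an inventory problem: which scripts are inline, which are loaded externally, and which third-party hosts are serving code, styles and images into the page. The script below is an added example, not code from the original post or from Tala; the HTML and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the original post): first-party scripts,
# third-party scripts, inline scripts, and a third-party stylesheet and image.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example-fonts.net/css?family=Roboto">
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.net/lib/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<img src="https://images.example-cdn.net/hero.png">
<script src="https://tags.example-analytics.com/tag.js" async></script>
<script type="text/javascript">console.log("inline 2");</script>
</body></html>
"""


class AssetInventory(HTMLParser):
    """Classifies scripts, stylesheets and images as inline, first-party or third-party."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.inline_scripts = 0          # scripts with no src attribute
        self.first_party = []            # (tag, url) served from our own origin
        self.third_party = {}            # host -> [(tag, url), ...]

    def _classify(self, tag, url):
        host = urlparse(url).netloc
        # Relative URLs have no netloc and therefore belong to the first party.
        if not host or host == self.first_party_host:
            self.first_party.append((tag, url))
        else:
            self.third_party.setdefault(host, []).append((tag, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self._classify(tag, a["src"])
            else:
                self.inline_scripts += 1
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self._classify(tag, a["href"])
        elif tag == "img" and a.get("src"):
            self._classify(tag, a["src"])


def inventory(html, first_party_host):
    """Parse one page and return the populated AssetInventory."""
    parser = AssetInventory(first_party_host)
    parser.feed(html)
    return parser
```

Run against a saved copy of each page in the estate and the `third_party` keys become the list of hosts to assess for reputation and prior compromise.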

Client Devices. These are the user devices, PC or mobile, that are connecting to your web assets and using the functionality you are offering.

  • Assess: What is the hygiene of the client device? Is there malware, trojans, etc.? Are there malicious extensions or ad injections? Is there a DOM-based attack?
  • Detect/Protect/Alert: If there's a compromised client device, what security controls do I have in place to detect, protect and alert?

Drop me a note or comment with your thoughts.

Aanand Krishnan, CEO and Founder of Tala Security

Aanand Krishnan is the CEO and Founder of Tala Security. Prior to Tala, Aanand was most recently a senior director of product management at Symantec, where he built Symantec's first big data security analytics platform and led key strategy projects that helped establish the company's vision and strategic focus. Aanand spent several years in investment banking and mergers and acquisitions at Morgan Stanley and Dolby Labs and acted as an adviser to leading security software, semiconductor and clean tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley, where he was a recipient of the CJ White Fellowship, a Master's in Photonics and Optoelectronics from UC Santa Barbara, where he was a QUEST Fellow, and a Bachelor's in Electrical Engineering with Honors from BITS, Pilani.

Find Aanand on LinkedIn