Published on October 21st, 2019
Written by Aanand Krishnan, CEO and Founder of Tala Security

A recent Tala Security study highlighted that a startling number of websites are not effectively deploying available standards-based security to safeguard against the growing volume of browser-side attacks. The website supply chain—the integrations that comprise the “under the hood” architecture of a website—is increasingly vulnerable to attacks. Today, it seems that too few companies are taking this threat seriously.

How are websites vulnerable?

Websites leverage external sources, using third-party plugins that rely on JavaScript and create unmanaged connections to deliver website richness including images, stylesheets, fonts, media and analytics. These integrations create a distinct danger: they open an attack vector that attackers have heavily targeted. In fact, skimmers have been spotted on nearly 2 million websites. According to Tala’s study, the average website in the Alexa 1000 is reliant on 31 third parties, and 20% of websites rely on 50 or more. Further, nearly two thirds of the external JavaScript code executed in the browser is either written by or managed by third parties. Externally loaded JavaScript files are one of the primary attack vectors used by hacker groups like Magecart.

Magecart refers to cyberattacks in which hackers write malicious code into third-party sites to steal personally identifiable information (PII) and customer payment data. These attacks have proven so successful that they have infected many large-scale online retailers, such as Ticketmaster, British Airways, Newegg, and Sotheby’s. Digital card skimming has become attractive to hackers as it is relatively simple, scales extremely effectively and has a high chance of reward.

Other browser-side attacks besides skimming include XSS (cross-site scripting), formjacking, keylogging, screen scraping, phishing and ad injection, among many other forms of attack.

What are the benefits of web security standards?

Protection of customer data from unauthorized access

In this digital era, our personal information is more vulnerable than ever before. Identity theft and data breaches are a constant threat to our personal finances, our credit scores, and our livelihoods. Companies presenting a website for commerce or data collection assume the obligation of making sure that the experience is protected and that customer financial data and PII are secured. A website owner’s code is purposely designed to send form data to only one or two third-party domains, but due to reliance on these third-party integrations, form data is exposed to an average of 15.7 domains. Today, attackers are significantly impacting this important electronic trust relationship.

Stakeholder confidence in your business

Once a company has had a data breach, it is hard to regain the confidence of your stakeholders. In the case of major hacks, such as British Airways’ 500,000 hacked records in 2018, the company name often becomes synonymous with the breach. In that case, the company faced a $230 million fine, the largest penalty ever under EU data protection laws. Such black eyes are hard to overlook. Brand damage as a result of an attack can cripple a business in the short and long terms. Consider the valuation tumbles incurred by Yahoo, Marriott and Equifax resulting directly from poorly managed responses to hacks.

Improved company credentials

Today, the competitive web commerce landscape drives organizations to rely increasingly on these integrations to create richness and provide analytics to continuously tune the customer experience. Implementing some of the available standards-based security, including CSP, SRI, HSTS and Referrer Policy, can effectively and cost-efficiently enable a website to confidently integrate third-party tools.

Faster recovery times in the event of a breach

When proper security standards are in place, a data breach can be managed more easily. Developing an information technology disaster recovery plan now can save a lot of headache later—more than headache, it can literally save your business.  


Aanand Krishnan, CEO and Founder of Tala Security

Aanand Krishnan is the CEO and Founder of Tala Security. Prior to Tala, Aanand was most recently a senior director of product management at Symantec, where he built Symantec’s first big data security analytics platform and led key strategy projects that helped establish the company’s vision and strategic focus. Aanand spent several years in investment banking and mergers and acquisitions at Morgan Stanley and Dolby Labs and acted as an adviser to leading security software, semiconductor and clean tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley, where he was a recipient of the CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara, where he was a QUEST Fellow, and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.

Find Aanand on LinkedIn
