When it comes to securing the web, you can have defense in depth or whack-a-mole. Only one of those is future-proof and effective, says Tala CEO Aanand Krishnan.
CSP has attracted some misplaced criticism recently, most of it focused exclusively on what it can’t do rather than on what it’s actually built to do. Almost all of that criticism misses a key point: when we talk about CSP today, we’re really talking about CSP+++, that is, CSP plus the myriad other browser-native standards that the world’s web experts craft and continuously tune, each specifically architected to protect today’s more powerful, richly functional web:
CSP + SRI + HSTS + Referrer Policy + Feature Policy + Trusted Types + Clear-Site-Data = a comprehensive web security strategy built on the expertise of the web’s leading innovators and developers.
Who wouldn’t want to secure their websites with standards developed by the best minds in the business, vetted and monitored by organizations like the W3C and leading figures in the web security community? It’s little wonder that leading organizations like the PCI Council and RH-ISAC recommend CSP.
Defense in Depth vs. Whack-a-Mole
Think about it: you’re not just looking to protect your business from Magecart; you need to protect against other client-side attacks too, such as:
- User data leakage
- Content integrity attacks
- Ad injections
- Session redirects
- Cross-site scripting (XSS)
It makes sense, then, not to rely on a single technique to protect your business. When you apply a comprehensive set of standards, they complement each other, plugging the gaps to deliver far broader protection against a wider range of attacks than Magecart alone.
Once you’ve adopted this wider approach, you’re future-proofed for the day when Magecart or other attackers evolve and the approaches built specifically to safeguard against Magecart fall apart. Better yet, CSP+++ is far more resilient to zero-day threats than alternative approaches.
As Tala CTO Swapnil Bhalode says, “You need the combination of standards and controls, and you need to be future-proof because these groups keep evolving. The alternative approach is essentially ‘Whack-a-Mole’ and ‘Security by Obscurity.’” Although it’s a topic for another day, the performance considerations of deploying browser-native, standards-based security make this an even more glaringly obvious choice.
Blocking Data Exfiltration with CSP + SRI
When it comes to blocking data exfiltration (Magecart-style) attacks, an accurately configured CSP that is continuously kept up to date (as Tala does) lets you control exactly where data may be sent.
That means form data goes only to its intended destination, and a malicious script is prevented from sending it to the attacker’s server. For example, suppose you want to protect login data (username and password), banking data or credit card information that should only ever be sent to “example.com”, and the attacker’s code tries to exfiltrate the same data to “magecartexample.com” at the same time. A properly configured CSP blocks the request to the rogue server and raises a real-time attack notification. For additional security, SRI (Subresource Integrity) lets you stop the tampered code from executing altogether.
The Human Factor
One of the greatest challenges to CSP adoption is the human factor. To implement it effectively and really reap the benefits, you have to understand how it works and have the resources to manage policy tuning and handle the alert volume. Not everyone has that expertise in-house. Tala sees many misconfigured policies, as well as policies that fail to deliver effective security.
Fortunately, there’s a simple solution: automate CSP+++. When you let experts like Tala administer CSP and the other advanced security policies, you can ensure that continuous client-side security measures are in place and stay ahead of the ever-evolving threat landscape.
Strength in Depth Wins, Every Time
It’s fair to say that Content Security Policy has evolved into an essential component of any comprehensive client-side security strategy. Combined with the other expert-developed standards mentioned above, such as SRI, it gives a strength-in-depth response to web security that’s in step with the web we have today and the web we’ll have tomorrow.