The ecommerce economy continues to grow with nearly $3.5 trillion spent in 2019. Website owners have an obligation to protect their sites, their data, and their customers to ensure the integrity of online transactions. They face increasing pressure to safeguard against browser-side attacks like Magecart.
When Magecart attacks first began back in 2015, they primarily targeted open-source Magento e-commerce platforms. Today, no online shopping platform is safe. In fact, one multi-functional script was found to have been coded to collect data from an incredible 57 different payment platforms. These attacks are part of a massively growing trend of targeting browser-side website vulnerabilities to launch JavaScript card skimming attacks. There is clearly a lot at stake.
Ultimately, trust matters in ecommerce. Without it, customers will alter their purchase preferences. According to a recent survey, 62% of consumers have abandoned an online transaction due to concerns over security. As such, website owners must do all they can to ensure the integrity of ecommerce. Despite these concerns, security seems to be lagging, as evidenced by Dark Reading reporting that 2 million websites are infected with skimmers on the cusp of the holiday shopping season.
Understanding that security fosters trust, a Shopify partner recently offered a number of recommendations for ensuring website security. Shopify operates as the world’s 2nd largest ecommerce platform and the set of prescriptive advice for ensuring the security and integrity of online commerce provides a good framework for website owners to consider as they endeavor to secure their web assets. The following recommendations have been extracted directly from the article.
| Feature | Explanation |
| --- | --- |
| Security must be part of the development process | Security should integrate with CI/CD pipelines and provide risk analysis before deploying to production environments |
| Use a modern framework that handles security automatically | Consider automation to assist customers with deploying industry-standard security functionality |
| Avoid typical XSS mistakes | Content Security Policy (CSP) covers a wide range of XSS attacks |
| Consider Trusted Types | Trusted Types safeguard against XSS attacks by allowing the lock-down of dangerous injection sinks |
| Consider using textContent instead of innerHTML | Identify all uses of innerHTML within the web app and replace them with textContent |
| Compartmentalize your application | Website architecture dependent |
| Be careful when using Google Tag Manager | Define the relationship/ownership of tag management between organizational security and marketing functions |
| Be more selective with third-party scripts | Create and continuously monitor a comprehensive inventory of third-party scripts |
| Audit your dependencies | Website architecture dependent |
| Use Subresource Integrity for third-party CDN hosting | SRI provides a hashing function to ensure site integrity |
| HTML encoding is not enough | Protect against XSS |
| Implement CSP | CSP offers standards-based security defined as fine-grained whitelists of permitted sources. CSP is best when used in conjunction with other security mechanisms. Recently, the PCI Council |
| Be mindful of what you're exposing | Create an architecture and integrations map of user data that is exposed to third parties |
The recommendations above are a good starting point for implementing website security. However, many organizations can become quickly overwhelmed with the perceived complexity of some of these recommendations. As such, considering a vendor that can assist with the activation of these capabilities can accelerate deployment of this key functionality and reduce the administrative burdens on often over-burdened staff.
Tala Security is such a vendor and protects modern websites and web applications from critical and growing threats, such as cross-site scripting (XSS), Magecart, website supply-chain attacks, clickjacking and others. Tala prevents attacks by automating the deployment and dynamic adjustment of standards-based security controls such as Content Security Policy (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS) and other web security standards.
The activation of these browser-native security controls provides comprehensive security without requiring any changes to the application code and with almost no impact to website performance. Tala’s product is powered by an AI-assisted analytics engine that evaluates over 50 unique indicators to automate the generation, implementation and updating of security. Tala’s product also provides customers with streamlined alert analytics and incident management. Today, Tala serves large providers in verticals such as financial services, online retail, payment processing, hi-tech and fintech.
Tala offers a compelling set of capabilities for immediately addressing the website security recommendations referenced above.