Published on November 15th, 2019
Written by Sanjay Sawhney, Co-Founder and VP of Engineering

Web Security Standards

You already know that there have been some major credit card skimming attacks in the news, like the one at British Airways last year. Here’s something you might not know: credit card skimming by Magecart malware has been detected on more than 2 million websites. That means the average consumer has already come into contact with dangerous websites and will again in the future.

And it’s not just Magecart. Web-based attacks on eCommerce sites are not only increasing every year, but they’re also expanding in scope and growing to include a greater range of tactics. Businesses now have to find ways to protect against XSS, clickjacking, crypto mining, ad injections, SSL stripping, and many other types of attacks.

What a Data Breach Does to Your Business

A breach would be devastating to your company in more ways than one. First, there are the fines. They’re increasing—British Airways paid an unprecedented $230 million for allowing the data of 500,000 customers to be breached. Secondly, losing consumers’ personal data, be it credit card numbers, passwords, or health data, is a great way to destroy the trust your customers have in you. A breach will hurt your brand and drive away customers. Finally, even if a customer’s personal data isn’t stolen, the malware could cause a poor user experience, leading to abandoned shopping carts and a loss in revenue.

We know that your team has more security priorities than hours in a day. Attacks of all types are on the rise and it can be hard to know which to focus on first. Remember that your website is the lifeblood of your business and put protecting it with standards-based security on the top of your list for 2020.

Solving the Problem with Standards-Based Security

There’s no shortage of solutions for website security. For example, you might write good JavaScript to fight malicious JavaScript or rely on a web application firewall (WAF). There are also many vendors trying to sell you proprietary tools.

Standards-based security solutions like Content Security Policy (CSP), Subresource Integrity (SRI), HSTS, iframe sandboxing, Referrer-Policy and others protect web applications as they execute on client devices. Deploying these standards is the best way to protect your business from financial and reputational loss while maintaining a website that runs quickly and smoothly.
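As an added example (not code from the original post or from Tala), a small Python sketch of two of the standards named above: SRI pins a script tag to the hash of the script body, so a third-party script that has been tampered with on its CDN fails the browser's integrity check instead of running, and a CSP allow-lists where scripts may load from and where the page may send data, which is what stops an injected skimmer from exfiltrating card numbers. The host names and report path are constructed placeholders.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed example values (not from the original post): a checkout page
# that serves its own scripts plus one script from a trusted CDN host.
TRUSTED_SCRIPT_HOSTS = ["https://cdn.example-shop.test"]
REPORT_ENDPOINT = "/csp-report"  # assumed path of the page's CSP report collector


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity token for a script body.
    The browser recomputes this digest on download and refuses to execute
    the script if it no longer matches the integrity attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit a <script> tag pinned to the current content of the script."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def build_csp(script_hosts, report_uri: str) -> str:
    """Build a Content-Security-Policy header value that only lets scripts
    load from the page's own origin plus an explicit allow-list, blocks
    inline scripts, and blocks fetch/XHR and form posts to unlisted hosts.
    Violations are reported so the security team sees blocked attempts."""
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_hosts),
        "connect-src 'self'",   # no beacons to unknown hosts
        "form-action 'self'",   # no form submissions to unknown hosts
        "object-src 'none'",
        "base-uri 'self'",
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives)


def script_allowed(csp: str, page_origin: str, script_url: str) -> bool:
    """Rough check of whether script-src permits script_url. Only handles
    origin-level source expressions, which is all this example needs."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            sources = value.split()
            origin = "{0.scheme}://{0.netloc}".format(urlsplit(script_url))
            return (origin == page_origin and "'self'" in sources) or origin in sources
    return True  # no script-src directive: nothing restricts scripts
```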

Performance Matters

The only way to completely eliminate the risk of cyberattack would be to shut down your website. Obviously, you can’t do that. But many website security solutions are asking you to do something almost as bad: slow down the performance of your website significantly. An eCommerce site that runs like websites did in 1995 will quickly be abandoned by paying customers. In other cases, the website will run well—until there’s an error in your solution and the whole site goes down. We call that a single point of failure (SPOF), and it can lead to the loss of revenue in a matter of minutes.

Web security standards are the best way to find that perfect balance between protecting your assets and maintaining high-performance standards.

Future-Proof Your Business

A primary problem with most solutions is a lack of flexibility. Attackers change their tactics and technology constantly. When a new type of malware gets some public attention, you’ll suddenly hear about a lot of proprietary solutions that can combat that particular issue. Purchasing those solutions means that you’re investing in solving yesterday’s problem. Tomorrow’s hacker will be coming at you from a different angle. Standards-based security offers the flexibility to stand against attack methods old and new.

Furthermore, web security standards are browser-independent. Browsers can be changed with each new version release, potentially forcing you to change your code for each update of each browser. But all the major browsers support standards like CSP. Standards-based security frees you up from relying on browser manufacturers.

Don’t Be A Guinea Pig

Web security standards are a proven technology. They’ve been around for years, and using them puts you in the good company of businesses like Google, PayPal, GitHub, and other tech leaders. Your data is too valuable to leave in the hands of an untested solution.

Too many companies aren’t taking website security seriously enough. The stakes are incredibly high—a single breach could cost you millions of dollars and the reputation of your company. At the same time, we know you need to maintain the high performance of your digital properties and save yourself from repeated manual fixes when the next big cyber threat comes along.

Standards-based security policies are the most effective and pain-free way to protect your business from the financial loss of a data breach, today and in the future. Rather than being a guinea pig for every new security solution and reacting too late to every new cyberthreat, adopt a more proactive and adaptable form of security.

Sanjay Sawhney, Co-Founder and VP of Engineering

Sanjay Sawhney is the co-founder and VP of Engineering of Tala. Sanjay is an experienced engineering leader, technologist and entrepreneur who has worked for 25+ years in various engineering capacities in both well-established companies and startups. Most recently, he spent 9 years at Symantec managing Symantec Research Labs, one of the key innovation engines of the company. Prior to joining Symantec, he co-founded two companies and led their engineering: Neoscale Systems, a data encryption company, and Ukiah Software, a network security company. Earlier in his career, he worked in various engineering positions at Novell. Sanjay received a B.Tech. in Electrical Engineering from the Indian Institute of Technology, Delhi, and an M.S. in Computer Science from the University of California, Santa Barbara.