“The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources,” said Aanand Krishnan, founder and CEO of Tala Security. “It’s imperative that organizations keep security top of mind and pay much closer attention to what has become a pervasive attack vector.”
While 30 per cent of the websites analysed had security policies in place, only 1.1 per cent had policies that were actually effective at restricting third-party content.
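The gap between a policy being "in place" and being effective is the practical point here. Assuming the policies in question are Content-Security-Policy headers (the article does not name the mechanism), the following added example, which is not code from the article, Tala Security or Synopsys, parses a CSP header, flags the source expressions that make its script restrictions meaningless, and reports which of a page's third-party scripts the policy would still allow. The policy strings, page origin and script URLs are constructed; port and path matching, and the exact scheme rules for scheme-less hosts, are simplified.

```javascript
// Added example, not code from the article, Tala Security or Synopsys. It evaluates
// whether a Content-Security-Policy header actually constrains script loading,
// which is the difference between a policy being "in place" and being effective.
// Policy strings, page origin and script URLs below are constructed for illustration.

// Parse "directive value value; directive ..." into a Map; per the spec, a repeated
// directive is ignored after its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src; with neither, scripts are unrestricted.
function effectiveScriptSources(csp) {
  return csp.get('script-src') ?? csp.get('default-src') ?? null;
}

// Flag the source expressions that make a script policy meaningless.
function assessScriptPolicy(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    return { effective: false, findings: ['no script-src or default-src: scripts may load from any origin'] };
  }
  const lower = sources.map(s => s.toLowerCase());
  // A nonce or hash makes browsers ignore 'unsafe-inline' (CSP level 2 and later).
  const hasNonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const findings = [];
  for (const s of lower) {
    if (s === "'unsafe-inline'" && !hasNonceOrHash) findings.push("'unsafe-inline' without nonce or hash: injected inline scripts execute");
    if (s === "'unsafe-eval'") findings.push("'unsafe-eval': string-to-code (eval, Function) allowed");
    if (s === '*' || s === 'https:' || s === 'http:') findings.push(`${s}: scripts accepted from any host`);
    if (s === 'data:' || s === 'blob:') findings.push(`${s}: scripts can be synthesised from attacker-controlled data`);
  }
  return { effective: findings.length === 0, findings };
}

// Does one source expression permit this script URL? Simplified: ports and paths are
// ignored, and a scheme-less host matches both http and https (an assumption here).
function sourceAllows(source, pageOrigin, scriptUrl) {
  const src = source.toLowerCase();
  if (src === '*') return true;
  if (src === "'self'") return scriptUrl.origin === pageOrigin;
  if (src === 'https:' || src === 'http:') return scriptUrl.protocol === src;
  if (src.startsWith("'")) return false; // nonces, hashes and keywords never match a URL
  const m = src.match(/^(?:(https?):\/\/)?(\*\.)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scriptUrl.protocol !== scheme + ':') return false;
  return wildcard ? scriptUrl.hostname.endsWith('.' + host) : scriptUrl.hostname === host;
}

// For each script a page loads, report whether the policy would let it run.
function auditScripts(header, pageOrigin, scriptUrls) {
  const sources = effectiveScriptSources(parseCsp(header)) ?? ['*'];
  return scriptUrls.map(u => {
    const url = new URL(u);
    return { url: u, allowed: sources.some(s => sourceAllows(s, pageOrigin, url)) };
  });
}

// Constructed sample: a shop page that pulls scripts from itself and two vendors.
const PAGE_ORIGIN = 'https://shop.example';
const SCRIPTS = [
  'https://shop.example/js/app.js',
  'https://tag.analytics-vendor.example/tag.js',
  'https://static.widget-vendor.example/widget.js',
];
// A policy that exists but restricts nothing, beside one that names its vendors.
const WEAK_CSP = "default-src 'self'; script-src * 'unsafe-inline'";
const STRICT_CSP = "default-src 'self'; script-src 'self' https://tag.analytics-vendor.example 'nonce-d2Vha2x5'";

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, csp] of [['weak', WEAK_CSP], ['strict', STRICT_CSP]]) {
    console.log(name, assessScriptPolicy(csp), auditScripts(csp, PAGE_ORIGIN, SCRIPTS));
  }
}
```

Run against the constructed inputs, the weak policy is reported as ineffective (wildcard host plus `'unsafe-inline'` with no nonce or hash) and lets all three scripts load; the strict policy is reported as effective and blocks the unlisted widget vendor, which is the kind of result that separates the 30 per cent from the 1.1 per cent.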
Jonathan Knudsen, the senior security strategist at Synopsys, said that research by the company showed the average commercial application has well over 400 third-party open-source components.
He explained “While the research conducted by Tala Security might identify 32 independent vendors, when looking at any software supply chain, it’s important to look not only at the known vendors but also at the usage of open-source software in the final product or service. After all, it’s impossible to patch something you don’t know is there.”
He also claimed it is “hardly surprising that the research found that the average website has content from 32 third-party vendors” as modern software is more assembled than it is written, with useful chunks of functionality often coming from open-source, third-party software components and interactions happening via APIs with multiple other systems.
“When we refer to vendors, we are usually referring to talented programmers who have developed tools and solutions that, along with HTML and CSS, make up the backbone of the web,” he said. “Like with all plugins and solutions, organizations need to ensure that what they use is safe, up-to-date and falling under the same controls as their traditional patch management strategy.”