I saw an interesting statistic recently that 79% of developers don’t update third-party modules in their code. I knew the number was high, but I didn’t realize it was quite that high! The plugins and modules introduced into modern code add functionality, but every one of them also expands the attack surface.
Whether you realize it or not, you’re almost always using some kind of third-party module in your day-to-day life. When you visit a website, any number of small scripts run in the background to help the website operators display content, track analytics, serve ads, or deliver other things to visitors. Each of these is important to the operation of the site, and in many cases they let users work more efficiently. For website operators, however, each one is also a potential security headache.
If the developers never update their modules, how can you be sure you’re not open to attack? Can you even determine which version of a module or plugin the site is running? Worse yet, there is growing concern about companies buying these modules from their original developers, ostensibly to inject cash into the project, and then monetizing the software in ways that directly clash with users’ privacy. How can you protect yourself from these kinds of hidden exploits?
Detecting The Problem at the Source
A few months ago I had the opportunity to sit down and talk to the team at Tala Security. They are acutely aware of the issues that I’ve mentioned above and they know how to solve them. They have been building security solutions designed to combat the data exposure that often comes from JavaScript and plugins on a website, which can leak your data when you visit.
The product, Tala Detect, has a simple design. It models the way that data is shared from your site and ensures that the modules and plugins you are using send that data only to the appropriate places. It then uses that baseline to ensure that nothing deviates from the model.
This simple model allows them to notice immediately when something is amiss. Did one of your plugins suddenly start sending data to a server in a country it has never tried to contact before? Tala Detect can alert you with details about the plugin and the destination and provide context around the exposure. It could be a newly discovered exploit that someone is actively trying to take advantage of.
The model also allows you to determine whether the change in behavior is intended. The module could be actively exploited by a malicious actor. It could also be the case that the plugin author has decided to start selling your data to a third-party service without proper notification, or by burying the changes in a new EULA. Tala Detect can see these changes and alert you when they happen, so you can disable that software until you can gauge the impact on your visitors. You don’t want to find yourself in the middle of a dispute between one of your plugins and the angry users whose data has been sold without their consent.
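The baseline-and-deviation idea described above, sketched as an added example in Node.js (this is illustrative code, not Tala’s). The baseline hostnames, the event records and the sample traffic are all constructed; in practice the events would come from CSP violation reports, a monitoring proxy or browser instrumentation.

```javascript
// Added example (not Tala's code): an "expected data flow" baseline for
// third-party scripts and a check that flags anything outside the model.
// Constructed baseline: which destination hosts each approved script on
// the site is known to contact. All hostnames are placeholders.
const BASELINE = {
  "cdn.analytics.example": new Set(["collect.analytics.example"]),
  "ads.example": new Set(["bid.ads.example", "img.ads.example"]),
  "www.mysite.example": new Set(["api.mysite.example"]),
};

// One event = the script that issued an outbound request and where it went.
// Returns null when the request matches the model, otherwise an alert.
function checkEvent(baseline, event) {
  const script = new URL(event.script).hostname;
  const dest = new URL(event.destination).hostname;
  const allowed = baseline[script];
  if (!allowed) {
    // A script the site never approved is executing at all.
    return { severity: "high", reason: "unknown-script", script, dest };
  }
  if (!allowed.has(dest)) {
    // An approved script is talking to a host it has never used before.
    return { severity: "medium", reason: "new-destination", script, dest };
  }
  return null;
}

function detectDeviations(baseline, events) {
  return events.map((e) => checkEvent(baseline, e)).filter(Boolean);
}

// Constructed sample traffic: two normal requests, an approved script that
// starts posting to an unfamiliar host, and an unapproved injected script.
const SAMPLE_EVENTS = [
  { script: "https://cdn.analytics.example/a.js", destination: "https://collect.analytics.example/beacon" },
  { script: "https://ads.example/ads.js", destination: "https://bid.ads.example/rtb" },
  { script: "https://cdn.analytics.example/a.js", destination: "https://drop.unknown-host.example/x" },
  { script: "https://evil-cdn.example/inject.js", destination: "https://evil-cdn.example/c" },
];

for (const a of detectDeviations(BASELINE, SAMPLE_EVENTS)) {
  console.log(`[${a.severity}] ${a.reason}: ${a.script} -> ${a.dest}`);
}
```

Only the two anomalous events produce alerts; the first two match the baseline and are silent.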
Protecting Your Privacy
Tala Detect is just one part of the equation. Tala Protect gives you the ability to act on the information you gather with Tala Detect and do something about it. Tala Protect prevents modules from sending data to unauthorized locations. It can also verify the signatures of modules when they’re updated to ensure that malicious versions of the code haven’t been slipped into the build process.
Given the rise of supply chain attacks in 2021, the importance of this ability cannot be overstated. It’s not enough to download from trusted sources. You have to verify those sources over and over again to ensure that someone hasn’t breached your partner and decided to exploit you through them. If you don’t have the capability to shut down these kinds of active attacks, you’re going to find yourself losing customers and opening yourself up to huge liability for a software compromise that was no fault of your own. In a world where zero trust is the name of the game, you have to extend that zero trust mentality even to things you think you can inherently trust.
Bringing It All Together
The modern module-based mentality of building systems increases the flexibility and capability of those systems beyond anything we could have possibly hoped to achieve on our own. However, all of these extra moving parts also give us more things to consider when we’re trying to secure our platforms. To corrupt a quote from Thomas Jefferson, “The price of security is eternal vigilance.” We must always be on guard that the things we are trying to leverage aren’t also trying to exploit us in return. Programs like Tala Detect and Tala Protect allow us to know when that happens and prevent it from causing us and our users issues. Thinking you’re safe and knowing that you’re safe are two different states. Make sure they’re not incompatible.
For more information about Tala Security and their solutions, make sure you check out their website at http://talasecurity.io.