Online services, e-commerce sites, videoconference, delivery services, and all other kinds of services are growing exponentially, exposing users and data to new risks and threats. Users expect that the sites and services they rely on are using best practices when it comes to security. But are they?
To better understand web application security posture, BitSight researchers examined the usage of Content Security Policy (CSP) across the global Internet since 2017. CSP is a W3C recommended security standard that “defines a mechanism by which web developers can control the resources which a particular page can fetch or execute, as well as a number of security-relevant policy decisions.” The technology is about 10 years old, and had 3 versions over this time. All major Internet browsers implement CSP.
CSP is designed to prevent cross-site scripting (XSS), clickjacking, “Man in the Middle” attacks, and other code injection attacks. XSS has become a common attack vector for malicious actors to target web applications and their private data. The threat and dangers of XSS include stealing credentials, sessions, or delivering malware to the victim. In recent months, attackers operating under the “Magecart” group have utilized hacking techniques like to inject malicious code into websites to steal data. Organizations like British Airways who failed to implement basic steps to reduce risk from these attacks have faced significant fines for their failures.
With new risks in play, BitSight researchers wanted to evaluate whether organizations are actually implementing CSP and how that has changed over time. In summary, BitSight researchers found:
BitSight is able to assess CSP implementation by continuously monitoring global web application security issues. We can assess over time, at Internet-wide scale, the implementation and evolution of adoption of technologies dedicated to offer better security to web applications -- including CSP.
BitSight researchers studied the evolution of CSP from 2017 until the end of May 2020. The study includes 9 billion successful HTTP responses observed, making an average of 7 million observations a day. Of these observations one third were obtained from web applications using TLS/SSL.
This study includes overall usage of CSP and how we see it across different dimensions.
Since 2017, there has been an increase in HTTP daily responses that include the Content Security Policy header or HTML meta tag. In 2017, only 1.5% of records were observed to have the CSP header; this is now 6.3%.
If we aggregate this data by month, we see that almost 5 million web applications use CSP now. These web applications either are from corporate websites or from network devices.
In examining CSP presence by industry sector, most sectors appear to adopt CSP at a similar rate over time. We see consistent and steady adoption rates of CSP across all of the sectors that BitSight tracks.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The study suggests that the larger an organization is, the more likely is to use CSP on web applications.
When seen at common subdomains we see only a small increase in the ratio of usage.
However, shop., vpn. and blog. have a bigger presence than other names.
|
|
|
|
|
|
|
|
With these results, we took special attention to the VPN services, and we detected several major vendors releasing new versions of their devices or operating systems including the CSP on web applications.
The Internet wide survey CSP can’t be done without looking at the part of the Internet that common people and companies use daily. BitSight researchers looked at the most famous and used websites and services in the World to examine the prevalence of CSP usage on those websites.
We divided websites on 3 slots based on a top usage ranking:
Some of the best known domains and leaders on e-commerce, paying services, social media have a large ratio of CSP presence. We also observed that some of the companies that saw a large influx of global usage during the pandemic have responded to implement CSP.
However, the deployment of this technology can’t yet be seen as the rule or a common best practice followed by the top sites.
On the technical side, we also checked how well constructed and safe are all CSP policies published by web applications. From the published Content Security Policy, only 2% can be considered totally safe and perfect.
The reasons behind some of imperfect CSP policies are mainly the usage of unsafe inline and eval scripts.
Finally, BitSight examined our Customers and tried to understand how they are adopting the Content Security Policy and compared the adoption rate to broader Internet adoption. We found that BitSight customers are adopting CSP at rates that are significantly higher than the global Internet.
Though the adoption of CSP has increased over the last 3 years, there is clearly more work that must be done. Attackers continue to exploit vulnerabilities that could be mitigated by deploying CSP. While larger organizations and a number of the most popular websites are adopting CSP, gaps still exist in broader adoption rates. BitSight is proud that our customers are adopting CSP at a rate higher than the global Internet. However, more organizations will need to adopt CSP in order to reduce the risk that customer data is exposed to attackers. Additional work is required to explore legal and policy recommendations that would improve the adoption rate of CSP.
Not long ago, corporate executives would give only passing thoughts to their organization’s cybersecurity postures. Leadership and board members would take notice in the wake of a major data breach, for example, or a couple of times a year...
A week ago (which seems like a world ago given everything that’s happened with SolarWinds) Phil Venables -- formerly CISO of Goldman Sachs and now CISO of Google Cloud -- posted an interesting expose on security ratings this week. Phil has...
Online services, e-commerce sites, videoconference, delivery services, and all other kinds of services are growing exponentially, exposing users and data to new risks and threats. Users expect that the sites and services they rely on are...
© 2021 BitSight Technologies. All Rights Reserved. | Privacy Policy | Security | For Suppliers
Contact Us | BitSight Technologies | 111 Huntington Ave, Suite 2010, Boston, MA 02199 | +1-617-245-0469