This year’s holiday shopping season is much different compared to years’ past, with consumers making the vast majority of their purchases online. Black Friday proved this trend, with consumers spending $9 billion on U.S. retail websites, a 22% increase over the previous record of $7.4 billion set on Black Friday 2019.
For retailers, this rapid shift to e-commerce means significant opportunity to increase sales margins, in an effort to end the year strong as COVID-19 continues to rattle the industry. However, this opportunity also comes with significant risk, as malicious actors are highly-motivated to exploit holes in retailers’ digital platforms for financial gain this holiday shopping season. And with Verizon’s 2020 Data Breach Investigations Report finding that vulnerable web apps are a primary cause of retail data breaches, retailers must prioritize the security of their e-commerce applications and software to ensure a better, safer online experience.
To achieve strengthened eCommerce software security, here are four best practices retailers should implement, not just throughout the holiday shopping season, but year-round.
Perform regular security scans
Retail has been a testing ground for digital transformation for quite some time, to the point where today, it’s required to gain a competitive advantage. In fact, 100% of retailers have either developed or are planning to develop a digital transformation strategy this year, according to BDO’s 2020 Retail Digital Transformation Survey. COVID-19 has only accelerated this massive digital shift within the industry, forcing retailers to double down on e-commerce as their primary means of business. This has resulted in the introduction of new software, applications and technologies as retailers fine-tune the digital customer experience. While there’s a race to roll out new technologies, security should never fall by the wayside as a result.
As these new innovations - such as web and mobile applications - continue to be introduced, it’s important for retailers to perform early and regular static application security testing scans during software development. For brands who already have e-commerce applications in place, regular security scans must be conducted on a consistent basis for each new update while the software is being developed in-house, not after it has been deployed online.
Understand the risk of open source before it’s too late
It’s imperative that brands manage their software risks when using open-source libraries within their home-grown retail applications. If a vulnerability is discovered in a retailer’s use of open source software, they must work quickly to patch that vulnerability or find a more secure option.
Additionally, retailers should not only assume the responsibility of their own security, but also that of their customers. With open source libraries and components likely in use within many, if not all, e-commerce applications, software composition analysis is critical to managing open source vulnerability risks, license risks and outdated libraries no longer being maintained by the developer community. Retailers must address open source risks early on in the software development phase -- eliminating the potential risk of having to pay massive fines and penalties as a result of a breach caused by a vulnerable open source component in the future.
Don’t overlook API risks
Today, nearly all applications and pieces of software are powered by application programming interfaces (APIs). Backend APIs enable technology providers, manufacturers, suppliers, retailers and shippers to communicate and share data with one another, while consumers unknowingly are using APIs themselves when making purchases from mobile apps. In a sense, APIs are the backbone of e-commerce innovation.
For organizations who depend on APIs for retail operations, a helpful resource to refer to is the OWASP API Security Top 10 list of risks. Make it a priority to understand these top risks and associated vulnerabilities, plus analyze current prevention methods against them. Typically, mobile apps using APIs often allow access to an abundance of data that can include personally identifiable information (PII) of customers, since APIs often rely on endpoint filtering from mobile apps themselves. Because of this, APIs and mobile apps have become one of the biggest targets for attackers. Retailers must regularly evaluate their own API security approaches, and highly scrutinize their API integrations to ensure that third-party providers are employing the same security standards.
Raise security awareness
Security is a team sport - gone are the days of having the responsibility fall solely on IT departments, software developers or AppSec teams. Security must become everyone’s responsibility in order for it to be effective. This means retailers must instill AppSec awareness and training throughout their entire organization, from the leadership team to seasonal hires and even third-party contractors. Secure software development must be understood by the entire organization - not just developers - to truly protect the brand and its customers.
For developers specifically, secure coding education is needed more than ever before. Some of the most common software vulnerabilities in e-commerce applications today are often the cause of repetitive coding errors that lead to major vulnerabilities. It’s imperative to have real-time, train-while-you-code, training modules embedded into the tools developers use daily to minimize some of these mundane coding mistakes.
As retailers know all too well by the seemingly daily data breach stories, one small security misstep can have major repercussions -- impacting revenues, eroding customer trust and tarnishing long-term brand reputation. As consumers fill their virtual carts this year with holiday gifts, it’s retailers’ responsibility to ensure strong software security protocols are being adhered to not just in December, but year-round. With a few best practices including regular, consistent application security testing, a firm understanding of the risks of open source and API-powered technologies, as well as instilling a security-first culture throughout the organization (one where developers are empowered through real-time, interactive training), retailers can put their best foot forward this holiday season -- and consumers can breathe a sigh of relief knowing they’re part of a safer shopping experience.