Four steps to bolster e-commerce software security this holiday season

By Stephen Gates
December 14, 2020

This year’s holiday shopping season is much different compared to years past, with consumers making the vast majority of their purchases online. Black Friday proved this trend, with consumers spending $9 billion on U.S. retail websites, a 22% increase over the previous record of $7.4 billion set on Black Friday 2019.

For retailers, this rapid shift to e-commerce means significant opportunity to increase sales margins, in an effort to end the year strong as COVID-19 continues to rattle the industry. However, this opportunity also comes with significant risk, as malicious actors are highly motivated to exploit holes in retailers’ digital platforms for financial gain this holiday shopping season. And with Verizon’s 2020 Data Breach Investigations Report finding that vulnerable web apps are a primary cause of retail data breaches, retailers must prioritize the security of their e-commerce applications and software to ensure a better, safer online experience.

To strengthen e-commerce software security, here are four best practices retailers should implement, not just throughout the holiday shopping season, but year-round.


Perform regular security scans

Retail has been a testing ground for digital transformation for quite some time, to the point where today, it’s required to gain a competitive advantage. In fact, 100% of retailers have either developed or are planning to develop a digital transformation strategy this year, according to BDO’s 2020 Retail Digital Transformation Survey. COVID-19 has only accelerated this massive digital shift within the industry, forcing retailers to double down on e-commerce as their primary means of business. This has resulted in the introduction of new software, applications and technologies as retailers fine-tune the digital customer experience. While there’s a race to roll out new technologies, security should never fall by the wayside as a result.

As these new innovations - such as web and mobile applications - continue to be introduced, it’s important for retailers to perform early and regular static application security testing (SAST) scans during software development. For brands that already have e-commerce applications in place, security scans must be run consistently for each new update while the software is still being developed in-house, not after it has been deployed online.


Understand the risk of open source before it’s too late

It’s imperative that brands manage their software risks when using open-source libraries within their home-grown retail applications. If a vulnerability is discovered in an open-source component a retailer uses, the retailer must work quickly to patch that vulnerability or replace the component with a more secure option.

Additionally, retailers should not only assume responsibility for their own security, but also for that of their customers. With open-source libraries and components likely in use within many, if not all, e-commerce applications, software composition analysis (SCA) is critical to managing three kinds of open-source risk: known vulnerabilities, license obligations, and outdated libraries no longer maintained by the developer community. Retailers must address open-source risks early in the software development phase, eliminating the potential of having to pay massive fines and penalties as a result of a breach caused by a vulnerable open-source component in the future.
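The three open-source risk categories named above (known vulnerabilities, license problems and unmaintained libraries) are what a software composition analysis pass checks a dependency manifest against. The script below is an added illustration of that check and is not code from the article, from Checkmarx or from any real SCA product: the manifest, the advisory feed, the license data, the release dates and the `ADVISORY-PLACEHOLDER-*` identifiers are all constructed for the example, where a real pipeline would pull them from a vulnerability database and package-index metadata.

```python
"""Minimal software composition analysis (SCA) pass over a pinned dependency manifest.

Added illustration; the advisory feed, license data and release dates below
are constructed sample data, not real advisories.
"""
from dataclasses import dataclass
from datetime import date

# Constructed manifest in requirements.txt style (pinned versions only).
MANIFEST = """\
# checkout service dependencies (constructed sample)
payment-sdk==1.4.2
jsonparse==0.9.1
legacy-xml==2.0.0
"""

# Constructed advisory feed: package -> list of (first fixed version, advisory id placeholder).
# A pinned version is affected when it is strictly below the first fixed version.
ADVISORIES = {
    "payment-sdk": [("1.5.0", "ADVISORY-PLACEHOLDER-1")],
    "jsonparse": [("0.9.1", "ADVISORY-PLACEHOLDER-2")],  # 0.9.1 already carries the fix
}

# Constructed package metadata: (license identifier, date of last release).
METADATA = {
    "payment-sdk": ("Apache-2.0", date(2020, 10, 1)),
    "jsonparse": ("MIT", date(2020, 6, 15)),
    "legacy-xml": ("AGPL-3.0", date(2017, 3, 2)),
}

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # assumed policy
STALE_AFTER_DAYS = 730  # no release in two years -> treat as unmaintained
SCAN_DATE = date(2020, 12, 14)  # fixed "today" so the run is reproducible


@dataclass
class Finding:
    package: str
    kind: str      # "vulnerable" | "license" | "stale"
    detail: str


def parse_version(v: str) -> tuple:
    """Turn a dotted version into a tuple so '1.10.0' compares above '1.9.0'."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict:
    """Read 'name==version' lines; unpinned entries are rejected because they cannot be audited."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip()] = version.strip()
    return deps


def analyse(manifest: str, today: date) -> list:
    """Return one Finding per vulnerability, disallowed license, or stale package."""
    findings = []
    for pkg, version in parse_manifest(manifest).items():
        for fixed, advisory in ADVISORIES.get(pkg, []):
            if parse_version(version) < parse_version(fixed):
                findings.append(Finding(pkg, "vulnerable", f"{version} < {fixed} ({advisory})"))
        license_id, last_release = METADATA.get(pkg, ("UNKNOWN", None))
        if license_id not in ALLOWED_LICENSES:
            findings.append(Finding(pkg, "license", license_id))
        if last_release is None or (today - last_release).days > STALE_AFTER_DAYS:
            findings.append(Finding(pkg, "stale", f"last release {last_release}"))
    return findings


if __name__ == "__main__":
    for f in analyse(MANIFEST, SCAN_DATE):
        print(f"{f.kind:10} {f.package:12} {f.detail}")
```

Run against the constructed manifest, the pass flags `payment-sdk` as vulnerable (1.4.2 is below the fixed 1.5.0), leaves `jsonparse` clean because its pin already carries the fix, and reports `legacy-xml` twice: once for its copyleft license and once because its last release is well past the two-year staleness threshold. The point of running this in the build, rather than after deployment, is that each of those findings blocks a merge instead of becoming an incident.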


Don’t overlook API risks

Today, nearly all applications and pieces of software are powered by application programming interfaces (APIs). Backend APIs enable technology providers, manufacturers, suppliers, retailers and shippers to communicate and share data with one another, while consumers unknowingly are using APIs themselves when making purchases from mobile apps. In a sense, APIs are the backbone of e-commerce innovation.

For organizations that depend on APIs for retail operations, a helpful resource to refer to is the OWASP API Security Top 10 list of risks. Make it a priority to understand these top risks and associated vulnerabilities, and analyze current prevention methods against them. Mobile apps using APIs often have access to an abundance of data that can include personally identifiable information (PII) of customers, because the API frequently returns full records and relies on the mobile app itself to filter what is shown. Because of this, APIs and mobile apps have become one of the biggest targets for attackers. Retailers must regularly evaluate their own API security approaches, and highly scrutinize their API integrations to ensure that third-party providers are employing the same security standards.
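The failure mode described above, an API that returns whole customer records and trusts the mobile app to filter them, is what OWASP's API Security Top 10 calls excessive data exposure. The snippet below is an added example, not code from the article or from any retailer's platform; the customer record, the field allowlists and the caller identity are constructed. It places the risky pattern beside the hardened one, where the server decides per caller which fields may leave it.

```python
"""Server-side response filtering for a customer-profile API endpoint.

Added example with a constructed record; the allowlists encode an assumed
policy for the endpoint.
"""
import json

# Constructed customer record as it might come back from the data layer.
CUSTOMER = {
    "id": 1042,
    "display_name": "A. Shopper",
    "email": "a.shopper@example.com",
    "phone": "+1-555-0100",
    "shipping_address": "1 Example St",
    "card_last4": "4242",
    "password_hash": "$argon2id$placeholder",
    "loyalty_points": 310,
}

# Explicit allowlists per kind of caller. Anything not listed never leaves the server,
# so a new column added to the record later is withheld by default rather than leaked.
PUBLIC_FIELDS = {"id", "display_name", "loyalty_points"}
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "phone", "shipping_address", "card_last4"}


def exposed_response(record: dict) -> dict:
    """Risky pattern: serialize the whole record and rely on the mobile app to hide fields."""
    return dict(record)


def filtered_response(record: dict, requester_id: int) -> dict:
    """Hardened pattern: the server selects the fields this caller is entitled to see."""
    allowed = OWNER_FIELDS if requester_id == record["id"] else PUBLIC_FIELDS
    return {key: value for key, value in record.items() if key in allowed}


def leaked_fields(record: dict, requester_id: int) -> set:
    """Fields the risky pattern would send that the hardened pattern withholds."""
    return set(exposed_response(record)) - set(filtered_response(record, requester_id))


def wire_payload(record: dict, requester_id: int) -> str:
    """The JSON body that actually crosses the network under the hardened pattern."""
    return json.dumps(filtered_response(record, requester_id), sort_keys=True)


if __name__ == "__main__":
    print("owner sees:   ", wire_payload(CUSTOMER, 1042))
    print("stranger sees:", wire_payload(CUSTOMER, 7))
    print("withheld from a stranger:", sorted(leaked_fields(CUSTOMER, 7)))
```

Note that even the record owner never receives `password_hash`: the allowlist is written from the endpoint's purpose outward, not by subtracting a few known-sensitive columns from the full record. That is the property to test for when reviewing an API, since a denylist silently fails the first time a new sensitive column is added.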


Raise security awareness

Security is a team sport - gone are the days of having the responsibility fall solely on IT departments, software developers or AppSec teams. Security must become everyone’s responsibility in order for it to be effective. This means retailers must instill AppSec awareness and training throughout their entire organization, from the leadership team to seasonal hires and even third-party contractors. Secure software development must be understood by the entire organization - not just developers - to truly protect the brand and its customers.

For developers specifically, secure coding education is needed more than ever before. Some of the most common software vulnerabilities in e-commerce applications today are the result of repetitive coding errors, the same small mistakes made over and over. It’s imperative to have real-time, train-while-you-code training modules embedded into the tools developers use daily to minimize these mundane coding mistakes.

As retailers know all too well by the seemingly daily data breach stories, one small security misstep can have major repercussions -- impacting revenues, eroding customer trust and tarnishing long-term brand reputation. As consumers fill their virtual carts this year with holiday gifts, it’s retailers’ responsibility to ensure strong software security protocols are being adhered to not just in December, but year-round. With a few best practices including regular, consistent application security testing, a firm understanding of the risks of open source and API-powered technologies, as well as instilling a security-first culture throughout the organization (one where developers are empowered through real-time, interactive training), retailers can put their best foot forward this holiday season -- and consumers can breathe a sigh of relief knowing they’re part of a safer shopping experience.


Stephen Gates is an Application Security Evangelist at Checkmarx, a software security company. Stephen brings more than 15 years of information security experience to his role at Checkmarx. He is an SME with an extensive hands-on background in the deployment and implementation of on-premises and cloud-based security solutions, and is a well-known writer, blogger, presenter, and published author who is dedicated to conveying facts, figures, and information that brings awareness to the cybersecurity issues all organizations face.
