Cyber Security Essentials for Websites and Applications
Safeguarding E-Commerce Success
With e-commerce thriving as a cornerstone of retail, securing websites and applications has never been more critical. Cyber criminals target vulnerabilities in commercial platforms and websites to exploit sensitive customer data and disrupt operations.
This month, we explore the cyber threats and implications facing online retail and e-commerce, as well as delving into some best practices and frameworks like OWASP, and secure development methodologies, to help organisations stay secure online.
Why Application Security Matters for E-Commerce
Threat Landscape
Cyber crime targeting e-commerce platforms remains a top concern, according to the NCSC, 50% of UK businesses experienced a cyber attack in 2023 alone. 18% of breaches that were reported in 2023 to the Information Commissioner’s Office (ICO) were in the retail sector.
Rising Threats
Cyber crime targeting online businesses in the UK is being driven by increasingly sophisticated attacks, with the number of affected businesses only set to increase year on year. Common threats include SQL injection, cross-site scripting (XSS), and API breaches.
Impact
A single breach can result in financial loss, reputational damage, and even regulatory penalties. For example, Magecart’s attacks on British Airways showcased the devastating impact of compromised third-party integrations, resulting in the flag carrier airline having to pay a £20m data protection fine. [source: The Register]
Trust and Loyalty
Ensuring robust security builds customer trust, enhances brand reputation, and protects critical data like payment information and personal details.
The Rise of API Breaches and the Importance of Secure Third-Party Integrations
APIs (Application Programming Interfaces) are the backbone of modern web applications, enabling integration between systems, other applications, and services. According to Business Wire, a survey in 2022 found that 97% of enterprise business leaders agree that successfully executing an API strategy is essential to secure organisations’ future revenue and growth.
However, their rapid adoption has also made them a prime target for attackers. In 2021, Gartner predicted that APIs would become the top attack vector used to target applications.
Fast forward to 2024 and there have already been some notable breaches:
Peloton API Breach (2021)
Hackers exploited a vulnerability in Peloton’s API that enabled users to make an unauthenticated request for account data to the API without the API first verifying if that user has authorisation to access said data.
The API enables the end users’ bikes to capture and upload data back to Peloton’s servers. Sensitive user data for around 3 million individuals was exposed due to insecure API configurations.
This included personal details such as names, emails, and workout statistics. Peloton’s inadequate authentication and authorisation measures highlighted the critical need for robust API security protocols. [source: Threatpost]
Facebook Data Breach (2021)
An API misconfiguration in Facebook’s (Meta’s) contact importer feature was exploited by malicious actors, exposing the personal data of approximately 533 million users from 106 countries.
Personal data such as phone numbers, full names, and locations were leaked, with the issue originally stemming from scraping public profiles before the vulnerability was patched in 2019. [source: Twingate]
Best Practices for Web Application Security
Penetration Testing
Penetration testing is a cornerstone of application security, especially for retail and e-commerce businesses handling vast amounts sensitive customer data and requiring 24/7 availability online.
While large enterprises like Amazon may have the capacity to conduct internal pen testing, most organisations in this space face cost and resource constraints that make outsourcing these services more practical and effective. Partnering with external cyber security experts provides access to specialised skills, tools, and up-to-date threat intelligence that many internal teams simply can’t maintain.
Moreover, hiring third-party testers eliminates the bias that might come with in-house testing and ensures that vulnerabilities are approached with a fresh perspective. The cost of penetration testing is often outweighed by the potential financial and reputational damage of a breach, particularly in high-stakes industries like retail.
Independent testing not only provides peace of mind but also aligns with compliance requirements and industry best practices, ensuring businesses are well-protected against the ever-evolving threat landscape.
Code Reviews
Code reviews are an essential part of any secure development process, ensuring that security vulnerabilities are caught early in the development lifecycle. This practice involves systematically examining source code to identify flaws, errors, or opportunities for improvement, with a strong focus on maintaining high security standards.
For retail and e-commerce businesses, where customer trust is paramount, code reviews play a vital role in protecting sensitive user data and ensuring seamless functionality. Conducting thorough code reviews:
- Identifies Common Vulnerabilities: Helps uncover issues such as injection flaws, insecure data handling, and authentication weaknesses, which align with risks highlighted in the OWASP Top 10.
- Enhances Collaboration: Encourages teamwork among developers, fostering a culture of accountability and shared responsibility for secure coding practices.
- Reduces Costs: Fixing security vulnerabilities during development is significantly less expensive than addressing them after deployment or following a breach.
Given the fast pace of the e-commerce sector, it may be tempting to bypass code reviews to save time. However, the long-term risks far outweigh the short-term gains. Engaging third-party experts or employing tools like static application security testing (SAST) solutions can streamline this process, providing an additional layer of confidence before your code goes live.
Ultimately, code reviews are more than just a quality check—they are a proactive defence against cyber threats, reinforcing the integrity of your applications from the very foundation.
Open Web Application Security Project
Top 10 Vulnerabilities
OWASP (Open Web Application Security Project) offers a globally recognised framework for understanding the most common and prevalent risks facing open web and mobile applications.
Here’s a snapshot of the OWASP Top 10 vulnerabilities every e-commerce platform must address:
1. Broken Access Control: Unrestricted access to sensitive functionalities or files.
2. Cryptographic Failures: Insufficient cryptographic mechanisms leading to compromise of sensitive data.
3. Injection: Exploiting input fields to manipulate databases or applications (e.g., SQL Injection).
4. Insecure Design: A broad category representing different weaknesses, expressed as “missing or ineffective control design”.
5. Security Misconfiguration: Default settings or unpatched software creating vulnerabilities.
6. Vulnerable and Outdated Components: Relying on outdated libraries and frameworks, or application technologies with known vulnerabilities.
7. Identification and Authentication Failures: Weak authentication and authorisation processes enabling unauthorised access.
8. Software and Data Integrity Failures: Code and infrastructure that does not sufficiently protect against integrity violations
9. Security Logging and Monitoring Failures: Insufficient logging, detection, monitoring, and active response, enabling unnoticed breaches. The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.
10. Server-Side Request Forgery (SSRF): SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). This is increasingly common in modern web applications.
Secure Development Life Cycle (SDLC)
SDLC emphasises embedding security into every stage of the development process, from ideation to deployment. Key steps include:
- Planning: Identify security requirements early.
- Design: Threat modelling to anticipate potential attack vectors.
- Implementation: Use secure coding practices and tools to detect vulnerabilities in real time.
- Testing: Conduct automated and manual tests, including code reviews and penetration testing.
- Deployment: Monitor applications continuously and ensure robust change management.
- Maintenance: Regularly update, patch, and audit systems post-launch.
More information about SDLC practices can be found here.
Tools and Resources for Strengthening Security
- CyberLab Control: Streamline vulnerability management and automate security updates.
- CyberLab Penetration Testing Services: Get peace of mind that your applications and customer data are secure with CREST accredited penetration testing and code reviews.
- OWASP ZAP: Open-source tool for identifying web application vulnerabilities.
- Gartner’s Market Guide for API Protection: This guide can help you understand which specialised products can assist in securing your organisation’s APIs.
- NCSC’s Small Business Guide: Practical steps for protecting your digital storefront.
Application Security is Essential
Application security is not a luxury but a necessity, particularly for retail and e-commerce businesses. However, by leveraging frameworks like OWASP and embedding security into every stage of the Secure Development Lifecycle, online businesses can proactively identify and address vulnerabilities before they become costly breaches.
From securing APIs to conducting regular penetration tests with trusted third-party experts, these measures not only reduce risk but also bolster consumer confidence, a critical asset in an increasingly competitive online market. Prioritising robust cyber security practices ensures your e-commerce platform remains resilient against pervasive online threats, safeguarding your operations, brand, and the trust of your customers.
As you build or launch new applications, it’s important to remember that cyber security isn’t a one-time task but an ongoing commitment. By implementing and maintaining some of the best practices we have covered, you can create a safer digital experience for your users while protecting your business’s reputation and revenue.
Detect. Protect. Support.
Free Posture Assessment
Understand your security risks and how to fix them.
Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.
Claim your free 30-minute guided posture assessment with a CyberLab expert.