How to Fortify Your Holiday E-commerce AppSec Readiness

eWEEK DATA POINTS: According to Verizon’s 2020 Data Breach Investigations Report, vulnerable web apps are the main cause of retail data breaches, meaning brands would be wise to prioritize the security of their e-commerce apps and software to create a safer online shopping experience for their loyal consumers.


The holiday shopping season is in full swing, which has been, and will continue to be, a much-welcome boon for many brands that have seen closed brick-and-mortar shops, lower consumer traffic and reduced revenues for nearly three quarters due to COVID-19.

With the pandemic still very much a looming presence, e-commerce is the true catalyst for retailer success this holiday season. In fact, Deloitte predicts online spend to rise 25% to 35% year-over-year during this year’s holiday season. However, while this surge presents a valuable and lucrative opportunity for brands, malicious actors view it in much the same way, and are highly motivated to exploit holes in e-commerce platforms for financial gain. As we know all too well, one security misstep can impact revenues, not to mention long-term brand reputation.

According to Verizon’s 2020 Data Breach Investigations Report, vulnerable web apps are the main cause of retail data breaches, meaning brands would be wise to prioritize the security of their e-commerce apps and software to create a safer online shopping experience for their loyal consumers. So how can they go about doing so? 

In this edition of eWEEK Data Points, Stephen Gates, Application Security Evangelist at Checkmarx, outlines five strategies that brands should act on now to shore up their application and software security throughout the holidays and beyond. 

Data Point No. 1: Conduct predictive and consistent security scans 

It’s no secret that retail has been in the midst of a massive digital shift over the past few years, driven by new software, applications and technologies. This has only been heightened by COVID-19. The overnight, mandatory shift to e-commerce has been jarring for many companies. Regardless of how strong brands’ online presences were before the events of this year, they have all been forced to fine-tune how they use web-based purchasing and mobile apps to engage customers and maintain business success.

In order to capitalize on the holiday season and avoid falling victim to hackers, brands must keep security top of mind. For brands deploying new web and mobile applications for buyers, it’s imperative to perform early and regular static application security testing scans during software development. For those with e-commerce applications already in-market, regular security scans must be conducted on a predictive and consistent basis for each new application update while the software is being developed in-house, not after it has been deployed online.

Data Point No. 2: Address open source now or pay later

As brands roll out updates and enhancements to their existing e-commerce applications or deploy new ones in order to maintain a competitive advantage, it’s essential to manage their open-source software risks wherever open-source libraries are in use within their home-grown retail applications. In the event that a vulnerability is discovered in open-source software a retailer is using, it must work quickly to patch that vulnerability or find a more secure option.

Companies are responsible not only for their own security, but also for that of their trusting customers. Since open-source libraries and components are likely in use in many e-commerce applications, software composition analysis is imperative for managing open-source vulnerability risks, license risks and outdated libraries that are no longer maintained by the developer community. It's best to address open-source usage during software development rather than paying fines and penalties for a breach caused by a vulnerable open-source component down the line.

Data Point No. 3: Analyze API risks

Application programming interfaces (APIs) have rapidly become the technological backbone (so to speak) of nearly every application and piece of software. Backend APIs enable technology providers, manufacturers, suppliers, retailers and shippers to communicate and share data with one another, while consumers are unknowingly using APIs themselves when making purchases from mobile apps. As a result of the vast API consumption in e-commerce, the OWASP API Security Top 10 list of risks must be taken to heart by organizations that depend on APIs for their retail operations – which at this point is likely all of them.

By nature, mobile apps using APIs often allow access to an abundance of data that can include personally identifiable information (PII) of customers, since APIs often rely on the mobile apps themselves to filter what is displayed rather than filtering at the endpoint. Because of this, APIs and mobile apps have increasingly become one of the biggest targets for attackers. While API usage can often fly under the radar from a software security perspective, brands must take a microscope to their own API security approaches. At the same time, they must highly scrutinize their API integrations to ensure that third-party providers are employing the same security standards.
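The excessive-data-exposure pattern described above, shown as an added example (not code from the article or from Checkmarx): a profile endpoint that serializes the whole customer record and trusts the mobile app to hide fields, beside one that applies a server-side allow-list, plus a check that can be dropped into API tests. The record, field names and handler functions are constructed for illustration.

```python
"""Added example: server-side filtering of PII in an API response versus
relying on the mobile client to hide fields it was never meant to show."""
import json

# Constructed sample record, as a backend might load it from its database.
CUSTOMER_RECORD = {
    "id": 1042,
    "display_name": "J. Doe",
    "email": "jdoe@example.com",
    "home_address": "1 Example Street",
    "card_last4": "4242",
    "loyalty_points": 310,
}

# Fields the public profile endpoint is intended to expose (constructed).
PUBLIC_PROFILE_FIELDS = frozenset({"id", "display_name", "loyalty_points"})
# PII fields that must never leave the backend on this endpoint (constructed).
PII_FIELDS = frozenset({"email", "home_address", "card_last4"})


def profile_handler_client_filtered(record: dict) -> str:
    """Weak pattern: the full record is serialized and the mobile app is
    trusted to display only the public fields. Anyone calling the API
    directly, without the app, receives every field."""
    return json.dumps(record)


def profile_handler_server_filtered(record: dict) -> str:
    """Hardened pattern: an allow-list is applied before serialization, so
    the response is identical regardless of which client calls the API."""
    return json.dumps({k: v for k, v in record.items() if k in PUBLIC_PROFILE_FIELDS})


def leaked_pii_fields(response_body: str) -> set:
    """Test-side check: return the PII field names present in a JSON response
    body. Suitable as an assertion during functional or API testing so that
    excessive data exposure is caught before deployment."""
    return set(json.loads(response_body)) & PII_FIELDS


if __name__ == "__main__":
    weak = profile_handler_client_filtered(CUSTOMER_RECORD)
    hardened = profile_handler_server_filtered(CUSTOMER_RECORD)
    print("weak handler leaks:", sorted(leaked_pii_fields(weak)))
    print("hardened handler leaks:", sorted(leaked_pii_fields(hardened)))
```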

Data Point No. 4: Ensure developer security awareness and training

Security can no longer rest solely with retailers’ IT departments, much as it also can’t fall solely on software developers or AppSec teams. If security is going to be effective, security awareness and training must become everyone’s responsibility, embedded throughout the organization and championed by the executive team and/or board of directors. With consumer demand skyrocketing as shoppers currently buy almost exclusively through e-commerce channels, secure software development must be part of the bigger equation to preserve their privacy and hard-earned trust.

To improve software security overall, secure coding education for developers is needed more than ever before. Since many of the software vulnerabilities found in e-commerce applications (and elsewhere) stem from repeated coding errors, having real-time, train-while-you-code training modules embedded into the tools developers use daily is a high priority.

Data Point No. 5: Find more vulnerabilities during functional testing

As brands move faster to keep pace with online consumer demand, they’re relying more on web-based applications that enable quick, efficient and secure sales of goods and services. In the past, most brick-and-mortar retailers focused on securing their in-store point-of-sale devices, Wi-Fi networks and internet perimeters. While this remains critical as part of the long-term security strategy, current circumstances require that equal, if not more, attention is shifted to securing online retail applications.

Online retailers already understand that software must go through functional testing to ensure it works as intended for buyers. They can take advantage of that same testing process by adding interactive application security testing, which is designed to find vulnerabilities while applications are being exercised for functionality and running in pre-deployment environments. This enables developers and AppSec teams to discover coding errors that could expose them to attacks and that no other application security testing process would find.

While the tips outlined above are geared toward brands themselves, consumers must remember that they carry equal responsibility when it comes to preserving their privacy and security during the holidays. As they rush to take advantage of lightning and flash sales and secure the hottest gifts of the season, consumers should ensure they’re shopping from trustworthy vendors and through reliable applications, and that they aren’t inadvertently purchasing an item with known, or potential, security flaws.

Before clicking “buy,” they should ask themselves if this is really something they need, and if the convenience advantages for something like an IoT device outweigh the potential privacy disadvantages. 

If you have a suggestion for an eWEEK Data Points article, email [email protected].