Online shopping has set records in 2020 as the ongoing pandemic has rapidly accelerated the growth and adoption of eCommerce. This will make the coming holiday season not only the busiest but also the riskiest ever. That’s because a larger percentage of total annual sales than ever before is likely to depend on your web and mobile applications. Your APIs for pricing and inventory will likely handle more requests than you have ever seen. With this much at stake, making sure you implement rock-solid security is paramount. Here are five suggestions on how to prevent bad actors from grinching your holiday shopping revenues.
Update your WAF with the latest policies
Your Web Application Firewall (WAF) is table stakes for effective security. It blocks inbound requests from known bad hosts and IP subnets. WAFs are your first line of defense against the attack classes catalogued by OWASP, such as cross-site scripting and SQL injection. Your WAF is also only as secure as its policies. Hackers know this and often introduce new IPs and other obfuscation tactics in the run-up to the holiday season. This is why it’s imperative to frequently update WAF policies across your entire public-facing attack surface, including your origin servers and CDN.
Implement a strong Content Security Policy
Lock down your APIs
Attacks on APIs are on the rise as attackers have realized it is both easier and more lucrative to target these access points than to hammer the login pages of web applications. Generally, API attacks rely on bot networks to run massive account takeover (ATO) and carding attacks. API attacks can also be used to scrape content, including images, product descriptions, prices, and inventory. Our research found that more than 75% of login requests to API endpoints on many websites are malicious. As much as 20% of all product page API requests can be malicious. API security is often an afterthought. Many security tools also struggle to defend APIs because bot attacks on APIs are harder to identify: an API request leaves a much smaller digital footprint (no rendered page, no browser telemetry) than an interactive login page does. For the 2020 holiday shopping season, ignoring APIs is no longer an option.
Adopt advanced behavioral analysis tools with machine learning
Attackers continue to improve their tactics, techniques, and procedures. More and more bots are using advanced capabilities to avoid detection; increasingly we see botnets that hijack real users’ browsers to launch attacks. Low-and-slow attacks that use massively distributed botnets avoid volumetric detection by flying under the radar. Fortunately, modern machine learning can combine behavioral analysis with network and client data to spot attack patterns quickly. When advanced behavioral analysis and detection are linked across hundreds or thousands of eCommerce sites, the shared intelligence allows operators to block even attacks that they have never profiled before. These machine learning tools can learn quickly, scale rapidly, and function as an effective first line of defense to block bad requests before they even reach your applications.
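As an added illustration of the API abuse patterns described in the two sections above (it is example code written for this post, not a PerimeterX product or research artifact), the following script runs three simple detections over a constructed API access log: one source cycling through many accounts (credential stuffing against the login endpoint), one account collecting failures from many sources that each stay under a per-IP threshold (the low-and-slow distributed pattern), and bulk pulls from the product endpoint (scraping). The log format, the endpoint paths and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample API access log (time, source IP, path, account, status); invented, not captured.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 /api/login alice 401
10:00:02 203.0.113.5 /api/login bob 401
10:00:03 203.0.113.5 /api/login carol 401
10:00:04 203.0.113.5 /api/login dave 200
10:00:06 198.51.100.1 /api/login alice 200
10:01:10 198.51.100.20 /api/login victim 401
10:07:30 198.51.100.21 /api/login victim 401
10:13:55 198.51.100.22 /api/login victim 401
10:30:00 192.0.2.9 /api/product/1 - 200
10:30:01 192.0.2.9 /api/product/2 - 200
10:30:02 192.0.2.9 /api/product/3 - 200
"""

def parse_log(text):
    """One dict per line; the endpoint keeps only the /api/<name> prefix."""
    rows = []
    for line in text.splitlines():
        ts, ip, path, user, status = line.split()
        rows.append({"ip": ip, "endpoint": "/".join(path.split("/")[:3]),
                     "user": user, "status": int(status)})
    return rows

def find_abuse(records, max_users_per_ip=3, min_ips_per_user=3, max_product_hits=2):
    """Flag credential stuffing, distributed low-and-slow ATO and scraping; thresholds are illustrative."""
    users_by_ip, fails_by_ip, total_by_ip = defaultdict(set), defaultdict(int), defaultdict(int)
    fail_ips_by_user, product_by_ip = defaultdict(set), defaultdict(int)
    for r in records:
        if r["endpoint"] == "/api/login":
            users_by_ip[r["ip"]].add(r["user"])
            total_by_ip[r["ip"]] += 1
            if r["status"] == 401:
                fails_by_ip[r["ip"]] += 1
                fail_ips_by_user[r["user"]].add(r["ip"])
        elif r["endpoint"] == "/api/product":
            product_by_ip[r["ip"]] += 1
    found = {"credential_stuffing": set(), "distributed_ato": set(), "scraping": set()}
    for ip, users in users_by_ip.items():  # one source, many accounts, mostly failures
        if len(users) > max_users_per_ip and fails_by_ip[ip] / total_by_ip[ip] >= 0.75:
            found["credential_stuffing"].add(ip)
    for user, ips in fail_ips_by_user.items():  # every IP stays quiet, one account is hammered
        if len(ips) >= min_ips_per_user:
            found["distributed_ato"].add(user)
    for ip, n in product_by_ip.items():  # bulk catalogue pulls from a single client
        if n > max_product_hits:
            found["scraping"].add(ip)
    return found
```

The per-account view is what catches the distributed case: each of the three victim IPs makes a single attempt and would pass any per-IP rate limit on its own.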
Shoring up your application security to prepare for this huge holiday season will not only protect your coffers from thieves but also help your business in many other ways. Support teams won’t have to spend time helping frustrated customers whose accounts have been hacked. Revenue teams can spend their energies experimenting on improving conversion without worrying about introducing inadvertent security risks. And development teams can rest assured that their hard work sprucing up your website will keep delighting customers and boost your business through the shopping season and into the next year.
RH-ISAC members are encouraged to take advantage of this free Website Risk Assessment tool from PerimeterX.