Online shopping has set records in 2020 as the ongoing pandemic has rapidly accelerated growth and adoption of eCommerce. This will make the coming holiday season not only the busiest but also the riskiest ever. That’s because a larger percentage of total annual sales than ever before is likely to depend on your web and mobile applications. Your APIs for pricing and inventory will likely entertain more requests than you have ever seen. With this much at stake, making sure you implement rock-solid security is paramount. Here are five suggestions on how to prevent bad actors from grinching your holiday shopping revenues.
Update your WAF with the latest policies
Your Web Application Firewall (WAF) is table stakes for effective security. It blocks inbound requests from known bad hosts and IP subnets. WAFs are your first line of defense against OWASP attacks like cross-site-scripting and SQL injection. Your WAF is also only as secure as its policies. Hackers know this and often introduce new IPs and other obfuscation tactics in the run-up to the holiday season. This is why it’s imperative to frequently update WAF policies across your entire public-facing attack surface, including your origin servers and CDN.
Implement a strong Content Security Policy
Content Security Policy (CSP) is a way to limit what JavaScript code can do on a web application or mobile application using browser components. This is a useful defense against unauthorized content and code injections on the client-side. Because CSP defines an allow list for the web page, they can ensure that code, images, and iframes can only be fetched from specified domains, or that form actions are restricted to certain parameters, to name two capabilities. CSP is widely supported by all major browsers, is difficult to evade, and does not impact performance. CSP is an excellent basic security measure to prevent bad actors from injecting malicious Shadow Code to execute digital skimming attacks.
Inventory and verify all third-party JavaScript running on your applications
A growing number of digital skimming and PII harvesting attacks are caused by compromised third-party JavaScript running on eCommerce sites. As much as 70% of client-side code on web applications is made up of JavaScript written by other parties. Third-party libraries and services simplify application development. Popular use cases delivered by third-party libraries and services include payment, forms, graphics, videos, images, maps, and chatbots. Because these services become trusted parts of a web application, they can observe all activities and even alter pages and forms. For example, chatbots essentially behave as keyloggers on a website. Attackers take advantage of this expanded attack surface and either skim information supplied by customers or alter forms to encourage users to submit unauthorized information. The most widely-known form of third-party attacks are the Magecart gangs that have struck thousands of web and mobile applications. Client-side application security solutions make it easier for security operations and developer operations teams to continuously inventory all third-party code running on their web applications, monitor for open source vulnerabilities, and mitigate attacks in real-time.
Lock down your APIs
Attacks on APIs are on the rise as attackers have realized it is both easier and more lucrative to target these access points rather than hammer log-in pages on web applications. Generally, API attacks rely on bot networks to run massive account takeover (ATO) and carding attacks. API attacks can also be used to scrape content, including images, product descriptions, prices, and inventory. Our research found that more than 75% of login requests to API endpoints on many websites are malicious. As much as 20% of all product page API requests can be malicious. API security is often an afterthought. Many security tools also struggle to defend APIs because bot attacks on APIs are harder to identify due to the limited digital footprint of API requests as compared to an interactive login page. For the 2020 holiday shopping season, ignoring APIs is no longer an option.
Adopt advanced behavioral analysis tools with machine learning
The attackers continue to improve their tactics, techniques, and procedures. More and more bots are using advanced capabilities to avoid detection; increasingly we see botnets that are hijacking actual browsers from real users to launch attacks. Low-and-slow attacks that use massively distributed botnets avoid volumetric detection by flying under the radar. Fortunately, modern machine learning can combine behavioral analysis with network and client data to spot attack patterns quickly. When advanced behavioral analysis and detection is linked across hundreds or thousands of eCommerce sites, then the shared intelligence allows operators to block even attacks that they have never profiled before. These machine learning tools can learn quickly, scale rapidly, and function as an effective first line of defense to block bad requests before they even reach your applications.
Shoring up your application security to prepare for this huge holiday season will not only protect your coffers from thieves but also help your business in many other ways. Support teams won’t have to spend time helping frustrated customers whose accounts have been hacked. Revenue teams can spend their energies experimenting on improving conversion without worrying about introducing inadvertent security risks. And development teams can rest assured that their hard work sprucing up your website will keep delighting customers and boost your business through the shopping season and into the next year.
RH-ISAC members are encouraged to take advantage of this free Website Risk Assessment tool from PerimeterX
