As middle market retailers move toward a robust channel mix, the technology needed to enable mobile apps, web apps and web services has become indispensable. These apps link online, mobile and physical environments to create a seamless omnichannel retail experience. However, in all the excitement over these new capabilities, retailers must take the time for testing and risk assessment to make sure these apps are secure.
We see many clients completely revamping e-commerce and rewards sites to make them function within their new retail strategy. These sites collect more data, have more functionality and interact with several external third parties. E-commerce sites handle payment information, while rewards and loyalty apps collect very sensitive data sets, such as addresses, birthdays, family member names and email addresses. There is simply more data to steal. If processes have not been tested from a security standpoint, new exposure areas may be left unprotected and at risk.
Testing: No time like the present
As retailers integrate new or revamped technology into their businesses, this is the perfect time for security testing, in particular application security testing. We’ve seen a substantial increase in the number of clients seeking application security testing, which is a sign that the industry has taken notice of the importance of this step in the development process. Third-party security testing provides an objective, in-depth evaluation of security flaws and whether these flaws could be used to compromise the application or sensitive data.
The following are testing options to consider:
- Application vulnerability scan: These largely automated scans provide an overview of the security of the application. This is useful in identifying multiple instances of security flaws and uncovering systemic issues.
- Application penetration test: Through a combination of scans, tools, manual review and user credentials, these tests identify security vulnerabilities, including business logic flaws. By assuming the role of an attacker, this test provides a picture of how a malicious actor could attempt to compromise the application.
- Static analysis: This assessment analyzes an application’s source code using static binary analysis technology to identify specific bugs that create security flaws in the application.
- Web services: As web services become more prevalent, they become bigger targets. This assessment determines whether web services can be abused by attackers. It captures communication between the web service and applications. By analyzing all service-related traffic, this test can evaluate potential attack vectors.
These assessments focus on the most common application security flaws as identified by the Open Web Application Security Project (OWASP), a community of experts who provide the industry standard for application security. Additionally, these tests can be performed at any stage of the development process.
Common security flaws
Based on RSM’s application security assessments, developers need to be cognizant of certain security flaws we are seeing more and more often. With respect to mobile applications, developers frequently use application programming interface (API) keys for authentication and authorization rather than authenticating and authorizing users based on their individual credentials. However, because the application is published through the app store, the key is effectively public and may not be enough to restrict access. Authorization and authentication also tend to be overlooked in web services, because developers mistakenly assume that the only way to interact with the application is through the published web application. However, the web services that back the applications are increasingly vital components and present another valid attack surface, so they deserve just as much attention as the applications themselves.
As retailers are developing and testing their applications, they should be sure to address these issues and test the application throughout the development life cycle.