As middle market retailers move toward a robust channel mix, the technology needed to enable mobile apps, web apps and web services has become indispensable. These apps link the online, mobile and physical environments to create a seamless omnichannel retail experience. However, amid the excitement over these new capabilities, retailers must take the time for testing and risk assessment to make sure these apps are secure.
We see many clients completely revamping e-commerce and rewards sites to make them function within their new retail strategy. These sites collect more data, have more functionality and interact with several external third parties. E-commerce sites handle payment information, while rewards and loyalty apps collect very sensitive data sets, like addresses, birthdays, family member names and email addresses. There is simply more data to steal. If these processes have not been tested from a security standpoint, new areas of exposure may be left unprotected and at risk.
Testing: No time like the present
As retailers integrate new or revamped technology into their businesses, this is the perfect time for security testing, in particular, application security testing. We’ve seen a substantial increase in the number of clients seeking application security testing, which is a sign that the industry has taken notice of the importance of this step in the development process. Third-party security testing provides an objective, in-depth evaluation of security flaws and whether these flaws could be used to compromise the application or sensitive data.
The following are testing options to consider:
- Application vulnerability scan: These largely automated scans provide an overview of the security of the application. This is useful in identifying multiple instances of security flaws and uncovering systemic issues.
- Application penetration test: Through a combination of scans, tools, manual review and user credentials, these tests identify security vulnerabilities, including business logic flaws. By assuming the role of an attacker, this test provides a picture of how a malicious actor could attempt to compromise the application.
- Static analysis: This assessment analyzes an application’s source code using static binary analysis technology to identify specific bugs that create security flaws in the application.
- Web services: As web services become more prevalent, they become bigger targets. This assessment determines whether web services can be abused by attackers. It captures communication between the web service and applications. By analyzing all service-related traffic, this test can evaluate potential attack vectors.
These assessments focus on the most common application security flaws as identified by the Open Web Application Security Project, a community of experts that sets the industry standard for application security. Additionally, these tests can be performed at any stage of the development process.
Common security flaws
Based on RSM’s application security assessments, developers need to be cognizant of certain security flaws we are seeing more and more often. With respect to mobile applications, developers frequently use application programming interface keys for authentication and authorization rather than authenticating and authorizing users based on their individual credentials. However, because the application is distributed through the app store, keys embedded in it are effectively public and are not sufficient on their own to restrict access. Authorization and authentication also tend to be overlooked in web services because developers mistakenly assume that the only way to interact with the application is through the published web application. However, the web services that back the applications are becoming increasingly vital components and present another valid attack surface. That’s why just as much attention should be paid to web services as to the applications themselves.
Misconfiguration of web services can be a big problem. Normally, web browsers will only allow JavaScript to initiate requests to the same domain it was initially served from. This prevents malicious sites from issuing requests to other sites and automatically using a valid user’s session at the target site. However, if a web app is using a web service, that web service may be hosted at a different domain or subdomain, so the app must inform browsers that JavaScript from specific domains is allowed to submit requests. Problems arise when a web service is misconfigured to accept requests from any domain, which exposes the app to attack.
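As an added example (not code from the RSM article), the following Node.js-style origin check shows the misconfiguration this paragraph describes beside a hardened allowlist version of the browser mechanism involved, Cross-Origin Resource Sharing (CORS). The origins shop.example.com and rewards.example.com and the sample requests are constructed placeholders.

```javascript
// Added example, not from the article: how a web service should decide whether
// browser JavaScript from another origin may call it (the CORS mechanism the
// text describes). All origins below are constructed placeholders.

// Misconfigured variant: echoes whatever Origin the browser sent and allows
// credentials, so any site can have a logged-in visitor's browser call the
// service with that visitor's session cookies and read the response.
function permissiveCors(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened variant: grant only exact full-origin matches (scheme, host and
// port) from a fixed allowlist; otherwise send no CORS headers, so the
// browser refuses to expose the response to the calling page.
const ALLOWED_ORIGINS = new Set([
  'https://shop.example.com',    // constructed: the retailer's web app
  'https://rewards.example.com', // constructed: the loyalty app
]);

function strictCors(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  // Same-origin and non-browser requests carry no Origin header.
  if (typeof requestOrigin !== 'string') return null;
  // Exact membership defeats prefix/suffix tricks such as
  // "https://shop.example.com.attacker.test" or a wrong scheme/port.
  if (!allowlist.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // responses differ per Origin; keep caches honest
  };
}

// Constructed sample Origin headers a service might receive.
const SAMPLE_ORIGINS = [
  'https://shop.example.com',               // legitimate front end
  'http://shop.example.com',                // wrong scheme
  'https://shop.example.com.attacker.test', // look-alike host
  undefined,                                // same-origin call
];

for (const origin of SAMPLE_ORIGINS) {
  console.log(String(origin), '| permissive:', permissiveCors(origin),
              '| strict:', strictCors(origin));
}
```

Running it shows the permissive variant handing every sample origin a matching allow header, while the strict variant grants only the exact allowlisted origin.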
As retailers are developing and testing their applications, they should be sure to address these issues and test the application throughout the development life cycle.