
Omnichannel challenge: Are your applications secure?

INSIGHT ARTICLE

As middle market retailers move more toward omnichannel technology, mobile apps, web apps and web services have become indispensable. These apps facilitate the link between online, mobile and physical environments to create a seamless retail experience. But in all the excitement over these new capabilities, retailers must take the time for testing and risk assessment to make sure these apps are secure, protecting enterprise and consumer data across platforms.

At RSM, we have seen heightened interest in application development, with several of our clients completely revamping ecommerce and rewards sites to make them function within their omnichannel strategy. To make omnichannel work, these sites collect more data, have more functionality and interact with more external third parties. E-commerce sites handle payment information, while rewards and loyalty apps collect very sensitive data sets, such as addresses, birthdays, family member names and email addresses. With omnichannel, there is more data to steal. If these processes have not been tested from a security standpoint, there may be new, unprotected areas of exposure that are at risk.

Testing: No time like the present

As retailers integrate new or revamped technology into their businesses, this is the perfect time for security testing, in particular, application security testing. Lately, we’ve seen a substantial increase in the number of clients seeking application security testing, which is a sign that the industry has taken notice of the importance of this step in the development process. Third-party security testing provides an objective, in-depth evaluation of security flaws and whether these flaws could be used to compromise the application or sensitive data. The following are testing options to consider:

  • Application vulnerability scan: These largely automated scans provide an overview of the security of the application. This is useful in identifying multiple instances of security flaws and uncovering systemic issues.
  • Application penetration test: Through a combination of scans, tools, manual review and user credentials, this test identifies security vulnerabilities, including business logic flaws. By assuming the role of an attacker, this test provides a picture of how a malicious actor could attempt to compromise the application.
  • Static analysis: This assessment analyzes an application’s source code using static binary analysis technology to identify specific bugs which create security flaws in the application.
  • Web services: As web services become more prevalent, they become bigger targets. This assessment determines whether web services can be abused by attackers. It captures communication between the web service and applications. By analyzing all service-related traffic, this test can evaluate potential attack vectors.

These assessments focus on the most common application security flaws as identified by the Open Web Application Security Project, a community of experts that provides the industry standard for application security. Additionally, these tests can be performed at any stage of the development process.

Common security flaws

Based on RSM’s application security assessments, developers need to be cognizant of certain security flaws that we are seeing more and more often. In mobile applications, developers frequently use application programming interface keys for authentication and authorization rather than authenticating and authorizing users based on their individual credentials. However, because the application is published through an app store, any key embedded in it is effectively public and may not be enough to restrict access. Authorization and authentication also tend to be overlooked in web services, because developers mistakenly assume that the only way to interact with the application is through the published web application. However, the web services that back these applications are increasingly vital components and present another valid attack surface, so they deserve just as much attention as the applications themselves.

Misconfiguration of web services can be a big problem. Normally, web browsers only allow JavaScript to initiate requests to the same domain from which it was served. This prevents a malicious site from issuing requests to other sites and silently reusing a valid user’s session at the target site. However, if a web app uses a web service, that service may be hosted at a different domain or subdomain, so the service must tell browsers which specific domains’ JavaScript is allowed to submit requests to it. Problems arise when a web service is misconfigured to allow requests from any domain, which exposes the app to possible attack.
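As an added illustration (not code from the RSM article), the JavaScript below shows the allow-list behaviour a web service should use when answering a browser's Origin header, alongside a small check that flags the "any domain" misconfiguration described above. The domain names are constructed placeholders, and the allow-list is an assumed configuration value.

```javascript
// Added example, not from the original article. Origins below are constructed.

// Assumed configuration: the front-end origins permitted to call this web service.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example-retailer.test",
  "https://rewards.example-retailer.test",
]);

// Correct behaviour: echo the request's Origin only when it is on the allow-list,
// and send Vary: Origin so a shared cache never hands one origin's headers to another.
// Returns null for any other origin; the browser then blocks the cross-origin read,
// which is the safe default the article describes.
function corsHeadersFor(origin, allowList = ALLOWED_ORIGINS) {
  if (!origin || !allowList.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Review check: given the headers a service actually returned for a request that
// carried `requestOrigin`, describe why the configuration is unsafe, or return null.
// Two patterns matter: a wildcard (any site may read non-credentialed responses),
// and blind reflection of whatever Origin arrived, which is "any domain" in disguise
// and, combined with credentials, lets another site act with the user's session.
function corsMisconfiguration(responseHeaders, requestOrigin, allowList = ALLOWED_ORIGINS) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const creds = responseHeaders["Access-Control-Allow-Credentials"] === "true";
  if (acao === undefined) return null; // no CORS headers: browser blocks cross-origin reads
  if (acao === "*") return "wildcard origin";
  if (acao === requestOrigin && !allowList.has(requestOrigin)) {
    return "reflects arbitrary Origin" + (creds ? " with credentials" : "");
  }
  return null;
}
```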

As retailers are developing and testing their applications, they should be sure to address these issues and test the application throughout the development life cycle.

