Omnichannel challenge: Are your applications secure?
INSIGHT ARTICLE |
As middle market retailers move more toward omnichannel technology, mobile apps, web apps and web services have become indispensable. These apps facilitate the link between online, mobile and physical environments to create a seamless retail experience. But in all the excitement over these new capabilities, retailers must take the time for testing and risk assessment to make sure these apps are secure, protecting enterprise and consumer data across platforms.
At RSM, we have seen heightened interest in application development, with several of our clients completely revamping ecommerce and rewards sites to make them function within their omnichannel strategy. To make omnichannel work, these sites collect more data, have more functionality and interact with more external third parties. E-commerce sites handle payment information, while rewards and loyalty apps collect very sensitive data sets, like addresses, birthdays, family member names and email addresses. With omnichannel, there is more data to steal. If processes have not been tested from a security standpoint, there could be new exposure areas unprotected and at risk.
Testing: No time like the present
As retailers integrate new or revamped technology into their businesses, this is the perfect time for security testing, in particular, application security testing. Lately, we’ve seen a substantial increase in the number of clients seeking application security testing, which is a sign that the industry has taken notice of the importance of this step in the development process. Third-party security testing provides an objective, in-depth evaluation of security ﬂaws and whether these ﬂaws could be used to compromise the application or sensitive data. The following are testing options to consider:
- Application vulnerability scan: These largely automated scans provide an overview of the security of the application. This is useful in identifying multiple instances of security ﬂaws and uncovering systemic issues.
- Application penetration test: Through a combination of scans, tools, manual review and user credentials, this test identiﬁes security vulnerabilities, including business logic ﬂaws. By assuming the role of an attacker, this test provides a picture of how a malicious actor could attempt to compromise the application.
- Static analysis: This assessment analyzes an application’s source code using static binary analysis technology to identify speciﬁc bugs which create security ﬂaws in the application.
- Web services: As web services become more prevalent, they become bigger targets. This assessment determines whether web services can be abused by attackers. It captures communication between the web service and applications. By analyzing all service-related traffic, this test can evaluate potential attack vectors.
These assessments focus on the most common application security ﬂaws as identiﬁed by the Open Web Application Security Project, which is comprised of a community of experts who provide the industry standard for application security. Additionally, these tests can be performed at any stage of the development process.
Common security flaws
Based on RSM’s application security assessments, developers need to be cognizant of certain security ﬂaws we are beginning to see more and more. With respect to mobile applications, developers frequently use application programming interface keys for authentication and authorization rather than authenticating and authorizing users based on their individual credentials. However, since the application is published through the app store, this information becomes public and may not be enough to restrict access. Authorization and authentication also tend to be overlooked in web services because developers mistakenly assume that the only way to interact with the application is through the published web application. However, the web services that back the applications are becoming increasingly vital components and present another valid attack surface. That’s why just as much attention should be paid to web services as the applications themselves.
As retailers are developing and testing their applications, they should be sure to address these issues and test the application throughout the development life cycle.
you may also be interested in
Learn how retailers can securely increase relationships with customers via omnichannel while also addressing growing cyber risks.
The age of big data translates to even bigger risk for businesses of all sizes, but middle market companies are particularly vulnerable.