Application security

Post-Thanksgiving ecommerce indigestion: Web app security issues beckon

With the holiday online shopping blitz just days away, a study examining how online merchants handle customer personal and financial data suggests shoppers need to add a dollop of caution to their shopping list.

An examination of web application security practices by online retailers revealed a mix of privacy red flags for Black Friday and Cyber Monday online shoppers.

An application security study released this week found that personally identifiable information (PII) is often needlessly stored inside the ecommerce applications used to process customer payments. The study, by CyCognito, also identified other privacy and security concerns, such as misconfigured or unpatched ecommerce-related applications.

While those issues should be a concern year round, the uptick in holiday shopping amplifies them, the researchers assert. The National Retail Foundation and Adobe Analytics found that on Cyber Monday 2022 alone, more than 77 million people spent upwards of $11 billion.

Here are some findings from the study:

  • Too many sites lack best practices: 2% of ecommerce web apps still lack HTTPS. With more than 26 million ecommerce stores worldwide, this figure could translate to 520,000 sites. And 78% of all ecommerce web apps fail to ask users to consent to cookies, creating a potential compliance headache for the organization.
  • Web application firewalls (WAFs) are missing in action: Over a quarter (28%) of ecommerce web apps lack a WAF, and one in four (24%) ecommerce web apps that collect PII are missing a WAF.
  • Critical security issues abound: 2% of ecommerce web apps have at least one critical security issue. Half of those web apps contain PII. Over three-quarters (76%) of the critical issues found in ecommerce web apps are also easily exploitable.
  • OWASP issues: 7% of all ecommerce web apps under monitoring have at least one issue from the OWASP Top Ten list.

“The research clearly underscored how traditional cybersecurity approaches—and their respective technologies—continue to leave bigger and bigger gaps in a company's attack surface,” said Rob Gurzeev, chief executive officer at CyCognito. “It also shows that organizations are not testing enough. In fact, even organizations that invest hundreds of millions a year in security solutions have application testing coverage of less than 5%.”

The lack of HTTPS adoption in 2% of apps is particularly alarming as it’s such a fundamental security best practice for protecting data in transit, said Georgia Weidman, security architect at Zimperium. Weidman said if a developer cannot be bothered with these kinds of foundational security measures, it’s hard to believe that they have made any real investments in the security and privacy of their users.

Weidman also found that the discovery of other critical security issues in 2% of apps, with a significant portion easily exploitable, was cause for concern.

“Testing against known exploits is industry standard practice and, again, failing to have done so, implies a lack of diligence on the part of the developer/vendor,” said Weidman. “Finally, 7% having at least one issue from the OWASP Top Ten list further indicates a lack of adherence to well-known security best practices.”

Nick Rago, Field CTO at Salt Security, added that the CyCognito findings show just how immature most organizations still are when it comes to posture governance. Rago said much of the world has rushed to embrace the benefits of modernization and microservices, but has not embedded proper security posture controls in its life cycles, or has not even documented corporate security posture standards.

“The harsh reality is that for many organizations, application security posture takes a back seat to the need to develop and deploy in time for the holiday shopping season,” said Rago. “A good, well thought out posture governance program assures that all stakeholders, from developers, to architects, to DevSecOps, are aware and in sync with regulatory compliance, best practices, and corporate standards as business critical applications make their way through their lifecycle.”

Cybercriminals may take advantage of the urgency around Cyber Monday, but the vulnerabilities across ecommerce sites leave consumers and businesses at risk year-round, pointed out Emily Phelps, Director at Cyware. Phelps said that although many financially motivated adversaries seek the path of least resistance, focusing on organizations that have security gaps, the surge in AI tool accessibility means all organizations must become hyper-vigilant to safeguard their business and their customers.

“Continuous monitoring and detection capabilities are table stakes,” Phelps said. “Threat intelligence should also be prioritized to ensure ecommerce organizations are aware of the latest threats and can proactively take action to safeguard against them.”
