Retail & Web Application Security: What Application-Layer Security Threats Are in Store for Retailers
The retail industry is undergoing a transformative period as the “empowered” consumer, driven by technological advances and breakthroughs, changes how retailers market, communicate and sell. Retailers continue to lower the barrier to purchase through a myriad of new technologies, such as mobile apps, social media transactions and AI assistants that converse with consumers, and they use AI to analyze buyer behavior and tailor offers to buyer preferences. Even “traditional” retailers have invested in technologies that track offline and in-store behavior to further reduce the barrier to sale regardless of location.
To achieve such pervasive consumer contact, retail technologies depend upon bot automation. Bots have radically altered how consumers connect with retailers and consumer product companies. In retail, bots are everywhere, from electronic couponing to price aggregators, and from programmatic ad buying to app-to-app communication (chatbots).
To understand how C-level security executives think about meeting these technological challenges while also managing processes and people, Radware surveyed over 600 chief information security officers (CISOs) and other security leaders across six continents. This article provides an overview of the key retail findings from Radware’s web application security report, Web Application Security in a Digitally Connected World.
With the rise of bots comes the security risk of failing to tell bad bots from good ones. The survey shows that bots generate 70% of network traffic, yet fewer than 20% of respondents can distinguish good bots from bad bots with certainty (see Figure 1). Bad bots can wreak significant financial havoc on a retailer: stealing intellectual property via Web scraping, undercutting or stealing pricing, and disrupting inventory management. For example, “sneakerbots” have transcended the sneaker market and now buy out all manner of highly anticipated products before ordinary shoppers can get to them online.
Consumers expect the highest level of security from the sites and stores they shop at, trusting that the retailer will protect their personal and financial data. To earn that trust, and with it customer loyalty, brand reputation and customer satisfaction, retailers must adapt to the accelerated rate of technology change and the growing security risks that come with it. Let us review some of the security issues facing retailers today and see why these respondents currently lack confidence that they can offer the level of security their customers demand and expect.
BOTS AND EMERGING TECHNOLOGIES
As mentioned previously, bots are a key technology issue that respondents take seriously. Among respondents who could distinguish good bots from bad, bad bots most often hit retailers in the form of Web scraping attacks. In fact, 75% of retailers said that Web scraping is a very significant risk to their intellectual property. Radware research indicates that 72% of retailers reported negative consequences from Web scraping attacks, including gathering of pricing information (56%), held inventory (45%), website copying (39%) and inventory depletion (32%) (see Figure 2).
In addition, encrypted Web attacks such as Layer 7 DDoS, along with other attack vectors such as brute force and data breaches, are a growing and major concern to retailers, who may not have the solutions to mitigate the risk. While retail applications and Web servers have experienced brute force (36%) and Layer 7 DDoS (25%) attacks over the past 12 months, only 16% of respondents are confident they could quickly detect one of these attacks and only 21% feel very confident they could quickly mitigate it.
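The scraping and brute-force signals discussed above can be spotted in ordinary web server access logs without any user-agent trust, because a bot can claim any user agent it likes. The following is an added example, not code from Radware or the report: it parses combined-format log lines (the field layout, IP addresses, thresholds and sample traffic are all constructed here for illustration) and flags an IP that fetches many distinct product pages in a short window (scraping) or repeatedly fails to log in (brute force).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format (assumed layout for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Hypothetical product URL scheme; adapt to the site being monitored.
PRODUCT_RE = re.compile(r"^/product/\d+")


def parse_line(line):
    """Parse one combined-format access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_distinct_in_window(events, window_s):
    """events: time-sorted list of (timestamp, key).
    Returns the largest number of distinct keys seen in any sliding window of window_s seconds."""
    best, start = 0, 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > window_s:
            start += 1
        best = max(best, len({k for _, k in events[start:end + 1]}))
    return best


def analyse(lines, window_s=60, scrape_threshold=20, login_fail_threshold=5):
    """Return {ip: {signal: value}} for IPs whose behaviour crosses a threshold.
    Thresholds are illustrative assumptions; tune them against real traffic."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Scraping signal: many distinct product pages fetched within one window.
        pages = [(r["ts"], r["path"]) for r in recs
                 if r["method"] == "GET" and PRODUCT_RE.match(r["path"])]
        # Brute-force signal: repeated failed logins; keyed on index so every attempt counts.
        fails = [(r["ts"], i) for i, r in enumerate(recs)
                 if r["method"] == "POST" and r["path"] == "/login" and r["status"] == 401]
        signals = {}
        n_pages = max_distinct_in_window(pages, window_s)
        if n_pages >= scrape_threshold:
            signals["scraping"] = n_pages
        n_fails = max_distinct_in_window(fails, window_s)
        if n_fails >= login_fail_threshold:
            signals["brute_force"] = n_fails
        if signals:
            findings[ip] = signals
    return findings


# Constructed sample traffic (not real data): a scraper, a credential-guessing bot and one shopper.
BASE = datetime(2018, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/58.0"  # a browser UA proves nothing


def log_line(ip, offset_s, method, path, status, ua=UA):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = (
    [log_line("203.0.113.10", i, "GET", f"/product/{1000 + i}", 200) for i in range(25)]
    + [log_line("198.51.100.7", 3 * i, "POST", "/login", 401) for i in range(6)]
    + [log_line("192.0.2.5", 0, "GET", "/", 200),
       log_line("192.0.2.5", 70, "GET", "/product/1003", 200),
       log_line("192.0.2.5", 180, "POST", "/cart", 302)]
)

if __name__ == "__main__":
    for ip, signals in analyse(SAMPLE_LOG).items():
        print(ip, signals)
```

Rate and enumeration signals of this kind are only a first filter: distributed scrapers spread requests across many IPs, and a "held inventory" bot that adds items to carts looks like a shopper at the HTTP level, so the same windowed counting should also be applied to cart and checkout endpoints per session or account rather than per IP alone.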
CONFIDENCE AND MITIGATING RISK
Insights from the survey on retailers’ confidence in mitigating risk show that they are not fully comfortable that they have the tools, solutions and investment needed to address these issues. Just 32% are confident they could secure sensitive data (e.g., credit card numbers), while over 60% cannot track data shared with third parties once it leaves the corporate network (see Figure 3).
This lack of confidence may stem from the fact that only one in five respondents is fully aware of changes made to in-house applications and APIs within their software development environment. Even though 33% are required to comply with PCI standards, nearly 60% do not inspect the data transferred or returned via APIs, and fewer than 40% analyze API vulnerabilities prior to integration.
Compared with other industries such as healthcare and financial services, surveyed retailers did not respond to industry-wide security breaches with significant investment in security controls: only 33% significantly increased their investments. This is alarming given that over 60% of respondents collect customer data for profiling and personalized marketing; the lack of investment may leave retailers more vulnerable to threats and attacks.
The following statistics from retail respondents show why many of these enterprises may fall victim to application-layer attacks: they lack a comprehensive security framework to identify or mitigate them. Only 25% of retailers state that they fully integrate security into the delivery of Web applications, and only one in three could quickly detect a wide range of threats and attacks. This may explain why retailers around the world have experienced frequent attacks on their applications, leaving them vulnerable to a broad range of threats and placing them at a competitive disadvantage, since shoppers quickly abandon a cart or basket, hurting sales and customer loyalty initiatives.