Protecting Online Holiday Shopping this Season – CSO Online
With the holiday shopping season settling in, e-commerce growth has continued to skyrocket. In November, the U.S. Department of Commerce reported an almost 37% increase in quarterly retail e-commerce sales compared to the previous year. However, with growth come challenges, including a concurrent spike in cyberattacks on e-commerce web infrastructure as more and more consumers flock to these websites. In fact, since the beginning of September, Fortinet’s FortiGuard Labs global threat intelligence and research team has observed a steady, consistent wave of attempted attacks targeting e-commerce. A month later, the team saw over a billion different attempts, almost a 140% increase. Those responsible for protecting their customers’ data should operate with two key responsibilities in mind: delivering dynamic and engaging shopping experiences to their customers, and securing the web applications that deliver that experience.
Securing Your APIs
Web applications expose APIs to the outside world to allow customers to purchase using mobile applications and to create more engaging user experiences, but they also create a new attack surface. Defend that attack surface by implementing some core best practices for your APIs. The API should only provide access to the data required for the specific use case, to prevent abuse. Rate limits should be imposed to prevent abuse of the API for bulk data harvesting. The server, not the client, should do the heavy lifting, and only well-vetted authentication and encryption protocols should be used. Rigorous coding standards and practices, such as avoiding the issues outlined in the OWASP API Security Top 10, should be followed. But what if you’re not the developer, and your responsibility is securing the deployment of an application?
While your DevOps team is likely the most well versed in the web application, they may not be the best place to implement security controls for your API. Application developers are typically evaluated on feature delivery, uptime, and other metrics. Ideally, security is somewhere on their list, but in practice, consistently making security a top priority is a challenge, especially when a DevOps team may not have extensive cybersecurity skills. While some development teams do focus on application security, differing security approaches across multiple application teams can complicate the learning process and limit visibility for your security team. Without a clear view of security events across all of your web applications, you are exposing your applications — and your organization — to unnecessary and serious risk. Deploying security controls external to the application is critical to give you the clarity and control you need to secure your applications.
Protecting Organizations From Online Shopping Threats
Web Application Firewalls (WAFs) have been the most commonly deployed method of protecting applications from common threats like SQL injection attacks and cross-site scripting. However, the attack surface for web applications evolves rapidly, and WAF solutions are struggling to keep up. Organizations need to extend the WAF concept to encompass Web Application and API Protection (WAAP). Using an advanced, multi-layer approach is crucial in keeping up with cyber attackers and protecting against new and old vulnerabilities.
An API security solution needs to support the following basic API gateway capabilities:
- Protection against automated attacks, including rate limiting to prevent abuse of your API for either credential abuse or bulk data harvesting
- The ability to manage API keys that can enable access to specific APIs for your trusted business partners
- The ability to implement a positive security model, validating users’ input against the developer’s own definitions, in OpenAPI or other formats
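The two gateway controls above that are easiest to show in code are the positive security model and rate limiting, which also cover the "least data, rate limits, server does the validation" practices from the API best-practices paragraph earlier. The following is an added example, not code from the article or from FortiWeb: a constructed, simplified OpenAPI-style schema for one endpoint, a validator that rejects any field, type or bound the schema does not declare, and a token-bucket limiter keyed by API key.

```python
import time

# Constructed, simplified OpenAPI-style schema for one endpoint's JSON body.
# Positive model: only declared fields, of declared type and bounds, pass.
ORDER_SCHEMA = {
    "required": ["sku", "quantity"],
    "properties": {
        "sku": {"type": "string", "maxLength": 16},
        "quantity": {"type": "integer", "minimum": 1, "maximum": 50},
        "gift": {"type": "boolean"},
    },
}
PY_TYPES = {"string": str, "integer": int, "boolean": bool}

def validate(body, schema=ORDER_SCHEMA):
    """Return a list of violations; an empty list means the request is accepted."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    props, errors = schema["properties"], []
    for name in schema["required"]:
        if name not in body:
            errors.append(f"{name}: missing required field")
    for name, value in body.items():
        if name not in props:                      # anything undeclared is rejected
            errors.append(f"{name}: undeclared field")
            continue
        spec, expected = props[name], PY_TYPES[props[name]["type"]]
        # bool is a subclass of int in Python, so exclude it from "integer"
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            errors.append(f"{name}: expected {spec['type']}")
        elif expected is str and len(value) > spec.get("maxLength", len(value)):
            errors.append(f"{name}: longer than {spec['maxLength']}")
        elif expected is int and not spec.get("minimum", value) <= value <= spec.get("maximum", value):
            errors.append(f"{name}: out of range")
    return errors

class RateLimiter:
    """Token bucket per API key: `rate` requests/second, bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}
    def allow(self, api_key, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self.buckets.get(api_key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last call
        allowed = tokens >= 1
        self.buckets[api_key] = (tokens - 1 if allowed else tokens, now)
        return allowed
```

A gateway would run `validate` on the parsed body and `allow` on the caller's API key before forwarding anything to the application, so malformed or excessive traffic never reaches the backend.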
A modern WAF solution that incorporates these key API security controls can simplify deploying and maintaining the APIs that underpin the e-commerce applications your customers rely on.
Fortinet’s WAF Solution: FortiWeb
If your API has already been deployed and has no security solution in place, it is not too late to implement one. A solution like FortiWeb Cloud can be deployed and managed within minutes. FortiWeb’s WAF solution provides advanced security features to defend your web applications and APIs from new, old, and unknown threats. Protections for each application are customized through FortiWeb machine learning (ML), removing the time-consuming process of manual policy tuning. With ML, FortiWeb identifies anomalies and examines them to distinguish between benign and malicious ones. Deployment options include hardware appliances, virtual machines, data center containers, and a cloud-native SaaS offering to protect business applications.
Securing your web applications and APIs is most efficiently done by restricting API resources and implementing a multi-layer WAAP approach. The holiday shopping season is already an attractive target for cybercriminals, so a dedicated approach to web security is necessary.
Explore how FortiWeb Cloud can secure your APIs with a free trial available through AWS, Azure, and Google Marketplaces.
Published at Fri, 18 Dec 2020 15:46:00 +0000