Three best practices to secure your website for the coming retail boom
The holidays are upon us, which means retailers are racing to launch new promotions, sales and other temporary web pages in time for what is anticipated to be a record-breaking retail season. Amidst their haste to prepare, some businesses forget—or don’t realize—that there are often a number of critical vulnerabilities in their web applications and servers that go completely unnoticed or unaddressed. In fact, recent research has shown that retail has one of the worst records when it comes to applications failing security checks. This is because web applications are often created quickly, without security in mind. Or even worse, they are created, launched and then forgotten. And if there is one thing we know about applications—they age like milk, not wine.
Our research shows that the average web application contains 11 vulnerabilities, with an average of seven critical vulnerabilities. And every one of those vulnerabilities is a chance for a criminal to breach your company. The last thing a retailer needs right before the holidays is to become yet another victim of cyberattack and negative headline.
Security for Web Applications
To sail smoothly through the holidays, here are three basic hygiene principles that can be used to ensure your business’ web apps are thoroughly safeguarded:
Test Early, Scan Often
The importance of scanning website applications regularly is critical to ensuring web applications aren’t launched with known vulnerabilities. According to CA Veracode’s State of Software Security Report, 60 percent of web applications are scanned less than four times a year, 36 percent of organizations don’t run any kind of static analysis security testing (SAST) and 48 percent of organizations aren’t running any kind of dynamic analysis security testing (DAST). Part of the problem is that so many web servers have vulnerabilities that have not been patched, with 25 percent of those scanned possessing a high or very high severity vulnerability—meaning they could be easily exploited by attackers to compromise websites and potentially steal or compromise consumer data.
Best practice for IT departments is to make sure their web servers are not sending out information that could be valuable to an attacker, such as server version information, for example.
Discovery scans of websites show that organizations have 30 percent to 40 percent more websites than they thought they had. This could include marketing pop-up sites that are left online and forgotten about. These sites often are left online with a redirect instead of being taken down—this is a “messy” practice that can create entry portals for hackers later on.
Shockingly, applications are only scanned twice a year on average. But scanning more frequently during development allows developers to fix on average 48 percent more vulnerabilities versus conducting scans that only give applications an up-or-down on security policy.
Prioritize Remediation Based on Risk
Testing and scanning for vulnerabilities is only half the battle—businesses need to fix the flaws they find. Out of 400,000 application scans that took place over the course of a year, only 18 percent of flaws were closed in less than 30 days, while 49 percent of flaws fixed took more than 90 days to close. Because critical vulnerabilities put your organization at the most risk, companies should fix the most severe vulnerabilities first. Many organizations are wisely doing this already—data shows organizations fix high severity vulnerabilities at twice the overall fix rate.
To prioritize risk, organizations must account for the severity of the flaw in addition to the business value of the application at risk. In addition, not all high-severity flaws are weighted equally—some organizations may choose to prioritize more high- and medium-level vulnerabilities that have more value, or are in more sensitive applications, over very high severity vulnerabilities in less sensitive applications.
Empower Developers with Resources to Make Security Part of Their Process
It’s important that cybersecurity professionals nurture their relationships with the people who are closest to the development process. But this is often deprioritized. According to findings from a survey conducted by CA Veracode and ESG, only 18 percent of development team leaders said security was the most important metric for measuring their team’s performance. And security education and ongoing training is equally neglected, with 68 percent of surveyed developers and IT pros saying their organizations aren’t supplying them with adequate training. This endemic goes all the way back to college—76 percent of respondents reported that they weren’t required to complete any security courses while in school.
However, developers do care about security, and these stats should serve as a reminder to maintain vigilance in helping developers get the tools and reinforcement they need to fix vulnerabilities efficiently. In fact, there is a 19 percent improvement in vulnerability fix rates when employers provide developers with on-demand training courses.
As more cybersecurity threats continue to emerge, having a “clean” app landscape has unmatched long-term benefits and can help ensure customers continue to have trust in your brands.
About the Author / Joe Pelletier
Joe Pelletier is the Director of Product Management for Veracode’s Web Application Security and Runtime Protection product lines. He has worked in application security for over six years, originally helping large enterprise clients implement secure development practices and programs. Joe is a hands-on learner and passionate about building great products and teams. Prior to Veracode, Joe worked in the financial services industry and helped develop portfolio management and investment research platforms. He received his degree in Finance from Bryant University. Follow Joe on Twitter.