New web application security study found US retailers had a larger attack surface, while EU retailers run more outdated services…


Outpost24, an innovator in identifying and managing cybersecurity exposure, today announced the results of the 2020 Web Application Security for Retail & E-commerce Report, which analysed the web applications of the top 20 retailers in the US and EU. The research shows that exploits targeting web applications remain one of ecommerce's most significant threats. Using an average risk exposure score produced by Outpost24's multi-layered attack surface discovery tool, Scout, the findings revealed that web applications used by US retailers were more at risk, with an aggregated average risk score of 35 (against a maximum score of 42.33), higher than their EU counterparts at 31.

On average, the report found US retailers to be running more publicly exposed web applications (3,357) than EU retailers (2,799). Yet, despite having a smaller attack surface, EU retailers had a higher percentage of applications using old components containing known vulnerabilities (27%) than their American rivals (22%). Nonetheless, all retailers had security risks within their web environments that could expose them, and the customer data they hold, to potential exploitation and compromise.

The list of retailers was chosen based on Deloitte's Global Powers of Retailing Report 2019. Each retailer's public-facing web environment was analysed against the seven most common attack vectors used by hackers during reconnaissance (Security Mechanisms, Page Creation Methods, Degree of Distribution, Authentication, Input Vectors, Active Content and Cookies), each scored 1-100, to ascertain the overall risk score.

Security Mechanisms was the single biggest attack vector for both EU and US retailers, with risk exposure scores of 90.5 and 99 respectively. Retailers serving sites over plain HTTP, and not restricting access to the unencrypted parts of a site that adversaries try to reach, will receive a higher attack surface score in this category. Active Content, which measured how web applications run scripts, was the second most dangerous vector, with both US and EU retailers scoring 88 or more. Third highest was Degree of Distribution, with all retailers scoring above 77.9; this is attributed to the high number of product pages commonly found on large ecommerce sites, which makes securing everything difficult.

Nicolas Renard, Security Analyst at Outpost24, comments: "Hackers are masters of reconnaissance and will go to great lengths to identify weak spots in their target. The rather high risk exposure score among the top retailers is a worrying trend, as bigger attack surfaces create more opportunity for bad actors to find holes in their security defense and execute potential exploits."

Outpost24's Scout tool also examined the components used to develop the web applications and discovered that 90% of EU retailers and 50% of US retailers are currently running outdated jQuery versions on their applications, which could expose them to common cross-site scripting attacks. Furthermore, the top retailers were found to be using a variety of outdated servers to run their applications, making their shared hosting environments vulnerable to unauthorized access through exploitation of known vulnerabilities.

Stephane Konarkowski, Security Analyst at Outpost24, said: "How the web application is built and developed is a key risk indicator if you know where to look. Our research shows the complexity of modern-day applications and the need for retail organizations to understand their attack surface and risk levels. To avoid data breach and the loss of customer trust and revenue, retailers must address security hygiene as an essential step to protect their web applications and ensure the attack surface is kept at a minimum through continuous assessment."
