In today’s world, just about everything starts online. More and more customers research products, prices and stores before leaving their home, so web security is paramount for a retailer.
While companies work hard to ensure a top level of security, research shows that as many as eight in 10 websites have security vulnerabilities at any given point in time. Unfortunately, retail websites are some of the most vulnerable on the web, according to a new report by WhiteHat Security. Many are open to attack, with results ranging from loss of data and malware infection to loss of consumer confidence.
A top provider of website risk management solutions, WhiteHat Security serves many Fortune 1000 retailers using a four-phase Website Risk Management approach that includes asset identification, vulnerability management, reporting and protection.
WhiteHat recently released its 11th annual Website Security Statistics Report, reviewing vulnerabilities in more than 3,000 websites across 400 organizations. It found that the average website has serious vulnerabilities more than nine months of the year. Information leakage (when a website reveals sensitive data like the details of the web application) was found to be the most common vulnerability, followed by cross-site scripting, which allows malicious attackers to inject script into pages viewed by other users.
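To make the cross-site scripting finding concrete, the following Python snippet is an added illustration and not code from WhiteHat or the report. It contrasts a search page that echoes the user's term straight into HTML with one that escapes it for the HTML text and attribute contexts; the search term and the `render_*` function names are constructed for the example.

```python
import html
import re

# Constructed test input: the canonical harmless probe string used to
# show whether a page executes or merely displays user-supplied markup.
SAMPLE_TERM = "<script>alert(1)</script>"


def render_search_page_vulnerable(term: str) -> str:
    """Echoes the user-supplied term unmodified into the page body.

    Any browser that loads this page runs whatever script the term
    contains, which is the cross-site scripting flaw the report counts.
    """
    return f"<p>Results for: {term}</p>"


def render_search_page_hardened(term: str) -> str:
    """Escapes the term for the HTML text context before output.

    html.escape turns <, >, &, and the two quote characters into
    entities, so the browser shows the term as text instead of parsing it.
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_prefill_attribute_hardened(term: str) -> str:
    """Attribute context: the value sits inside double quotes, so quote=True
    is what stops a term from closing the attribute and adding a handler."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


# Crude detector used only to make the difference visible in a check;
# escaping on output, not pattern matching, is the actual control.
_SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def contains_active_script(markup: str) -> bool:
    """True when the rendered markup still carries a live <script> tag."""
    return _SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    print(render_search_page_vulnerable(SAMPLE_TERM))
    print(render_search_page_hardened(SAMPLE_TERM))
    print(render_prefill_attribute_hardened('" onmouseover="x'))
```

The escaping function is chosen per output context: text between tags and quoted attribute values are handled here, while URLs, inline JavaScript and CSS each need their own encoder, which is why template engines that escape by default are the practical fix for a large retail site.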
Jeremiah Grossman, founder and chief technology officer of WhiteHat, says that most websites will contain some faulty code; what is important is how long it takes to identify that threat and fix it.
“Websites are complex things and they tend to have a lot of bugs,” Grossman says. “Over a [one-] year period, eight out of 10 will have a serious issue.”
The report found that heavily regulated industries like banking and healthcare tended to have the lowest vulnerabilities. In contrast, 51 percent of retail websites were found to be “always vulnerable” and another 18 percent were “frequently vulnerable.” Only 11 percent of the sampled retail websites were found to be “rarely vulnerable.”
Aside from information leakage and cross-site scripting, other common vulnerabilities included content spoofing, cross-site request forgery, brute force and insufficient information.
“The majority of websites we looked at were vulnerable to something almost every day of the year,” Grossman says.
The average website had more than 230 serious vulnerabilities at any given time last year. On average, half of the organizations required 116 days or less to remediate their serious vulnerabilities.
Retail was one of the worst offending sectors, showing an average of 404 vulnerabilities with an average exposure of 328 days. When broken down by type of vulnerability, there was a 75 percent chance that a retail site would be subject to some type of cross-site scripting, a 70 percent chance of information leakage and a 53 percent chance of content spoofing.
WhiteHat chief strategy officer Bill Pennington says that security vulnerabilities can be a major challenge for retailers, who are reliant on the confidence and faith of the shoppers who buy items and transmit personal financial information on their sites.
The risks can hurt both retailers and their customers. Pennington says a classic example is when vulnerabilities allow a creative attacker to change the prices of items in customers’ shopping carts. In worst-case scenarios, attackers can gain access to thousands of customers’ personal information, including credit card numbers.
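The price-change scenario Pennington describes usually comes down to a checkout that trusts a price field posted by the browser. The Python below is an added example, not WhiteHat's or any retailer's code, showing a vulnerable total calculation beside a hardened one that recomputes every line from a server-side catalog and flags posted prices that disagree with it; the SKUs, prices and cart contents are constructed for the example.

```python
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed server-side catalog (hypothetical SKUs and prices).
CATALOG: Dict[str, Decimal] = {
    "SKU-1001": Decimal("49.99"),
    "SKU-1002": Decimal("199.00"),
}

# Constructed cart as it might arrive after the posted price was edited
# in transit: the catalog price for SKU-1002 is 199.00, not 0.01.
TAMPERED_CART: List[dict] = [{"sku": "SKU-1002", "qty": 1, "price": "0.01"}]


def checkout_total_vulnerable(cart: List[dict]) -> Decimal:
    """Trusts the price field posted by the client, so whatever the
    request says is what gets charged."""
    return sum(
        (Decimal(str(item["price"])) * item["qty"] for item in cart),
        Decimal("0"),
    )


def checkout_total_hardened(cart: List[dict]) -> Tuple[Decimal, List[str]]:
    """Recomputes every line from CATALOG and ignores any client price.

    Returns (total, alerts). Each alert records a line whose posted price
    differed from the catalog, which is worth logging: a legitimate
    client never sends a wrong price, so a mismatch is a tamper signal.
    """
    total = Decimal("0")
    alerts: List[str] = []
    for item in cart:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        qty = item.get("qty")
        # Reject non-integers, zero/negative quantities (a negative line
        # would credit the buyer) and implausibly large orders.
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0 or qty > 100:
            raise ValueError(f"invalid quantity for {sku}")
        server_price = CATALOG[sku]
        posted = item.get("price")
        if posted is not None and Decimal(str(posted)) != server_price:
            alerts.append(
                f"price mismatch sku={sku} posted={posted} catalog={server_price}"
            )
        total += server_price * qty
    return total, alerts


def hardened_rejects(cart: List[dict]) -> bool:
    """Helper for checks: True when the hardened path refuses the cart."""
    try:
        checkout_total_hardened(cart)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable total:", checkout_total_vulnerable(TAMPERED_CART))
    total, alerts = checkout_total_hardened(TAMPERED_CART)
    print("hardened total:", total)
    for line in alerts:
        print("ALERT", line)
```

The same rule covers discount codes, shipping fees and tax: anything that affects the amount charged is looked up or computed on the server from the item identifier, and the client-supplied copy is used only as an integrity check that feeds fraud monitoring.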
“You need to spot the ways that they can break into your site and steal financial data or transaction data, or get something for free,” he says.
Identifying and remediating threats
If every site has vulnerabilities and no site can be 100 percent safe, finding those vulnerabilities and fixing them quickly is the next best solution. Pennington says that identifying the threats is one of the biggest challenges. WhiteHat’s solution uses a dashboard that runs continuously, identifying vulnerabilities and tracking them until they are fixed.
“The websites that are secure are the ones that fix [vulnerabilities] within days instead of months,” he says.
Grossman says that WhiteHat scrutinizes clients’ sites the way an attacker would, searching for every possible opening.
“We simulate all different kinds of ways a bad guy might be able to exploit a site, hundreds of thousands of different ways customized for each site,” he says. “When we are done we want to make sure that no stone has been unturned.”
WhiteHat offers security through its SaaS-based Sentinel service. Sentinel begins by scanning the site and running all potential positives through WhiteHat’s Threat Research Center, a team of website security experts. It then provides a website assessment, identifying vulnerabilities and prioritizing them by severity, threat and priority. Results are reported and communicated in detail, and protection is offered to block attacks with a web application firewall (WAF) or Sourcefire integration.
“Those devices can basically block any attack coming in, to at least give you breathing room until your desk has time to fix it,” Pennington says. “In some cases, it’s a good enough solution for the problem you are trying to solve.”
Since no two major retailers’ websites are alike, WhiteHat offers a customizable solution — flaws that are spotted in automation are run through “human intelligence” to validate false positives or spot undecipherable problems.
Pennington says WhiteHat clients can see results almost instantly. Websites that previously had no such protection will turn up an alarming number of vulnerabilities. And because the web is ever-changing and attackers are constantly creating new ways to attack sites, ongoing vigilance is what catches new vulnerabilities as they appear.
“We find that our customers are fixing a larger percentage of vulnerabilities over time and at a faster rate,” Grossman says. “Things are getting better and their sites are turning in the right direction.”