Cybersecurity is no longer the sole domain of ethical hackers and government agencies. If you conduct any type of commerce online, work in web development, or are simply a day trader, it should be foremost in your mind.
Threats trend up and down with regularity. Ransomware attacks have decreased, but cryptojacking is up, for example.
One thing remains consistent: hackers are usually one step ahead, and few of them are ever brought to justice.
The first steps in protecting business websites and apps are awareness of the threats and knowledge about how to proactively defend customer data.
How At-Risk is Your Website?
Although statistics show that the majority of business owners and app developers feel they’ve achieved the level of security necessary to fend off a cyber exploit, fewer than half have done anything concrete to protect their platforms.
The 5 sectors most targeted by hackers are:
- Financial services
- Government agencies
- Educational institutions
It isn’t only large enterprises that get hacked, either. Nearly half of all attacks are against SMBs, who are less likely to have the budget, infrastructure, and in-house expertise to secure their networks.
Even more alarming are the cyber-crime statistics regarding apps, which are the primary user platform for investments and banking. One study found that 97 percent of financial mobile apps contained exposed source code and other vulnerabilities.
That means it’s essential to proactively protect investment and trading platforms, whose infrastructure and databases are easy targets for exploitation.
It’s proven that cyber crime has a direct effect on eCommerce technologies. How can developers use this information to build secure platforms?
Practice Security by Design
Too often, website and app security are implemented after the fact rather than built into the design. Security by Design (SbD) is a mindset that shifts the previous paradigm to one that assumes your software and infrastructure will be attacked.
Security by design involves five phases of the software development life cycle:
* Requirement analysis: Pay special attention to how users will interact with the app or platform, as well as how it will interact with the environment. Vulnerabilities overlooked at this stage will be compounded later in the production process.
* Design: Most security flaws are introduced or discovered later, during the implementation phase. However, flaws overlooked at the design stage are the most costly and difficult to undo.
At the system level, work to reduce the attack surface and gain insight into how threats affect design choices and vice versa. At the component level, examine how each module and bit of code can be produced and inserted with security in mind.
* Implementation: While coding is rarely straightforward, and the list of considerations seems to grow by the day, there are still standard best practices that will minimize the odds of overlooking issues and creating poorly conceived apps.
– Practice proper error handling
– Avoid dangerous or lazy code constructs
– Implement solid input validation and encryption standards
– Ensure secure communications at all levels
* Testing and deployment: Testing must be more intense and focus not just on separate components, but on the user/software operating environment. That means not only considering OS, network configuration, and setup, but also logging and system monitoring.
* Maintenance: Maintenance goes beyond creating patches and releasing updates to include:
– Understanding current app security infrastructure
– Creating and maintaining proper documentation that matches each and every
– Auditing proposed changes and their possible effect on overall stability and
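As an added example (not code from the original article), here are two of the Implementation-phase practices listed above, strict input validation and proper error handling, applied to an order request on a trading platform. The field names, limits and the `place_order` callback are assumptions made for illustration.

```python
import logging
import re
import uuid
from decimal import Decimal, InvalidOperation

log = logging.getLogger("orders")
SYMBOL_RE = re.compile(r"[A-Z]{1,5}")            # allow-list pattern (assumed ticker format)
FIELDS = {"symbol", "quantity", "limit_price"}   # hypothetical request schema
MAX_QTY, MAX_PRICE = 10_000, Decimal("1000000")  # assumed business limits

class ValidationError(ValueError):
    """Message is safe to return to the client."""

def validate_order(payload):
    if not isinstance(payload, dict) or set(payload) != FIELDS:
        raise ValidationError("unexpected or missing fields")
    symbol, qty, raw = payload["symbol"], payload["quantity"], payload["limit_price"]
    if not isinstance(symbol, str) or not SYMBOL_RE.fullmatch(symbol):
        raise ValidationError("invalid symbol")
    # bool is a subclass of int, so True would otherwise pass as quantity 1
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise ValidationError("invalid quantity")
    if not isinstance(raw, str):  # prices arrive as strings, never floats
        raise ValidationError("invalid limit_price")
    try:
        price = Decimal(raw)
    except InvalidOperation:
        raise ValidationError("invalid limit_price") from None
    # Decimal accepts "NaN" and "Infinity"; reject them before comparing
    if not price.is_finite() or not 0 < price <= MAX_PRICE:
        raise ValidationError("invalid limit_price")
    if price.as_tuple().exponent < -2:  # more than two decimal places
        raise ValidationError("invalid limit_price")
    return {"symbol": symbol, "quantity": qty, "limit_price": price}

def handle_order(payload, place_order):
    """Return (status, body); place_order is a hypothetical backend callback."""
    try:
        order = validate_order(payload)
        return 200, {"order_id": place_order(order)}
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except Exception:
        # Full detail goes to the server log; the client gets only a reference.
        ref = uuid.uuid4().hex
        log.exception("order failed ref=%s", ref)
        return 500, {"error": "internal error", "ref": ref}
```
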
For further reading, the IOSR Journal of Computer Engineering (IOSR-JCE) produced an excellent paper on design and implementation of secured eCommerce systems. It’s a 10-minute read with lots of good information.
Test and Test Again
The importance of comprehensive system/app assessment and testing cannot be overstated. This should involve a multi-faceted approach that includes:
* Vulnerability assessments to identify, evaluate, and prioritize flaws inherent in the system
* Risk assessment to uncover and prioritize risks while performing various activities. This is more granular and focused than a general systematic vulnerability assessment.
* Pen testing to uncover and fix any vulnerabilities from outside exploitation.
Put Up as Many Barriers as Possible
Aside from political hacktivists and those just in it for the lulz, most hackers are looking to make a buck. They want networks that are easy to exploit through human complacency rather than a challenge.
While firewalls or other barriers alone won’t deter many cyber criminals, putting up multiple barriers increases the risk of detection and makes the effort less appealing than the possible reward. In fact, 68 percent of black hat hackers surveyed say the biggest barriers to network and account penetration are encryption and multi-factor authentication.
Build for Compliance
There are several standards for data and security compliance, and government agencies are becoming increasingly involved in the name of consumer protection. The two main standards for eCommerce and business in general are the Payment Card Industry Data Security Standard (PCI DSS), which oversees standards for online credit card transactions and data transmission/storage, and the International Organization for Standardization (ISO).
Developers should pay special attention to ISO/IEC standard 27001:2013, which governs data security. Designing with compliance in mind will help your clients avoid issues down the line.
One note of caution to those looking to bootstrap ecommerce businesses: shared server solutions have become an increasingly large target for malicious third parties using either manual or automated attacks. A 2020 report by Hosting Data tracked uptime on discount shared hosting solutions and found that over 1/6th of all downtime was due to DDoS attacks or automated brute force attacks. Platforms like Shopify and WordPress have done little to stop unvetted 3rd party vendors from including malware in free-to-use products. If compliance is what you’re after, using only audited enterprise software products for ecom startups provides much more security.
The Growing Threat of Online Gaming Hacking
Since early 2014 there has been a growing trend of hacks and malicious phishing against players across multiple ongoing gaming networks. Due to the ability of players to use digital currencies and other forms of cryptocurrency, these targets have become increasingly common.
Attack vectors often include DNS hijacking, EDR attacks and phishing attempts to gain access to player wallets. The same issues highlighted for ecommerce also become apparent when companies are using multiple services in a patchwork system of security.
Whatever type of eCommerce platform you develop, safeguarding business finance platforms is an important component. Hackers will go first after low-hanging fruit, but that doesn’t mean you should become complacent because you do the bare minimum in terms of cybersecurity.
Today’s exploits are more sophisticated, and the attack surface has increased exponentially with the rise of mobile apps, day trading, and decentralized networks. Every barrier you put between your clients and cyber-criminals will protect your reputation and keep them from becoming just another statistic.