Outpost24, an innovator in identifying and managing cybersecurity exposure, has announced the results of the ‘2020 Web Application Security for Retail & E-commerce Report’, which analysed the web applications of the top 20 retailers in the US and EU. Research shows exploits targeted at web applications remain one of e-commerce’s most significant threats. Using an average risk exposure score based on Outpost24’s multi-layered attack surface discovery tool, Scout, the findings revealed that web applications used by US retailers were more at risk with an aggregated average risk score of 35 against a maximum score of 42.33, which was higher than their EU counterparts at 31.
On average, the report found US retailers to be running more publicly exposed web applications (3,357) compared to EU retailers, which ran fewer applications (2,799). Yet, despite having a smaller attack surface, EU retailers had a higher percentage of applications using old components that contained vulnerabilities (27%) as opposed to their American rivals (22%). Nonetheless, all retailers had security risks within their web environments that could expose them and their customer data they hold to potential exploitation and compromise.
The list of retailers were chosen based on Deloitte’s ‘Global Powers of Retailing Report 2019’ and had their public-facing web security environments analysed against the seven most common attack vectors used by hackers during reconnaissance, to ascertain the risk score, including Security Mechanisms, Page Creations Methods, Degree of Distribution, Authentication, Input Vectors, Active Contents and Cookies (score 1-100 each).
Security Mechanisms was the single biggest attack vector for both EU and US retailers, attaining a risk exposure score of 90.5 and 99 respectively. For retailers using HTTP websites, and not restricting access to adversaries trying to get into unsecured parts of a site without encryption, this will contribute to a higher attack surface score. Active Content, which observed how web applications were running scripts, was the second most dangerous as both US and EU retailers acquired scores of 88 or more. Third highest was Degree of Distribution with all retailers attaining scores higher than 77.9, which is attributed to the high number of product pages commonly found on large e-commerce sites making it difficult to secure everything.
Nicolas Renard, Security Analyst at Outpost24 said: “Hackers are masters of reconnaissance and will go to great lengths to identify weak spots in their target. The rather high-risk exposure score among the top retailers is a worrying trend, as bigger attack surfaces create more opportunity for bad actors to find holes in their security defence and execute potential exploits.”
Outpost24’s Scout tool also examined the components that were used to develop the web applications and discovered that 90% of EU retailers and 50% of US retailers are currently running outdated jQuery versions on their applications which could expose them to common cross-site scripting attacks. Furthermore, the top retailers are found to be using a variety of outdated servers to run their applications, making their shared hosting environments vulnerable to unauthorised access through potential exploitation of known vulnerabilities.
Stephane Konarkowski, Security Analyst at Outpost24 said: “How the web application is built and developed is a key risk indicator if you know where to look. Our research shows the complexity of modern-day applications and the need for retail organisations to understand their attack surface and risk levels. To avoid data breach and the loss of customer trust and revenue, retailers must address security hygiene as an essential step to protect their web applications and ensure the attack surface is kept at a minimum through continuous assessment.”