skip navigation
skip mega-menu

Cyber Security Essentials for Websites and Applications

Safeguarding E-Commerce Success

With e-commerce thriving as a cornerstone of retail, securing websites and applications has never been more critical. Cyber criminals target vulnerabilities in commercial platforms and websites to exploit sensitive customer data and disrupt operations.

This month, we explore the cyber threats and implications facing online retail and e-commerce, as well as delving into some best practices and frameworks like OWASP, and secure development methodologies, to help organisations stay secure online.


Why Application Security Matters for E-Commerce

Threat Landscape

Cyber crime targeting e-commerce platforms remains a top concern, according to the NCSC, 50% of UK businesses experienced a cyber attack in 2023 alone. 18% of breaches that were reported in 2023 to the Information Commissioner’s Office (ICO) were in the retail sector.

Rising Threats

Cyber crime targeting online businesses in the UK is being driven by increasingly sophisticated attacks, with the number of affected businesses only set to increase year on year. Common threats include SQL injection, cross-site scripting (XSS), and API breaches.

Impact

A single breach can result in financial loss, reputational damage, and even regulatory penalties. For example, Magecart’s attacks on British Airways showcased the devastating impact of compromised third-party integrations, resulting in the flag carrier airline having to pay a £20m data protection fine. [source: The Register]

Trust and Loyalty

Ensuring robust security builds customer trust, enhances brand reputation, and protects critical data like payment information and personal details.


The Rise of API Breaches and the Importance of Secure Third-Party Integrations

APIs (Application Programming Interfaces) are the backbone of modern web applications, enabling integration between systems, other applications, and services. According to Business Wire, a survey in 2022 found that 97% of enterprise business leaders agree that successfully executing an API strategy is essential to secure organisations’ future revenue and growth.

However, their rapid adoption has also made them a prime target for attackers. In 2021, Gartner predicted that APIs would become the top attack vector used to target applications.

Fast forward to 2024 and there have already been some notable breaches:

Peloton API Breach (2021)

Hackers exploited a vulnerability in Peloton’s API that enabled users to make an unauthenticated request for account data to the API without the API first verifying if that user has authorisation to access said data.

The API enables the end users’ bikes to capture and upload data back to Peloton’s servers. Sensitive user data for around 3 million individuals was exposed due to insecure API configurations.

This included personal details such as names, emails, and workout statistics. Peloton’s inadequate authentication and authorisation measures highlighted the critical need for robust API security protocols. [source: Threatpost]

Facebook Data Breach (2021)

An API misconfiguration in Facebook’s (Meta’s) contact importer feature was exploited by malicious actors, exposing the personal data of approximately 533 million users from 106 countries.

Personal data such as phone numbers, full names, and locations were leaked, with the issue originally stemming from scraping public profiles before the vulnerability was patched in 2019. [source: Twingate]


Best Practices for Web Application Security

Penetration Testing

Penetration testing is a cornerstone of application security, especially for retail and e-commerce businesses handling vast amounts sensitive customer data and requiring 24/7 availability online. 

While large enterprises like Amazon may have the capacity to conduct internal pen testing, most organisations in this space face cost and resource constraints that make outsourcing these services more practical and effective. Partnering with external cyber security experts provides access to specialised skills, tools, and up-to-date threat intelligence that many internal teams simply can’t maintain.

Moreover, hiring third-party testers eliminates the bias that might come with in-house testing and ensures that vulnerabilities are approached with a fresh perspective. The cost of penetration testing is often outweighed by the potential financial and reputational damage of a breach, particularly in high-stakes industries like retail. 

Independent testing not only provides peace of mind but also aligns with compliance requirements and industry best practices, ensuring businesses are well-protected against the ever-evolving threat landscape.

Code Reviews

Code reviews are an essential part of any secure development process, ensuring that security vulnerabilities are caught early in the development lifecycle. This practice involves systematically examining source code to identify flaws, errors, or opportunities for improvement, with a strong focus on maintaining high security standards.

For retail and e-commerce businesses, where customer trust is paramount, code reviews play a vital role in protecting sensitive user data and ensuring seamless functionality. Conducting thorough code reviews:

  • Identifies Common Vulnerabilities: Helps uncover issues such as injection flaws, insecure data handling, and authentication weaknesses, which align with risks highlighted in the OWASP Top 10.
  • Enhances Collaboration: Encourages teamwork among developers, fostering a culture of accountability and shared responsibility for secure coding practices.
  • Reduces Costs: Fixing security vulnerabilities during development is significantly less expensive than addressing them after deployment or following a breach.

Given the fast pace of the e-commerce sector, it may be tempting to bypass code reviews to save time. However, the long-term risks far outweigh the short-term gains. Engaging third-party experts or employing tools like static application security testing (SAST) solutions can streamline this process, providing an additional layer of confidence before your code goes live.

Ultimately, code reviews are more than just a quality check—they are a proactive defence against cyber threats, reinforcing the integrity of your applications from the very foundation.


Open Web Application Security Project
Top 10 Vulnerabilities

OWASP (Open Web Application Security Project) offers a globally recognised framework for understanding the most common and prevalent risks facing open web and mobile applications.

Here’s a snapshot of the OWASP Top 10 vulnerabilities every e-commerce platform must address:

1. Broken Access Control: Unrestricted access to sensitive functionalities or files.

2. Cryptographic Failures: Insufficient cryptographic mechanisms leading to compromise of sensitive data.

3. Injection: Exploiting input fields to manipulate databases or applications (e.g., SQL Injection).

4. Insecure Design: A broad category representing different weaknesses, expressed as “missing or ineffective control design”.

5. Security Misconfiguration: Default settings or unpatched software creating vulnerabilities.

6. Vulnerable and Outdated Components: Relying on outdated libraries and frameworks, or application technologies with known vulnerabilities.

7. Identification and Authentication Failures: Weak authentication and authorisation processes enabling unauthorised access.

8. Software and Data Integrity Failures: Code and infrastructure that does not sufficiently protect against integrity violations 

9. Security Logging and Monitoring Failures: Insufficient logging, detection, monitoring, and active response, enabling unnoticed breaches. The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.

10. Server-Side Request Forgery (SSRF): SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). This is increasingly common in modern web applications.

 

Secure Development Life Cycle (SDLC)

SDLC emphasises embedding security into every stage of the development process, from ideation to deployment. Key steps include:

  • Planning: Identify security requirements early.
  • Design: Threat modelling to anticipate potential attack vectors.
  • Implementation: Use secure coding practices and tools to detect vulnerabilities in real time.
  • Testing: Conduct automated and manual tests, including code reviews and penetration testing.
  • Deployment: Monitor applications continuously and ensure robust change management.
  • Maintenance: Regularly update, patch, and audit systems post-launch.

More information about SDLC practices can be found here.


Application Security is Essential

Application security is not a luxury but a necessity, particularly for retail and e-commerce businesses. However, by leveraging frameworks like OWASP and embedding security into every stage of the Secure Development Lifecycle, online businesses can proactively identify and address vulnerabilities before they become costly breaches.

From securing APIs to conducting regular penetration tests with trusted third-party experts, these measures not only reduce risk but also bolster consumer confidence, a critical asset in an increasingly competitive online market. Prioritising robust cyber security practices ensures your e-commerce platform remains resilient against pervasive online threats, safeguarding your operations, brand, and the trust of your customers.

As you build or launch new applications, it’s important to remember that cyber security isn’t a one-time task but an ongoing commitment. By implementing and maintaining some of the best practices we have covered, you can create a safer digital experience for your users while protecting your business’s reputation and revenue.

Tools and Resources for Strengthening Security

Explore jobs at CyberLab

Cyber Security Account Executive

CyberLab is a specialist cyber security company that provides a wide range of security solutions and services. Your one-stop cyber security advisor, the CyberLab team is equipped with the right technology, knowledge, and expertise to help businesses of all sizes, including large public sector organisations.By leveraging world-class technology, decades of experience, and our vendor partnerships, we have helped to secure thousands of organisations across the UK. Our unique Detect, Protect, Support approach makes us the perfect partner to review and reinforce your cyber security defences.  "a great place to work a great place to be a customer"The CyberLab team are proud to help protect over 1000 of the UK’s blue-chip enterprise businesses, government departments, and household names.We have helped organisations of all shapes and sizes to improve their cyber security:"With continued support from CyberLab we are able to ensure our solutions are always fit for purpose.” - Andrew Chaplin, IT infrastructure, Spicerhaart “Having usedOur customers rate us as Excellent on TrustPilot CyberLab before in a previous Head of IT role, I had no hesitation in engaging them again to assist us with our security needs. Simply, I wouldn’t use them if they didn’t consistently deliver value.” - Head of IT, NHS Trust “CyberLab are always there to help. Being able to pick up the phone or email and have access to a dedicated account manager who is always there to assist provides excellent value for us." - Simon Hobdell, Technical Team Leader, Buckinghamshire Council  CyberLab, a specialist cyber security company combining Chess Cyber Security, Armadillo Sec and Cyberlab ConsultingOur HistorySince the acquisition of Foursys in 2017, Chess has been on a journey to becoming a cyber security powerhouse. In 2021, 15 of the UK’s top Penetration Test experts joined the company through the acquisition of Armadillo Sec. In 2023, Chess acquired Cyberlab Consulting, a specialist cyber security consultancy that provides a range of compliance and managed security services, including a cyber security as a service (CSaaS) platform.In May 2023, Chess Cyber Security became independent from Chess ICT, bringing all of our cyber security operations under the CyberLab banner – a specialist cyber security company combining Chess Cyber Security, Armadillo Sec and Cyberlab Consulting into one entity, providing a one-stop shop for all UK business Security needs.

CyberLab
Cyber Security Account Director

CyberLab is a specialist cyber security company that provides a wide range of security solutions and services. Your one-stop cyber security advisor, the CyberLab team is equipped with the right technology, knowledge, and expertise to help businesses of all sizes, including large public sector organisations.By leveraging world-class technology, decades of experience, and our vendor partnerships, we have helped to secure thousands of organisations across the UK. Our unique Detect, Protect, Support approach makes us the perfect partner to review and reinforce your cyber security defences.  "a great place to work a great place to be a customer"The CyberLab team are proud to help protect over 1000 of the UK’s blue-chip enterprise businesses, government departments, and household names.We have helped organisations of all shapes and sizes to improve their cyber security:"With continued support from CyberLab we are able to ensure our solutions are always fit for purpose.” - Andrew Chaplin, IT infrastructure, Spicerhaart “Having usedOur customers rate us as Excellent on TrustPilot CyberLab before in a previous Head of IT role, I had no hesitation in engaging them again to assist us with our security needs. Simply, I wouldn’t use them if they didn’t consistently deliver value.” - Head of IT, NHS Trust “CyberLab are always there to help. Being able to pick up the phone or email and have access to a dedicated account manager who is always there to assist provides excellent value for us." - Simon Hobdell, Technical Team Leader, Buckinghamshire Council  CyberLab, a specialist cyber security company combining Chess Cyber Security, Armadillo Sec and Cyberlab ConsultingOur HistorySince the acquisition of Foursys in 2017, Chess has been on a journey to becoming a cyber security powerhouse. In 2021, 15 of the UK’s top Penetration Test experts joined the company through the acquisition of Armadillo Sec. In 2023, Chess acquired Cyberlab Consulting, a specialist cyber security consultancy that provides a range of compliance and managed security services, including a cyber security as a service (CSaaS) platform.In May 2023, Chess Cyber Security became independent from Chess ICT, bringing all of our cyber security operations under the CyberLab banner – a specialist cyber security company combining Chess Cyber Security, Armadillo Sec and Cyberlab Consulting into one entity, providing a one-stop shop for all UK business Security needs.

CyberLab

Subscribe to our newsletter

Sign up here