In this interview with Scott Gerlach, CSO and co-founder of StackHawk, we delve into the challenges and solutions surrounding cybersecurity in the e-commerce sector, as the demand for software development skyrockets and the need for secure code and API practices becomes more critical than ever.
How has the rise in e-commerce in recent years impacted the demand for software development and contributed to the challenges of ensuring secure code and API practices?
With the expanded digitization of shopping experiences, online payment methods, and targeted social media marketing, the modern consumer is using their mobile device and software applications more than ever to conduct their shopping sprees. Worldwide e-commerce sales are predicted to soar to a total of $6.3 trillion USD in 2024, a 9.4% increase from 2023, and a growth rate that’s only expected to keep climbing over the next few years, according to Shopify. The overwhelming success of online storefronts and digital payment processing for retailers of all sizes is marking a pivotal shift toward e-marketplaces for shoppers on a global scale. In 2026, nearly a quarter (24%) of retail purchases are predicted to happen online, highlighting a growing trend toward e-commerce that’s not slowing down any time soon.
Because of this growing business opportunity and expectations from consumers for user-friendly online shopping experiences, online retailers and e-payment solution providers are pressured to perform, meaning their software developers are in the hot seat to rush and deploy applications quickly so shoppers can start using them.
Due to increased pressure from consumers, shareholders, board members, and executive leadership, software developers and engineering teams need tools that enable application and API security testing in pre-production and production phases to meet hard deadlines. Vulnerabilities and bugs can already go undetected due to insufficient API security testing procedures and/or human error, but adding in both external and internal pressures to push out applications sooner to meet high demand for next-level online shopping experiences can exacerbate the chance for a vulnerability to wreak havoc.
Can you provide insights into the specific tactics cybercriminals are using to exploit API vulnerabilities within the online shopping process?
The massive shift to hybrid and entirely digital storefronts for today’s modern retailers has created an opportunistic environment for attackers to exploit undetected API vulnerabilities within your IT infrastructure. With e-commerce on a roll and growing steadily every year, savvy cyber criminals are motivated to capitalize on this opportunity. While businesses are focused on maximizing revenue with deals, new products, and heightened ad/marketing spending, malicious threat actors attempt to take such businesses and reputable retailers down for ransom because they’re more likely to pay and make it go away, so as not to heavily impact their bottom line.
Cybercriminals are still exploiting simple and detectable vulnerabilities like SQL injection or command injection. These vulnerabilities are often the low-hanging fruit that attackers check first. However, with the proliferation of APIs, attack tactics are becoming more complex but equally effective. Cybercriminals realize that data from one API can be leveraged in an attack chain against another. So, they're piecing together vulnerabilities in different APIs to escalate their attacks.
Modern attackers are also increasingly targeting authorization mechanisms. This means they are looking for ways to manipulate access control to gain unauthorized access to data or functionalities. These attacks can be harder to detect as they involve chaining multiple steps together, each exploiting a small vulnerability.
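The two attack classes described in the answer above, the "low-hanging fruit" injection and the manipulation of authorization, shown side by side as an added, runnable illustration. This is not code from the interview or from StackHawk: the order table, the customer names, the injection payload and the handler functions are all constructed for the demo, and an in-memory SQLite database stands in for the shop's order store. The sequential order IDs are the kind of "data from one API" (an order-confirmation page, say) that an attacker reuses against another endpoint.

```python
import sqlite3

# Constructed sample data (not from the interview): two customers, three orders
# with guessable sequential ids.
ORDERS = [
    (1001, "alice", "4 x widgets"),
    (1002, "alice", "1 x gadget"),
    (2001, "bob", "2 x gizmos"),
]


def make_db():
    """In-memory SQLite store standing in for the shop's order database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT, items TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


# --- 1. SQL injection: the low-hanging fruit ------------------------------

def find_orders_vulnerable(conn, owner):
    """Builds the query by string formatting, so attacker-controlled input
    becomes SQL. owner = "x' OR '1'='1" returns every row in the table."""
    sql = f"SELECT id, owner, items FROM orders WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def find_orders_safe(conn, owner):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so the same payload is just a string that matches nothing."""
    sql = "SELECT id, owner, items FROM orders WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# --- 2. Broken object-level authorisation --------------------------------

def get_order_vulnerable(conn, caller, order_id):
    """Looks the order up by id only. Any authenticated caller who guesses or
    enumerates an id reads another customer's order; `caller` is ignored."""
    row = conn.execute(
        "SELECT id, owner, items FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    return (200, row) if row else (404, None)


def get_order_hardened(conn, caller, order_id):
    """Ownership is part of the lookup rather than a check bolted on after it,
    and 'not yours' and 'does not exist' both return 404, so the endpoint
    cannot be used as an oracle for which ids exist."""
    row = conn.execute(
        "SELECT id, owner, items FROM orders WHERE id = ? AND owner = ?",
        (order_id, caller),
    ).fetchone()
    return (200, row) if row else (404, None)


def demo():
    """Run both attacks against both variants and report the outcomes."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "injected_vulnerable_rows": len(find_orders_vulnerable(conn, payload)),
        "injected_safe_rows": len(find_orders_safe(conn, payload)),
        "bob_reads_alice_vulnerable": get_order_vulnerable(conn, "bob", 1001)[0],
        "bob_reads_alice_hardened": get_order_hardened(conn, "bob", 1001)[0],
        "bob_reads_own_hardened": get_order_hardened(conn, "bob", 2001)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The injection case is what a DAST scanner catches by sending the payload and watching the response grow; the authorization case is the one that needs a second identity in the test, because every single request in the chain looks legitimate on its own.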
Given the significant spike in online transactions and data exchanges, what are the most common risks and threats that businesses face, especially when security teams may be under-staffed or experiencing burnout?
Because malicious cyber activity never takes a vacation, we often forget that security teams and DevSecOps experts need breaks, too. While board teams and investors are eager to reap the benefits of the business opportunity and value that embracing the shift to e-commerce offers, cyber criminals see this wave of uncharted territory for some retailers as a time to attack, especially when security experts and their teams are stretched thin. Even with team members on-call, security teams often find themselves understaffed and overwhelmed, leaving more room for human error to miss a step in protocol or not catch a vulnerability in ample time, potentially causing a breach. In fact, 77% of security team members reported their stress levels having a direct impact on their ability to secure customer data, according to Devo.
One common way cyber criminals can gain access to your data is through an open, yet undetected, back door, otherwise known as a zombie API. Today’s software organizations average upwards of 15,000 APIs in their attack surface. Even if an organization is already implementing a robust API/application security strategy, with security experts and developers working overtime to meet deadlines with high performing applications, and employee burnout always a factor, it can be easy for at least one zombie API to remain active, untested and therefore, vulnerable. With an influx of personal data being shared through e-commerce transactions, hackers only need to find one zombie API to open the door to an organization’s entire arsenal of data.
What measures can help organizations enhance their cybersecurity posture and protect against this threat?
Testing all APIs regularly and diligently with a robust, clear API security strategy in place is key to protecting against any shopping holiday-related cyber threats. Organizations should leverage modern DAST tools to test a running version of their application and APIs against real-world hacking scenarios before deployment. In the process, they should test with various types of data, since each might help discover different error cases or potential vulnerabilities. It’s also important to pair pre-production testing with tools that monitor production traffic for real-time attacks for maximum coverage.
Organizations looking to enhance their cybersecurity posture should also make an effort to discover/uncover existing APIs to ensure shadow or zombie APIs do not compromise a business’s IT infrastructure. To begin this process, security teams should start with the code itself, instead of waiting for anomalous traffic to hit undocumented APIs to discover they exist. Security teams should also rely on their counterparts: software developers. By working closely with the individuals that actually wrote the code, security experts and developers can work together to identify which environments contain APIs transmitting sensitive data, even if they are deemed “undocumented.”
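A code-first discovery pass of the kind the last answer recommends, added here as an example (it is not StackHawk's tooling or the interviewee's code): it pulls route declarations out of source text, compares them with the paths the team has documented in an OpenAPI spec, and lists the undocumented routes, putting first those whose handler mentions a sensitive field. The Flask and Express snippets, the OpenAPI `paths` object and the keyword list are all constructed for the demo; the regexes cover only the simple decorator and `app.<verb>(...)` forms shown, and the sensitive-data flag is a keyword heuristic, not a data-flow analysis.

```python
import re

# Constructed sample sources standing in for files in a repository checkout.
# They are not StackHawk's code or any real application.
FLASK_SRC = '''
@app.route("/api/orders/<int:order_id>", methods=["GET"])
def get_order(order_id):
    return jsonify(load_order(order_id))

@app.route("/api/admin/export", methods=["GET", "POST"])
def export_orders():
    rows = db.query("SELECT card_number, email FROM orders")
    return csv_response(rows)

@app.route("/api/legacy/refund")
def legacy_refund():
    return refund(request.args["order"])
'''

EXPRESS_SRC = '''
app.get('/api/products', listProducts);
router.post('/api/v1/checkout', checkout);
app.delete('/internal/cache', flushCache);
'''

# Minimal OpenAPI "paths" object: the surface the team believes it exposes.
OPENAPI_PATHS = {
    "/api/orders/{order_id}": {"get": {}},
    "/api/products": {"get": {}},
    "/api/v1/checkout": {"post": {}},
}

FLASK_ROUTE = re.compile(
    r'@\w+\.route\(\s*["\']([^"\']+)["\']'            # path literal
    r'(?:[^)]*methods\s*=\s*\[([^\]]*)\])?\)'           # optional methods=[...]
)
EXPRESS_ROUTE = re.compile(
    r'\b(?:app|router)\.(get|post|put|patch|delete)\(\s*["\']([^"\']+)["\']'
)
# Heuristic only: identifiers that suggest a handler touches regulated data.
SENSITIVE = re.compile(r"card_number|cvv|ssn|password|date_of_birth", re.I)


def normalize(path):
    """Map Flask's <int:order_id> / <name> converters to OpenAPI's {name}."""
    return re.sub(r"<(?:\w+:)?(\w+)>", r"{\1}", path)


def extract_routes(source, framework):
    """Return one {"method", "path", "sensitive"} record per route found.
    'sensitive' is True when the code between this declaration and the next
    one mentions a SENSITIVE keyword."""
    pattern = FLASK_ROUTE if framework == "flask" else EXPRESS_ROUTE
    matches = list(pattern.finditer(source))
    routes = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(source)
        body = source[m.end():end]
        if framework == "flask":
            path = normalize(m.group(1))
            methods = re.findall(r"[A-Za-z]+", m.group(2) or "GET")  # Flask default
        else:
            path, methods = m.group(2), [m.group(1)]
        for method in methods:
            routes.append({"method": method.upper(), "path": path,
                           "sensitive": bool(SENSITIVE.search(body))})
    return routes


def documented_operations(paths):
    """(METHOD, path) pairs present in the OpenAPI paths object."""
    return {(method.upper(), path) for path, ops in paths.items() for method in ops}


def find_undocumented(routes, paths):
    """Routes that exist in code but not in the spec: shadow/zombie candidates,
    ordered so the ones touching sensitive data come first."""
    known = documented_operations(paths)
    hits = [r for r in routes if (r["method"], r["path"]) not in known]
    return sorted(hits, key=lambda r: (not r["sensitive"], r["path"], r["method"]))


def inventory():
    """Combine both sample sources and diff them against the spec."""
    routes = (extract_routes(FLASK_SRC, "flask")
              + extract_routes(EXPRESS_SRC, "express"))
    return find_undocumented(routes, OPENAPI_PATHS)


if __name__ == "__main__":
    for r in inventory():
        flag = "SENSITIVE" if r["sensitive"] else ""
        print(f"{r['method']:6} {r['path']:24} undocumented {flag}")
```

Run against a real checkout, the output is the list to take to the developers named in the answer: each row is an endpoint that will never be exercised by a scanner driven from the spec, and the sensitive ones are where the conversation about which environments carry it should start.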