By Scott Gerlach, CSO and co-founder at StackHawk
Online shopping activity has proliferated in recent years. In 2022, the United States retail ecommerce ecosystem generated $856.8 billion in revenue and an estimated 2.64 billion consumers will have completed at least one purchase online by the end of this year. With the total global ecommerce sales projected to grow by 50% over the next three years, cybercriminals have pinpointed retail and e-commerce organizations as prime, lucrative attack targets. The holiday shopping season, from early November through to the new year, is often the most optimal time for attackers to strike.
It is during this season that many engineering teams find themselves under immense pressure to push applications out faster to capitalize on consumer demand. However, accelerated production timelines often lead to cutting security corners and can result in the delivery of insecure code to meet deadlines. In addition, with a major spike in online transactions, also comes a surge of data and personal information being exchanged with multiple parties and through multiple endpoints. This is where cyber criminals threaten businesses when they least expect it, especially with security teams taking well-deserved holiday vacation, leaving less detection and response capabilities in their wake.
One of the most common tactics that attackers use to compromise retail organizations’ infrastructure, not only during the holidays but all year round, is attacking their API ecosystem. APIs have been a catalyst of digital transformation and innovation for retailers in recent years, enabling them to improve their operational processes, enhance customer experience and customization, and seamlessly process payments and transactions. However, with the high volumes of sensitive data and personally identifiable information (PII) transmitted through them, attacks on APIs promise high-value returns for any willing attacker. This new reality leaves many retailers and e-commerce organizations without proper API security controls in place and vulnerable to attack.
So how can retail and ecommerce organizations work to protect themselves from rising API attacks, not only through this busy holiday season but beyond into 2024? Well, there are a few key components.
Test, Test, And Test Again!
Ultimately, the journey starts at the beginning with robust security testing. Organizations should leverage modern Dynamic Application Security Testing (DAST) tools to test a running version of their application and APIs against real-world hacking scenarios before deployment. DAST’s primary capability is sending data to an API and checking that it responds correctly, which exercises exactly the weakness that leads to complex API attacks: unexpected input reaching code that was never tested against it. In this process, organizations should test with various types of data: sometimes you need valid data to move forward down a path, and sometimes erroneous or random data. Each type helps discover different error cases or potential vulnerabilities. Testing in CI/CD also helps ensure that security is integrated into the development process alongside other automated software testing, like unit and integration tests. Start by automating tests for common Web application threats, such as injection attacks, sensitive data exposure, and potential XSS. It’s also important to pair pre-production testing with tools that monitor production traffic for real-time attacks for maximum coverage.
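The three input classes described above (valid, erroneous, random) applied to a constructed in-process API handler, as an added illustration rather than StackHawk’s or any product’s code; `order_lookup`, its hardened variant and the probe set are all assumed for this example, and the findings checked for are server errors and leaked stack-trace details (sensitive data exposure):

```python
import json
import random
import string

# Constructed stand-in for an API under test: takes a raw request body and
# returns (status, response). Its generic except clause leaks debugging
# detail, which is the kind of defect a DAST probe should surface.
def order_lookup(body: str):
    try:
        req = json.loads(body)
        order_id = req["order_id"]
        if not isinstance(order_id, str) or not order_id.isalnum():
            return 400, {"error": "invalid order_id"}
        return 200, {"order_id": order_id, "status": "shipped"}
    except KeyError:
        return 400, {"error": "order_id required"}
    except Exception as exc:  # leaky handler: echoes internals to the client
        return 500, {"error": repr(exc), "trace": "Traceback: app.py line 42"}

# Hardened variant: malformed input gets a generic 4xx, nothing internal leaks.
def order_lookup_hardened(body: str):
    try:
        req = json.loads(body)
        order_id = req["order_id"] if isinstance(req, dict) else None
    except (ValueError, TypeError, KeyError):
        order_id = None
    if not isinstance(order_id, str) or not order_id.isalnum():
        return 400, {"error": "invalid request"}
    return 200, {"order_id": order_id, "status": "shipped"}

def probes(rng):
    """Valid, erroneous and random request bodies (constructed sample set)."""
    valid = json.dumps({"order_id": "A1B2C3"})
    erroneous = [json.dumps({}), json.dumps({"order_id": 123}),
                 json.dumps({"order_id": "' OR 1=1 --"}), "{not json"]
    rnd = ["".join(rng.choices(string.printable, k=rng.randint(1, 40)))
           for _ in range(5)]
    return ([("valid", valid)] + [("erroneous", e) for e in erroneous]
            + [("random", r) for r in rnd])

def run_dast_probes(handler, seed=7):
    """Send every probe and report (input class, payload, finding) tuples."""
    findings = []
    for kind, payload in probes(random.Random(seed)):
        status, resp = handler(payload)
        if status >= 500:
            findings.append((kind, payload, "server error"))
        if "trace" in resp or "Traceback" in json.dumps(resp):
            findings.append((kind, payload, "stack trace exposed"))
    return findings
```

Running both handlers through `run_dast_probes` shows the leaky one failing on the malformed and random inputs while the hardened one produces no findings; the same loop can be pointed at a real endpoint with `requests` in a CI job.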
API Discovery
API Discovery is a crucial component of bolstering cybersecurity measures within organizations. Beyond uncovering existing APIs, it involves a proactive approach to prevent potential threats posed by shadow or zombie APIs that could compromise an organization’s IT infrastructure. To initiate this process, security teams should delve into the code itself, rather than relying solely on detecting anomalous traffic hitting undocumented APIs after the fact. By actively engaging with software developers, security teams can gain valuable insights and collaborate in real-time to identify, document, and secure APIs effectively. This collaborative effort ensures a proactive stance against potential security risks, enhancing the overall resilience of the organization’s cybersecurity posture.
Effective Collaboration
Effective collaboration is the lifeblood of successful software development projects. By working closely with the individuals that actually write the code, security experts and developers can quickly identify and understand which environments contain APIs transmitting sensitive data, even if they are deemed “undocumented.” With strong collaboration and communication from these two key roles, organizations are well positioned to address security vulnerabilities faster and improve time-to-fix ratios.
Automate Where Possible
Automating security testing is another highly critical practice for keeping applications and APIs secure, especially during the holidays, when fewer personnel are on hand monitoring and scanning environments. Implementing and deploying solutions that can detect, notify and respond to code and application deviations is key to protecting critical assets and sensitive data.
While there is no silver bullet for protecting against increasing API security attacks, incorporating these steps will help organizations considerably reduce their attack surface and improve the strength and resilience of their overall API security posture.
About the author
Scott Gerlach is the CSO and Co-Founder of StackHawk. Gerlach has over two decades of security and engineering experience, having served as CSO, CISO, and in other executive leadership functions at companies like SendGrid, Twilio and GoDaddy.
StackHawk is an application security testing tool that was built to help developers find, triage, and fix security bugs in their applications. Instead of scanning static code, StackHawk finds bugs that you or your team may have written into the code by scanning a running version of your application.