This cyber security update is brought to you by Fortinet, an SPTel Cyber Security Partner
By Brian Schwarz | December 04, 2020
It’s no surprise that e-commerce shows continued growth this year as people increasingly rely on online shopping during the pandemic. In November, the U.S. Department of Commerce reported that e-commerce increased almost 37% in Q3 2020 compared to the previous year and it’s safe to predict that this growth trend will continue to accelerate with many the world experiencing new waves and mutations of the virus.
The consequence of this trend? We have seen a rise in cyberattacks on the web infrastructure that supports online shopping and will likely continue to do so through the rest of 2021. In fact, Fortinet’s FortiGuard Labs has reported a steady increase in e-commerce attacks recently.
If you’re responsible for your corporate ecommerce infrastructure, you have two imperatives that don’t always play well together. The first imperative is to deliver the kind of dynamic and engaging shopping experience that gets buyers to purchase, and the second is to secure the rapidly changing web application that delivers that experience. And the attack surface of those applications isn’t what it used to be. Increasingly, those web applications expose APIs to the outside world so that your customers can purchase using mobile applications – HTML isn’t just being pushed out anymore.
Securing Your APIs
Certainly, one way to secure these APIs is to implement rigorous coding standards. Sensitive data shouldn’t be made available to the client unnecessarily. Rate limits should be imposed to prevent abuse of the API for bulk data harvesting. The server should be doing the heavy lifting, so the API shouldn’t enable mobile clients to download data above and beyond what’s required. Only well-vetted authentication and encryption protocols should be used. And good coding practices, such as avoiding the issues outlined in the OWASP API Security Top 10 (the younger sibling of the more familiar OWASP Top 10) should be followed. But what if you’re not the developer, and your responsibility is securing the deployment of an application?
Relying on your DevOps team may not be the best place to implement security controls for your API. Application developers are typically evaluated on feature delivery, uptime, and other metrics. Ideally, security is somewhere on their list, but in practice, consistently making security a top priority is a challenge, especially when a DevOps team may not have extensive cybersecurity skills. Even when a development team does focus on application security, having multiple application teams implementing their own approaches to application security can leave your security team in the dark. Without a clear view of security events across all of your web applications, you are exposing your applications — and your organization — to unnecessary and serious risk. An external security control is critical to give you the control and visibility you need.
A Web Application Firewall With API Security Protects Organizations From Online Shopping Threats
For years, the industry has been deploying Web Application Firewalls (WAFs) to protect applications from common threats like SQL injection attacks and cross-site scripting. But as the digital attack surface continues to grow, organizations need to extend the WAF concept to encompass Web Application and API Protection (WAAP). What form should the API security take? Your solution needs to support the following basic API gateway capabilities:
- Protection against automated attacks, including rate limiting to prevent abuse of your API for either credential abuse or bulk data harvesting
- The ability to manage API keys that can enable access to specific APIs for your trusted business partners
- The ability to implement a positive security model, validating users input against the developer’s own definitions, in OpenAPI or other formats
If you’re deploying APIs to support mobile e-commerce applications for your customers (or, really, for any other kind of application), adopt a WAF solution that includes API security. And if you’ve already deployed the API and do not yet have a security solution in place, it is not too late to implement one. A solution like FortiWeb Cloud—with its included API security module—can be easily deployed and managed within minutes, supporting organizations in either scenario.
Deploying cyber security effectively
Beyond looking at your cyber security solution, you should also consider how your business can improve cyber security deployment for your corporate network. By choosing a network provider with software defined networking capabilities, you’ll have the option to choose a virtualised mode of deployment which can allow you to turn on additional cyber security requirements as needed to react quickly to new threats in the market. This frees you from having to rely on traditional box solutions that are less flexible and scalable.
SPTel has partnered with Fortinet to deliver their best in class, virtual WAF and next generation firewall solutions on top of our clean pipe business class digital network to provide organisations with on demand virtual cyber security that can be customised to their needs. Delivered on an end-to-end software defined network with network functions virtualisation, you’ll benefit from digitalised provisioning for on demand, real-time responsiveness. As part of our business standard of care, DDoS attacks will be actively detected and alerted by default for all SPTel Internet line subscribers. DDoS attack mitigation can also be provisioned as required, on demand for enhanced threat responsiveness for your organisation.
Learn more about SPTel’s Managed Perimeter Protection solutions here.