Retail and e-commerce organizations are major targets during the holiday shopping season, which is why proactive security testing is essential to preparing for a potential onslaught of attacks. Why are retailers turning to security researchers to mitigate risk this holiday shopping season? We spoke with several HackerOne customers in retail and e-commerce to gather insights specific to their industry.
1. Diverse Skillsets and Creativity
Retail and e-commerce organizations draw on the diverse skillsets and creativity of security researchers to bring an outsider's mindset to their security testing during the holiday shopping season.
“HackerOne’s global community of ethical hackers has broadened our security testing capabilities. We connect with a diverse group of hackers, each bringing their specialties and strengths to the table. This diversity is an essential asset because there’s no one-size-fits-all approach. Some focus on specific attacks, while others excel at identifying a wide range of vulnerabilities across our assets. This variety helps us uncover potential security gaps that we might overlook otherwise.”
— Isaiah Grigsby, Senior Application Security Engineer, REI
“The creativity of hackers is key to hardening our attack surface. When we receive a creative proof of concept (POC) from a hacker, we can use that process to review and verify that the specific vulnerability (or a similar one) is not reproducible on new assets. This approach gives us insights into where potential vulnerabilities might be and has led us to introduce new cross-checking activities as part of the investigation and remediation process to verify a single risk on multiple components, such as code inherited into new assets.”
— Feliks Voskoboynik, CISO, AS Watson
“Bug bounty programs provide companies a way to connect with a global talent pool of security researchers who serve as an extension of the company’s security team and can be available at all times to find and report vulnerabilities in exchange for bounty payments and reputation. This constructive collaboration allows companies to tap into subject matter experts at any given time, with the end goal of making the internet safer for all of us.”
— Alejandro Federico Iacobelli, Application Security Director, Mercado Libre
2. Actionable Insights
Retail and e-commerce organizations can then take the insights researchers provide and transform them into preventative actions, from SDLC refinement to training programs.
“The vulnerability insights from our bug bounty program have enabled us to find improvement opportunities throughout the security development lifecycle (SDLC) and proactively reduce vulnerabilities like XSS by 98%.”
— Alejandro Iacobelli, Application Security Senior Manager, Mercado Libre
“Specific findings of hackers enabled us to build a new secure code training program for our development teams. We monitor the trends of vulnerabilities and leverage them to build a training baseline to reduce the risks to our assets. The training program has helped us increase the quality of the code and reduce vulnerabilities. It’s also increased our prevention capabilities by shifting left as much as possible to secure the SDLC. We noticed a decrease in total valid reports over the years, and we lowered costs remediating issues in live environments.”
— Feliks Voskoboynik, CISO, AS Watson
“At REI, we focus on finding critical vulnerabilities that could affect our customers’ data and overall application security. We pay close attention to issues like authentication and authorization flaws, injection vulnerabilities, and anything that could lead to data breaches. We’re always ready to act on the findings we receive with a process for reviewing reports and prioritizing vulnerabilities based on their potential impact so we can fix them quickly. By prioritizing these bugs, we aim to strengthen our security and create a safe, reliable environment for our users.”
— Isaiah Grigsby, Senior Application Security Engineer, REI
3. Scale
As organizations grow, so does their attack surface, and attacks grow more sophisticated from one holiday shopping season to the next. Retailers, however, can draw on an extensive pool of security researchers who are constantly learning and developing their tools and skillsets to keep pace with criminals.
“As our e-commerce business grows, we need to scale our reactive security strategy across a growing attack surface so we can meet customer needs, ensure privacy, adhere to compliance regulations, and deliver our software as securely as possible. We needed a partner like HackerOne, to bring a community of security researchers that provide diverse vulnerability insights across our digital assets to help us maximize our efforts.”
— Alejandro Iacobelli, Application Security Senior Manager, Mercado Libre
“We initially started with a private bug bounty program to establish a foundation for security testing. After a few months of having a successful private bug bounty program, we transitioned to a public vulnerability disclosure program, which allows us to receive and manage vulnerability reports from third-party researchers. As our program has evolved, we’ve also introduced a public bug bounty program, enabling us to leverage the diverse skills of a global community. This progression has been instrumental in maturing our application security efforts and building a world-class security program.”
— Isaiah Grigsby, Senior Application Security Engineer, REI
“HackerOne has advanced our levels of cybersecurity across AS Watson. Our program continues to grow, and HackerOne has helped us identify and prioritize where our focus needs to be. Over the years, we have recognized an extensive amount of new vulnerabilities and high-risk issues that have improved the overall security posture of our internet-facing assets and have strengthened our cybersecurity program.”
— Besmir Marku, Head of Technology and Application Security, AS Watson
To learn more about how your organization can get ahead of the holiday shopping season risks, download the 8th Annual Hacker-Powered Security Report: Retail and E-commerce Edition.