The Security Conscious Partner

With Nathanael Tombs, Security Practice Lead

With trust so critical in ecommerce, it’s imperative that any business that collects customer data or operates an ecommerce channel has a secure website. Businesses should have a security protocol in place to identify vulnerabilities in their websites and protect both the company’s and their customers’ private information. Without one, your business could become an easy target for attackers seeking sensitive information, and the resulting harm to your business can be irreparable. This is where Gorilla Group’s Security offering can help your business stay ahead of these ever-evolving threats.

A recent example of a flawed security protocol is the payment breach that happened to Wawa. The convenience store and gas station chain, located primarily on the East Coast, found malware installed on its payment processing systems. According to ZDNet, the malware was installed on March 4, 2019, and was potentially running at all Wawa locations (over 860 stores); it was not discovered until December 10 and was removed on December 12. The malware was configured to collect payment information from the point-of-sale systems: credit and debit card numbers, cardholder names, and expiration dates. Incidents like this can be avoided by taking the time to put a security protocol in place that protects the company’s and the customers’ private information.

Another example of a security breach is the Capital One hack that happened in July of 2019. The bank suffered a massive data breach that exposed the personal and financial information of over 100 million customers. A former Amazon software engineer was able to exploit a misconfigured web application firewall and gain access to private information. According to a Wired article, the breach “exposed 106 million credit card applications which included names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data.” This shows that organizations ranging from banks to convenience stores can fall victim to a security breach, which further drives home the importance of a strict security protocol.

Anyone can Google “web application scanners” and find thousands of generic scanners that could potentially be used. The problem with these scanners is that they do some things well, but not everything an ecommerce website needs in order to find its vulnerabilities. Most web application scanners are masters of none: they operate on signatures and have a fixed database of things to look for, and even when a vulnerability is found, they can do nothing to help fix the problem.

Gorilla Group goes about security audits a bit differently. We use a multitude of different scanners, including one we built ourselves, in order to make sure everything is accounted for. We use a multi-component toolset, which is part of our DevSecOps strategy and allows us to give our clients the most thorough security audit possible.

While we use a range of best-in-class tools, we addressed a gap in current offerings by building our own Gorilla Security Scanner. With the Gorilla Security Scanner, we are able to look for common application misconfigurations, JS malware signatures, and common endpoints. It searches for common Magento and SAP Commerce vulnerabilities across our entire client base. If we see an irregularity with one client, we can programmatically check whether the same issue is occurring across every other client. The wide variety of builds and setups we have eyes on is reflected in our own security tool, which allows us to stay on top of potential issues as they arise.

Gorilla also has a vulnerability management platform called BlackWatch. It allows us to run a wide variety of scans and aggregate, standardize, and filter their results within a single dashboard. The difficulty with using multiple security scanners is that each one produces results in a different format. A huge benefit of BlackWatch is that it enables us to produce unified, customizable reports, which can be exported as a PDF for easy readability. BlackWatch shows us which alerts are active, verified, and mitigated. Plus, we can edit findings as appropriate and remove false positives as needed, creating a seamless experience for our clients.
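The core of the aggregation problem described above is that every scanner speaks its own dialect: different severity vocabularies, different ways of naming the same check, hostnames in one tool and full URLs in another. The script below is an added example written for this article, not BlackWatch’s code; the two scanner output formats (`SCANNER_A_JSON`, `SCANNER_B_CSV`), the `.test` hostnames, the `scanner_a`/`scanner_b` names, and the `Finding` schema are all constructed for illustration. It normalizes both feeds onto one schema, merges duplicates reported by more than one tool (keeping the higher severity and recording every source), drops findings that have been marked as false positives, and attaches an active/verified/mitigated status to each one.

```python
"""Normalize and merge findings from two scanners with different output formats.

Added example (not BlackWatch's code). The input formats, hostnames and
scanner names below are constructed for illustration.
"""
import csv
import io
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# One severity scale for the whole report; each parser maps its tool's words onto it.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    target: str      # hostname the finding applies to
    check: str       # normalized check name, used as the de-duplication key
    title: str       # human-readable title as the first scanner reported it
    severity: str    # one of SEVERITY_RANK
    source: str      # which scanner reported it


def normalize_check(name: str) -> str:
    """Collapse case and punctuation so 'Missing HSTS' and 'missing-hsts' match."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


# Scanner A (constructed): JSON array, numeric severity 1-4, bare hostname.
SCANNER_A_JSON = json.dumps([
    {"host": "shop.example.test", "issue": "Missing HSTS", "sev": 2},
    {"host": "shop.example.test", "issue": "Directory listing enabled", "sev": 3},
    {"host": "admin.example.test", "issue": "Outdated jQuery", "sev": 2},
])

# Scanner B (constructed): CSV, textual severity, full URL instead of hostname.
SCANNER_B_CSV = """url,finding,risk
https://shop.example.test/,missing-hsts,Medium
https://shop.example.test/media/,Directory Listing Enabled,High
https://shop.example.test/checkout,Debug banner exposed,Low
"""


def parse_scanner_a(raw: str):
    sev_map = {1: "low", 2: "medium", 3: "high", 4: "critical"}
    for item in json.loads(raw):
        yield Finding(item["host"], normalize_check(item["issue"]),
                      item["issue"], sev_map[item["sev"]], "scanner_a")


def parse_scanner_b(raw: str):
    for row in csv.DictReader(io.StringIO(raw)):
        host = urlparse(row["url"]).hostname  # reduce URL to the affected host
        yield Finding(host, normalize_check(row["finding"]),
                      row["finding"], row["risk"].lower(), "scanner_b")


def aggregate(findings, suppressed=frozenset(), statuses=None):
    """Merge findings on (target, check); drop suppressed ones; attach a status.

    suppressed: set of (target, check) keys reviewed and marked false positive.
    statuses:   dict of (target, check) -> 'verified' | 'mitigated'; default 'active'.
    Returns a list of dicts sorted from highest to lowest severity.
    """
    statuses = statuses or {}
    merged = {}
    for f in findings:
        key = (f.target, f.check)
        if key in suppressed:
            continue
        if key not in merged:
            merged[key] = {"target": f.target, "check": f.check, "title": f.title,
                           "severity": f.severity, "sources": {f.source},
                           "status": statuses.get(key, "active")}
            continue
        entry = merged[key]
        entry["sources"].add(f.source)
        # When tools disagree on severity, report the more severe rating.
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f.severity
    return sorted(merged.values(), key=lambda e: -SEVERITY_RANK[e["severity"]])


def summarize(report):
    """Count findings per status, the headline numbers a dashboard would show."""
    counts = {"active": 0, "verified": 0, "mitigated": 0}
    for entry in report:
        counts[entry["status"]] += 1
    return counts


def build_report(suppressed=frozenset(), statuses=None):
    findings = list(parse_scanner_a(SCANNER_A_JSON)) + list(parse_scanner_b(SCANNER_B_CSV))
    return aggregate(findings, suppressed, statuses)


if __name__ == "__main__":
    report = build_report(
        suppressed={("shop.example.test", "debugbannerexposed")},   # reviewed: false positive
        statuses={("shop.example.test", "missinghsts"): "mitigated"},
    )
    for e in report:
        print(f"[{e['severity']:<8}] {e['target']:<20} {e['title']:<28} "
              f"{e['status']:<9} via {', '.join(sorted(e['sources']))}")
    print(summarize(report))
```

Running it merges the two scanners’ six raw results into three entries: the directory-listing and HSTS findings are each reported by both tools and appear once, the debug-banner finding is dropped as a marked false positive, and the HSTS finding carries its mitigated status into the summary counts.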

Incorporating effective security practices for your business’s website is critical and will pay off in the long run by avoiding potential data breaches. For more information on Gorilla’s Security Offering, and how we can help your business stay protected, contact us.