
Five App Security Predictions for 2021: BOPIS, Flash Sales, Discord, GraphQL and DevSecOps


2020 will forever be known as the Year of COVID. The way we live, work, play and shop all radically changed to mitigate COVID risks. Stay-at-home orders pushed record numbers of shoppers online. This further accelerated the trend towards shopping on mobile devices — primarily iOS and Android flavors. Work-from-home mandates resulted in massive spikes in demand for remote work functionalities and apps. What we did online, too, changed dramatically; we began playing more video games, consuming more movies and television programs, and spending more time on social networks. Consumption of online education and games soared. Food delivery, like DoorDash, GrubHub and UberEats, went from niche to mainstay. We stopped booking on travel sites, stayed out of planes, and instead rented cars and cozied up in our local AirBnBs for quick, close-by staycays. App stores and web apps occupied an even bigger part of our tech lives as they continued to gain ground on platform-centric desktop apps. And, for app security, 2020 caused considerable chaos and a rise in demand for more modern approaches.

Cybercriminals followed all these trends closely and responded with a higher volume of attacks to capitalize on the opportunity, capture sensitive data and compromise data security. This put additional pressure on app developers to improve web application security without compromising user experience. Cybercriminals also swam upstream to execute more credential stuffing attacks against financial services firms, stealing thousands or tens of thousands of dollars per breached account. The SEC suggested that member banks and brokers undertake additional monitoring and behavioral detection approaches in addition to Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”) and multi-factor authentication. We are all hopeful that 2021 will be less disruptive for application security. We polled our team and our customers on trends they see accelerating in the next year. Here are our top five predictions for 2021, ranging from profound technical shifts in APIs to limited edition merchandise drops going mainstream. We hope, also, that these predictions can help inform app security best practices and highlight the need for holistic web application security that protects against automated attacks and client-side threats.

Cybercrime Communities Get Stronger

Cybercriminals have always maintained an alternative reality — aka the Dark Web — alongside a web of murky Internet Relay Chat (IRC) channels, online chat rooms, and file drops where they post accounts harvested from thousands of data breaches. Today, cybercriminals are among the most innovative users of online communications and community-building tools. And they are forming stronger and stronger communities using the same popular tools everyone else uses to build communities and communicate. In fact, we have observed how these popular tools are used to coordinate and bring to market online fraud and mayhem over the entire attack lifecycle. Cybercriminals are often doing this out in the open. A quick Google search turns up Discord channels and subreddits where participants discuss every known threat, including carding, account takeover (ATO), IoT botnets, malware and cracking. We also have seen evidence that cybercriminals are increasingly collaborating on attacks, and that online fraud is becoming a more mature market. Different groups now specialize in aspects of online crime, from renting out botnets for account takeover and carding attacks, to coordinating human “mules” to reship illegally purchased products, to skimming, validating, and then reselling username and password pairings, aka fullz. There are even groups that specialize in exploiting different security issues. Communities and the communications tools they use are ad hoc platforms that make this growing criminal enterprise more efficient. Cybercriminals know this, and the community technology is only getting better. So we expect cybercrime communities will grow measurably stronger to continue evading security measures and behave even more like mainstream businesses and technology sectors in 2021.

GraphQL Will Become A Major Application Security Risk

There is a significant shift underway in APIs away from REST (Representational State Transfer) to the use of GraphQL. Initially designed by a team at Facebook, GraphQL is “a query language for APIs and a runtime for fulfilling those queries with your existing data.” GraphQL is both more versatile and more powerful than REST APIs. A well-designed GraphQL API can answer a customer’s query or respond to a web application request more quickly and with fewer round trips to the origin server. With this power comes more security risk, particularly for mobile application security, where GraphQL is more common. While REST APIs tend to be confined to a limited subset of replies and data types, GraphQL APIs are expansive and are designed to handle many more types of data. This makes them harder to secure because attacks on GraphQL APIs are harder to differentiate from valid queries. Tuning network security and firewalls for GraphQL applications is more challenging due to the lack of native security features and security tools for the up-and-coming query language, and due to these tools’ limitations in differentiating between the different “APIs” hitting the same GraphQL endpoint. At the same time, API bot attacks are among the fastest-growing application security risks. The combination of growing interest in attacking APIs plus the challenges in securing GraphQL APIs equals a new and risky target that fraudsters will further exploit in 2021.
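Because every operation arrives at the same GraphQL endpoint, a gateway has to look inside the query text to tell a reasonable request from an abusive one. The following is an added example, not code from the original post or from PerimeterX: a dependency-free pre-check that measures a query's selection-set depth and field count, extracts its operation name so each logical "API" can be metered separately, and rejects queries above a limit. The limits and the two sample queries are constructed assumptions.

```javascript
// Added example, not code from the original post or from PerimeterX: a
// dependency-free guard that measures a GraphQL document's nesting depth and
// field count, and extracts its operation name, so an API gateway can reject
// abusive queries and keep per-operation metrics even though every "API"
// shares one endpoint. Limits below are illustrative assumptions.

// Blank out strings and comments first so braces inside them are not counted.
function stripStringsAndComments(src) {
  return src
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// Walk the cleaned text: '{' / '}' track selection-set depth, '(' / ')' track
// argument lists, and identifiers inside a selection set (but outside an
// argument list) are counted as requested fields. Variables ($x), directives
// (@x), aliases ("alias: field") and fragment type conditions ("on Type") are
// skipped; a named fragment spread counts as one field, its expansion is not
// resolved here.
function analyzeQuery(queryText) {
  const src = stripStringsAndComments(queryText);
  let depth = 0, maxDepth = 0, parens = 0, fields = 0, prevIdent = '';
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (ch === '{') { depth++; maxDepth = Math.max(maxDepth, depth); continue; }
    if (ch === '}') { depth = Math.max(0, depth - 1); continue; }
    if (ch === '(') { parens++; continue; }
    if (ch === ')') { parens = Math.max(0, parens - 1); continue; }
    if (!/[_A-Za-z]/.test(ch)) continue;
    let j = i + 1;
    while (j < src.length && /[_0-9A-Za-z]/.test(src[j])) j++;
    const ident = src.slice(i, j);
    const before = i > 0 ? src[i - 1] : '';
    let k = j;
    while (k < src.length && /\s/.test(src[k])) k++;
    const isAlias = src[k] === ':';
    const isField = depth > 0 && parens === 0 && before !== '$' && before !== '@'
      && ident !== 'on' && prevIdent !== 'on' && !isAlias;
    if (isField) fields++;
    prevIdent = ident;
    i = j - 1;
  }
  return { depth: maxDepth, fields };
}

// Named operations can be rate-limited and logged individually; shorthand
// queries are reported as "anonymous".
function operationName(queryText) {
  const m = /^\s*(?:query|mutation|subscription)\s+([_A-Za-z][_0-9A-Za-z]*)/
    .exec(stripStringsAndComments(queryText));
  return m ? m[1] : 'anonymous';
}

const LIMITS = { maxDepth: 5, maxFields: 100 }; // assumed policy values

function admitQuery(queryText, limits = LIMITS) {
  const stats = analyzeQuery(queryText);
  const op = operationName(queryText);
  if (stats.depth > limits.maxDepth) {
    return { allowed: false, op, reason: `depth ${stats.depth} exceeds ${limits.maxDepth}`, ...stats };
  }
  if (stats.fields > limits.maxFields) {
    return { allowed: false, op, reason: `${stats.fields} fields exceed ${limits.maxFields}`, ...stats };
  }
  return { allowed: true, op, reason: 'ok', ...stats };
}

// Constructed sample queries: a normal request and a deliberately deep one.
const NORMAL_QUERY = `
query GetUser($id: ID!) {
  user(id: $id) {
    name
    posts(first: 10) { title }
  }
}`;
const NESTED_QUERY = '{ user { friends { friends { friends { friends { name } } } } } }';

for (const q of [NORMAL_QUERY, NESTED_QUERY]) console.log(admitQuery(q));
```

A check like this sits in front of the resolver and complements, rather than replaces, behavioural detection: the operation name it extracts is what lets per-"API" rate limits and anomaly baselines exist at all on a single-endpoint service.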

BOPIS Becomes One of the Fastest Growing Fraud Types

BOPIS stands for “Buy Online, Pickup In-Store.” Already growing in popularity before COVID among larger retailers like Gap and Walmart, BOPIS has boomed due to the pandemic. Shoppers are prioritizing getting in and out of physical stores as quickly as possible. A related flavor of BOPIS, curbside pickup, has, at times, been the only way to purchase from stores in many parts of the United States and around the world. Fraudsters have recognized the value of combining account takeover (ATO) attacks with BOPIS to quickly, and sometimes continuously, milk compromised accounts for goods or services. For merchants dealing with the rapid increase in all types of online purchases, BOPIS throws a new wrinkle into application security and fraud. Beyond ATO, BOPIS also piggybacks on the growth of egift card cracking and carding attacks focused on loyalty accounts where gift card balances are stored. Egift card usage is soaring as more people elect both to give them as presents during the pandemic and to purchase them for their own personal use. A convenient and easy way to take value out of egift card accounts hacked via card cracking attacks is to use the accounts for BOPIS purchases. Gift cards tend to be harder to protect than actual accounts. BOPIS allows cybercriminals or their surrogates to pick up loot immediately and with minimal scrutiny. There is no shipping address to check against for physical goods, and no delivery address to match in fraud detection algorithms for perishable items like restaurant food. In the current pandemic environment, where delivery services have soared in popularity, there is an even greater chance the person picking up the order is not the person who actually made the purchase. This lack of certainty makes it even harder for stores to verify that someone picking up an order is not a fraudster. For food delivery apps in particular, which are all natively mobile, mobile app security to prevent BOPIS fraud is paramount.
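Without a shipping address to match, BOPIS fraud detection has to lean on the account and order signals described above. The block below is an added example, not code from the original post or from PerimeterX: a small rule-based scorer that combines a recent credential change (the ATO indicator), an unrecognised device, stored-value (egift card) payment, a pickup name that differs from the account holder, and pickup velocity into a score and a handling decision. The weights, thresholds, field names and the three sample orders are all constructed assumptions.

```javascript
// Added example, not code from the original post or from PerimeterX: a
// rule-based risk scorer for BOPIS / curbside orders. Weights, thresholds,
// the order schema and the sample orders are constructed for illustration.

const HOUR_MS = 60 * 60 * 1000;

function normalizeName(name) {
  return name.trim().toLowerCase().replace(/\s+/g, ' ');
}

// Each rule inspects one order and returns true when its signal fires.
const RULES = [
  { name: 'credentials-changed-recently', weight: 40,      // classic post-ATO pattern
    fires: (o) => o.now - o.account.credentialsChangedAt < 24 * HOUR_MS },
  { name: 'unrecognised-device', weight: 20,
    fires: (o) => !o.account.knownDevices.includes(o.deviceId) },
  { name: 'stored-value-payment', weight: 25,              // egift balance being drained
    fires: (o) => o.paymentMethod === 'egift_card' },
  { name: 'pickup-name-mismatch', weight: 15,              // surrogate collects the goods
    fires: (o) => normalizeName(o.pickupName) !== normalizeName(o.account.holderName) },
  { name: 'pickup-velocity', weight: 30,                   // account milked continuously
    fires: (o) => o.account.pickupsLast24h >= 3 },
];

// Sum the weights of the rules that fire and map the total to an action.
function scoreOrder(order) {
  const hits = RULES.filter((r) => r.fires(order));
  const score = hits.reduce((sum, r) => sum + r.weight, 0);
  let action = 'release';
  if (score >= 60) action = 'hold_for_review';
  else if (score >= 30) action = 'verify_id_at_pickup';
  return { orderId: order.id, score, signals: hits.map((r) => r.name), action };
}

const NOW = Date.parse('2021-01-15T12:00:00Z'); // fixed clock so results are reproducible

// Constructed sample orders.
const ORDERS = [
  { id: 'ord-1', now: NOW, deviceId: 'dev-a1', paymentMethod: 'credit_card', pickupName: 'Dana Lee',
    account: { holderName: 'Dana Lee', credentialsChangedAt: NOW - 400 * 24 * HOUR_MS,
               knownDevices: ['dev-a1'], pickupsLast24h: 0 } },
  { id: 'ord-2', now: NOW, deviceId: 'dev-zz', paymentMethod: 'egift_card', pickupName: 'J. Smith',
    account: { holderName: 'Dana Lee', credentialsChangedAt: NOW - 2 * HOUR_MS,
               knownDevices: ['dev-a1'], pickupsLast24h: 4 } },
  { id: 'ord-3', now: NOW, deviceId: 'dev-b7', paymentMethod: 'egift_card', pickupName: 'Dana Lee',
    account: { holderName: 'Dana Lee', credentialsChangedAt: NOW - 90 * 24 * HOUR_MS,
               knownDevices: ['dev-a1'], pickupsLast24h: 0 } },
];

function scoreAll(orders = ORDERS) {
  return orders.map(scoreOrder);
}

for (const result of scoreAll()) console.log(result);
```

The useful property of a rule table like this is that each signal stays explainable to the store associate who has to ask for ID at the counter; the weights are the part a real deployment tunes against its own chargeback history.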

Growing Limited Edition and Flash Sales Create More Bot Headaches for Retailers

App security isn’t only about preventing fraud or protecting APIs. It is also about making security seamless without compromising on a good user experience across all platforms. In some cases, like with flash sales, app security can actually provide a better user experience to your shoppers. Once a distinct strategy of hip e-tailers like Supreme or sneaker companies like Nike and Adidas, limited edition sales are now used by almost every major brand, from Williams-Sonoma for cooking gear, to Gap for classic jeans, to Target for housewares. They’ve become so common that Gartner covered a recent limited edition sale by Adidas of Chewbacca-themed sneakers. Flash sales, which last for brief periods, generate a sense of urgency designed to drive online sales in a hurry. Retailers dangle limited edition items as bait to lure in new customers and reward existing ones. Flash sales are also used as a premium for particularly loyal customers, inject fun and create Fear Of Missing Out (FOMO). These sales types create big opportunities for bot operators seeking to buy limited edition or discounted goods for later resale. In the last year we saw tremendous growth of limited edition sales, both in the number of sales and the number of retailers adopting these marketing programs. Automated bots can flood a sales queue right when a limited release is dropped or right when flash sales kick off. This flood can frustrate attempts by legitimate customers who are not using technology to make purchases. Bots jumping the human queue leads to unhappy customers and harms brand value. More advanced retailers already have anti-bot strategies to block denial of inventory and scalping bot attacks against limited edition sales. As we expect limited edition sales to continue growing in popularity and use, we predict that advanced strategies and tools to help secure the experience of such sales will become mandatory for most retailers.
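The flood described above shows up in the access logs as a handful of clients hitting the add-to-cart endpoint at a rate no person can type, usually without ever having loaded the product page. As an added example, not code from the original post or from PerimeterX, here are two behavioural checks over constructed log lines from a limited-release drop: a sliding-window add-to-cart velocity check, and a check for clients that go straight to the cart endpoint with no prior product-page view. The log format, addresses, paths and thresholds are constructed assumptions.

```javascript
// Added example, not code from the original post or from PerimeterX: two
// behavioural checks over constructed access-log lines from a limited-release
// drop. Log format, IP addresses, paths and thresholds are assumptions.

// Constructed log lines: "<ISO timestamp> <client> <method> <path>".
const LOG_LINES = [
  '2021-01-15T10:00:00.000Z 203.0.113.7 GET /product/LTD-001',
  '2021-01-15T10:00:12.000Z 203.0.113.7 POST /cart/add',
  '2021-01-15T10:00:40.000Z 203.0.113.7 POST /checkout',
  '2021-01-15T10:00:00.050Z 198.51.100.9 POST /cart/add',
  '2021-01-15T10:00:00.250Z 198.51.100.9 POST /cart/add',
  '2021-01-15T10:00:00.450Z 198.51.100.9 POST /cart/add',
  '2021-01-15T10:00:00.650Z 198.51.100.9 POST /cart/add',
  '2021-01-15T10:00:00.850Z 198.51.100.9 POST /cart/add',
  '2021-01-15T10:00:01.050Z 198.51.100.9 POST /cart/add',
  '2021-01-15T10:00:01.250Z 198.51.100.9 POST /cart/add',
  '2021-01-15T10:00:01.450Z 198.51.100.9 POST /cart/add',
  '2021-01-15T10:00:05.000Z 192.0.2.44 GET /product/LTD-001',
  '2021-01-15T10:00:30.000Z 192.0.2.44 POST /cart/add',
];

function parseLine(line) {
  const m = /^(\S+) (\S+) (GET|POST) (\S+)$/.exec(line);
  if (!m) return null; // unparseable lines are skipped, not trusted
  return { ts: Date.parse(m[1]), client: m[2], method: m[3], path: m[4] };
}

// Group parsed events per client, oldest first.
function groupByClient(lines) {
  const groups = new Map();
  for (const e of lines.map(parseLine).filter(Boolean)) {
    if (!groups.has(e.client)) groups.set(e.client, []);
    groups.get(e.client).push(e);
  }
  for (const events of groups.values()) events.sort((a, b) => a.ts - b.ts);
  return groups;
}

// Largest number of add-to-cart requests that fit in any window of windowMs.
function peakCartRate(events, windowMs) {
  const times = events
    .filter((e) => e.method === 'POST' && e.path === '/cart/add')
    .map((e) => e.ts);
  let start = 0, peak = 0;
  for (let end = 0; end < times.length; end++) {
    while (times[end] - times[start] > windowMs) start++;
    peak = Math.max(peak, end - start + 1);
  }
  return peak;
}

// Clients whose add-to-cart rate in any 10-second window exceeds the threshold.
function flagHighVelocity(lines, { windowMs = 10000, maxCartAdds = 5 } = {}) {
  const flagged = [];
  for (const [client, events] of groupByClient(lines)) {
    const peak = peakCartRate(events, windowMs);
    if (peak > maxCartAdds) flagged.push({ client, peakCartAdds: peak });
  }
  return flagged;
}

// Clients that add to cart without a product-page view earlier in the log.
function flagNoBrowse(lines) {
  const flagged = [];
  for (const [client, events] of groupByClient(lines)) {
    const firstView = events.findIndex((e) => e.method === 'GET' && e.path.startsWith('/product/'));
    const firstCart = events.findIndex((e) => e.method === 'POST' && e.path === '/cart/add');
    if (firstCart !== -1 && (firstView === -1 || firstView > firstCart)) flagged.push(client);
  }
  return flagged;
}

console.log('high velocity:', flagHighVelocity(LOG_LINES));
console.log('no browse before cart:', flagNoBrowse(LOG_LINES));
```

Either signal on its own can be triggered by a shared corporate NAT or a user with a bookmarked cart link; the two together, scoped to the minutes around the drop, are what let a retailer move a client to the back of the queue rather than block it outright.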

DevSecOps Goes Mainstream

With a growing percentage of code running in client-side applications coming from third-party JavaScript libraries or services, we see an increase in “Shadow Code.” In front-end JavaScript, Shadow Code is code that is introduced into an application without a formal approval process or security validation. Shadow Code often takes the form of third-party vendor or open source libraries delivering specific functionality into an application. Shadow Code can also include first-party code introduced by a rogue or compromised developer, or unauthorized code injected into the application through a vulnerability or security breach. Because it was not appropriately reviewed, or might have been compromised or modified since code review (which is commonly the case with third-party vendors), Shadow Code may harbor malicious client-side code that alters application behavior to illegally gather and exfiltrate PII from websites. The malicious code may escape further scrutiny since it executes on the client side.

Cybercriminals love Shadow Code exploits because hacking a commonly used library or service can place the malicious code on hundreds or thousands of websites. For example, the widely used jQuery JavaScript library has been breached multiple times, leading to digital skimming attacks broadly across the e-commerce sector. Adding jQuery to an application without an appropriate security review to ascertain whether that version of the library has an outstanding vulnerability is a classic Shadow Code failing. Typosquatting is another favorite in the broad-reach category: hackers create malicious third-party scripts with names very similar to legitimate services (for payments or chatbots, to name two examples), either to trick developers into adding the code or to reduce suspicion when the code sends stolen data to those look-alike domains. The malicious scripts then execute hard-to-detect skimming attacks against application users, often evading detection for months.
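The typosquatting case above is one a script inventory can catch mechanically: every script host on the page is compared against the list of vendors that actually went through review, and anything that is a near-miss of a reviewed host is reported as a suspected lookalike rather than just "unknown". The following is an added example, not code from the original post or from PerimeterX; the page markup, the `.example` hostnames and the allowlist are constructed assumptions.

```javascript
// Added example, not code from the original post or from PerimeterX: a script
// inventory audit that extracts every <script src> from a page, resolves its
// host, and compares it against an allowlist of reviewed vendors. Hosts within
// a small edit distance of a reviewed host are reported as suspected lookalikes.
// Markup, hostnames (.example TLD) and the allowlist are constructed.

const FIRST_PARTY = 'https://shop.example';
const REVIEWED_HOSTS = ['shop.example', 'cdn.payments.example', 'widget.chatbot.example'];

// Constructed page fragment: first-party, two reviewed vendors, one lookalike
// (rn for m), one unreviewed vendor and one inline script.
const PAGE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.payments.example/v3/checkout.js"></script>
<script async src="https://cdn.payrnents.example/v3/checkout.js"></script>
<script src="//widget.chatbot.example/w.js" defer></script>
<script src="https://stats.unknown-vendor.example/t.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>`;

// Classic single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Exact allowlist hit -> reviewed; near-miss -> suspected lookalike; else unreviewed.
function classifyHost(host, reviewed, maxDistance = 2) {
  if (reviewed.includes(host)) return { verdict: 'reviewed' };
  let closest = null, best = Infinity;
  for (const r of reviewed) {
    const d = levenshtein(host, r);
    if (d < best) { best = d; closest = r; }
  }
  if (best <= maxDistance) return { verdict: 'suspected-lookalike', closest, distance: best };
  return { verdict: 'unreviewed' };
}

function auditScripts(html, reviewed = REVIEWED_HOSTS) {
  const findings = [];
  const tag = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) { findings.push({ src: null, host: null, verdict: 'inline' }); continue; }
    // URL resolution handles relative ("/static/app.js") and protocol-relative ("//host/x.js") sources.
    const host = new URL(src[1], FIRST_PARTY).hostname;
    findings.push({ src: src[1], host, ...classifyHost(host, reviewed) });
  }
  return findings;
}

for (const f of auditScripts(PAGE_HTML)) console.log(f);
```

Edit distance is deliberately crude: it misses homoglyph tricks in internationalised domain names and will produce near-misses between very short hostnames, so the "suspected-lookalike" verdict is a triage label for a human reviewer, not a block decision. Inline scripts are listed too, since a script with no `src` is exactly the kind of code nobody reviewed.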

Shadow Code can mean either tampering with first-party scripts or leveraging compromised third-party scripts to make unauthorized changes to application behavior. Many Magecart or other types of digital skimming or PII harvesting attacks exploit Shadow Code to harvest sensitive information and harm data security. In one eye-opening example, during the software development process, one of the world’s largest banks added third-party code pulled from the Internet Archive into the code base of a live, customer-facing web application. Obviously, this created a major security vulnerability because hackers could have exploited vulnerabilities in this older version of the script, or altered it to gain access to personal data on the banking application. This shows the ease with which a developer can introduce malicious code (intentionally or unintentionally) into a highly secured application, bypassing all the controls the company had in place. In other instances, malicious hackers have been able to modify first-party scripts to insert skimmers or keyloggers and capture information from users that is then exfiltrated in a client-side data breach and sold off or used for subsequent attacks.

In a quick survey of financial services companies, to name one industry, we saw an average of 10 first-party scripts and 14 third-party scripts running. None were running Content Security Policy (CSP), the easiest way to prevent client-side code from taking unauthorized actions at runtime. Such a large number of scripts presents a rich attack surface. Usually, client-side data breaches are detected after many thousands of users have had their data skimmed and exfiltrated, and ultimately sold on the Dark Web. Because of this trend, more and more companies realize that they need to build application security into the entire lifecycle from development to runtime. We talked about DevSecOps this year and explained how it works. We believe we will see more security and development teams adopt DevSecOps practices in 2021. Alongside this trend, security teams will add new cybersecurity tools to test third-party code and libraries not only as part of their normal code deployment pipeline but also at application runtime, to account for the fact that application components may be modified or tampered with outside of the regular development cycle.

Conclusion: Leaning Forward in 2021

This year, our predictions focus on less-known trends such as GraphQL API attacks, BOPIS fraud and Shadow Code risks. We see all of this in our own practice, which, as our research and customer base each grow broader, provides a better view of the future with each passing month. As strange as it sounds, we believe 2021 will bring as many or even more disruptive changes than last year. For that reason, trends we saw as a little outside the radar are now moving more quickly into the mainstream. A critical underlying trend — digital transformation — will further accelerate our predictions. Web applications and hybrid web applications are rapidly replacing desktop applications. This will mean that every operator will need to double down on basic security solutions such as automated security testing, penetration testing and defending against the attack classes catalogued by OWASP. Beyond the obvious, these trends highlight even more the need for innovative and forward-leaning application security technologies that use AI and machine learning to look at behaviors rather than signatures, at scale, as every business increasingly becomes a web-facing, application-driven digital business.

To dive deeper into these predictions and explore your questions, please join me for a live webinar on Thursday, December 10.
