The average total cost of a data breach sits at just under $4 million, according to 2020 data from IBM. Of the incidents collected in the report, it takes the average organization 280 days to identify and contain the effects of a cyber attack.
Couple those statistics with headline-grabbing cyber incidents, such as the Colonial pipeline ransomware attack, and it’s easy to see why cyber security has never been more critical to business, especially at the app development level.
This article will cover everything about cyber security that Shopify app developers need to know. We’ll go over major areas covered in cyber security best practices, as well as other cyber security facts that can help secure your Shopify app and, as a result, build merchant trust.
Build apps for Shopify merchants
Whether you want to build apps for the Shopify App Store, offer custom app development services, or are looking for ways to grow your user base, the Shopify Partner Program will set you up for success. Join for free and access educational resources, developer preview environments, and recurring revenue share opportunities.Sign up
What do you need to know for cyber security success?
For anyone building or optimizing an app for the Shopify App Store, it’s critical to get a well-rounded answer to this common question: What is cyber security all about?
Perhaps more specifically: What areas of computer security are the most vital when constructing sound, secure code?
Before delving into specific cyber security threats, it’s equally important to have a firm understanding of what cyber security entails and what can motivate cybercriminals to commit malicious acts.
What is cyber security?
Cyber security encompasses all the technical and procedural safeguards to keep devices, computer systems, and sensitive information safe.
With a growing emphasis on data privacy and regulatory compliance, cyber security best practices have become a central focal point for ecommerce and retail businesses.
Causes of cyber security data breaches
From ransomware and malware attacks to credential theft and other social engineering tactics, data breaches can be linked to a variety of motives.
Most often, cyber attacks are executed because hackers may be after:
- Financial details (account info, credit card info, etc.)
- Sensitive personal information (dates of birth, addresses, etc.)
- Email addresses and other login credentials
- Databases and client lists
- IT infrastructure
- IT services (such as the ability to accept online payments)
- Intellectual property (product designs, confidential development info, etc.)
Cyber criminals target apps and their structural vulnerabilities to extract sensitive information and suit the purpose at the heart of their operation. Underlying motives can include:
- “Hacktivism” that makes a social or political statement
- Corporate espionage, often for competitive gain within an industry
- Intellectual challenges and other ethical hacking operations
Regardless of the data targeted or the reasoning behind an attack, succumbing to a cyber threat can often be detrimental to an organization’s reputation, sometimes even more so than their bottom line. If you’re the subject of a headline-grabbing data breach, it can take years to rebuild public trust in your brand.
Why cyber security is required
By 2023, the big data industry’s value will hit $77 billion. Despite this, most organizations are only analyzing about 12 percent of the data at their disposal. So, with so much money at stake and massive amounts of data that remain untapped by the vast majority of merchants out there, protecting this increasingly valuable asset is fundamental to building a thriving business.
Cyber security isn’t only about keeping your account password safe either. It underpins everything that touches the global digital economy, from infrastructure to network to connected systems relied on by developers and end users alike. And, in most countries, data privacy laws and legislation are raising the bar for securing sensitive information and assets.
"As a developer or business, it’s an obligation to adhere to recognized best practices in cyber security."
In short, it’s no longer an option. As a developer or business, it’s an obligation to adhere to recognized best practices in cyber security.
You might also like: What App Developers Need to Know About GDPR.
10 cyber security threats you should know about
To keep your app’s security measures up to date and as strong as possible, it’s essential to know which cyber threats currently pose the biggest threat to app developers. This level of understanding can help app builders anticipate and guard against common tactics employed by hackers.
For more information on each of the threats detailed in this section, we recommend checking out OWASP’s dedicated webpage.
A code injection occurs when untrustworthy data is sent to an app with the intention of executing unintended and possibly dangerous commands. This hostile data can also allow an attacker unauthorized access to sensitive information.
Preventative measures for code injection will vary depending on the technology you’re using to run your app and business. If you’re regularly working with out-of-the-box software or a SaaS, minimizing this vulnerability may be limited to reducing the number of plugins, themes, or external add-ons you have installed.
However, if you’re developing your application or any of its components from the ground up, you’ll need to be aware of specific security requirements when structuring and writing the app itself. These can include selecting safe APIs, using positive input validation, and researching safe usage patterns for your given technologies. Avoid making system calls whenever possible. If you must, then do not allow user input to make it into these system calls.
2. Broken authentication
Broken authentication can allow cybercriminals to control an account and, by using it as an in point, potentially compromise an entire network or computer system. This type of vulnerability can arise due to logic issues within an app’s implementation of authentication protocols or via unauthorized access tactics like credential theft.
To prevent broken authentication incidents from cropping up, developers must ensure they’re adhering to the latest website security best practices. This includes proper code testing before deployment, enabling multi-factor authentication, and implementing weak password checks for admins.
3. Sensitive data exposure
Because many existing applications, APIs, websites, and other digital entities don’t adequately protect sensitive data, cybercriminals can easily steal or modify this information. They then use the data to commit malicious acts, like credit card fraud and identity theft.
Sensitive data that must be well-protected includes:
- Credit card numbers
- Social Security Numbers
- Medical information
- Personally identifiable information (PII), like your address
Having the proper protections in place has become a significant merchant and consumer concern, especially with the advent of new data privacy regulations like GDPR. One such method is having an SSL certificate, which encrypts data transmitted between the host server and the client.
4. XML external entities (XXE)
This cyber threat targets older or poorly configured XML parsers, enabling external entities to obtain and disclose internal files. Additionally, these entities can also execute internal port scanning and remote code, as well as carry out denial of service attacks.
Preventing this attack means developers should, whenever possible, structure data in less complex formats, like JSON, and upgrade all XML processors and libraries used by the application. Positive input validation and filtering can also help avoid hostile data infiltration.
5. Broken access control
When access controls are broken, users may be able to access pages, features, or other functionality that’s generally out of their reach. If this happens, ordinary users may gain unauthorized access to an administrative panel, database, or server and either view or compromise sensitive files and other information.
To avoid broken access control issues, developers are encouraged to implement strong access controls, especially around individual user accounts or credentials, rate limit API and controller permissions, and log all control failures. Where appropriate, admins should be alerted too.
6. Security misconfigurations
This term refers to the host of variables that may increase a cybercriminal’s chances of executing a successful cyber-attack. These include (but are not limited to):
- Default tool or website configurations
- Unpatched system flaws
- Unprotected pages, files, and directories
- Unnecessary pages or services
Preventing security misconfigurations should be kept top of mind throughout the development process. To ensure this, development, QA, and production environments should have identical configurations to minimize setup and translation flaws. Segmenting app architecture can automate how you verify the security of various settings are also best practices.
7. Cross site scripting (XSS)
XSS attacks consist of using scripts injected into client-facing websites to execute malicious code. XSS vulnerabilities typically require user interaction to trigger the sequence, often through social engineering techniques. If unpatched, these threats can go undetected for long periods.
To avoid this scenario, use frameworks that escape XSS automatically and sanitize or escape untrustworthy HTTP request data through context-sensitive encoding. For in-depth technical explanations of XSS prevention methods, consult OWASP’s cheat sheet.
8. Insecure deserialization
The process of deserialization, meaning the conversions of byte strings into objects (otherwise known as ways to structure data), can impact everything that interacts with your application, including URLs. When this occurrence isn’t secured, it can lead to remote code execution, injections, and other types of attacks.
For these reasons, developers must never accept serialized objects from untrustworthy sources. Enforcing type constraints before object creation and executing integrity checks can help prevent data tampering that can stem from the attacks mentioned above.
9. Using components with known vulnerabilities
Apps, websites, and other digital assets can leave sensitive information vulnerable when regular software updates aren’t performed. Whether it’s a lack of backward compatibility with newer apps or operating systems or fear of breaking an existing structure, you must avoid this scenario at all costs.
Ensure all your dependencies aren’t presenting you or your clients with any security threats. You can monitor changes in vulnerability levels using tools like Common Vulnerabilities and Disclosures (CVE) and National Vulnerability Database (NVD). If needed, remove unnecessary dependencies from your inventory.
10. Insufficient logging and monitoring
An insufficient logging or monitoring system can lead to increased damage stemming from a data breach. If threats or attacks aren’t detected, taking the right action in time can be an insurmountable task.
For widely adopted server monitoring, OSSEC is a world-renowned free tool that covers all aspects of system activity, including both file integrity and log monitoring, root check, and process monitoring. It’s highly recommended that you invest in additional website security measures to stay on top of any suspicious activity on your app or website.
How to learn more about cyber security
For additional resources that will enable you to learn everything you need to know about cyber security, including cyber security must-haves for your app development process, here’s a starter pack of some of our favorites:
- The Basics of Web Application Security
- Google’s Web Fundamentals for Security and Identity
- OWASP’s Web Security Testing Guide (and, really, their entire site)
- Writing Secure Code, by Michael Howard and David LeBlanc
- 24 Deadly Sins of Software Security, also by Howard and LeBlanc, along with John Viega
For cyber security-related news updates, blogs like CSO Online, Dark Reading, Naked Security, Krebs on Security, and more are great resources, as is the FBI’s webpage on cybercrime.
You might also like: Website Security: 13 Ways to Improve Front End Security and Not Get Hacked.
Questions to ask a cyber security expert
Sometimes, your cyber security questions or issues may require a more detailed response than is possible to find through a simple online search. Contacting local IT technicians, cyber security firms, or local law enforcement in your area may be the best way to quickly and seamlessly get relevant information on a particular cyber threat or topic.
Cyber security: a major app development priority
As the world hurtles down a path of increased digital transformation, understanding what your development team needs to know about cyber security best practices and how to best execute them is a vital ingredient for long-term success. Beyond keeping administrative and client data safe, it will position your app for continued growth in the global marketplace.
This blog post covered a lot of essential cyber security information, but, to be consistently effective over the long haul, you must also keep up to date on major cyber threats and related developments. Knowledge is power and, the more you have at your disposal, the more secure your sensitive data will remain.
What steps do you take to keep your apps and data safe? Let us know in the comments below.