Opening your platforms to such a large number of third parties will, of course, introduce more risk to your organization – especially in the context of privacy laws like GDPR from the European Union and CCPA out of California. With privacy being the main focus these days, security teams need to properly evaluate the security posture of any third-party integrator before giving them access to customer data. On the flip side, integrators understand that they need proper security controls in place if they want to succeed in such a climate. In addition to making sure third-party platforms are secure, you should also make sure your own platforms are. Whether it’s the web interface or the mobile app, security has to be built into the customer experience to ensure that the public-facing risk is mitigated.
While Magecart is a rudimentary tactic, it’s a perfect example of how malicious actors can exploit the assumption consumers have that their experience is secure. This is why they are willing to share so much personal data with healthcare systems, financial institutions, and government bodies over the web.
Balancing security and end-user experience has always been tricky. It’s not so much about locking down what is displayed to users, but more about visibility into the potential risk of what’s been built. This applies to any web platform, whether it’s accessed through a browser or a mobile device, to ensure a safe but enjoyable experience for the user.
Proactive efforts to secure the customer experience on mobile and web as well as comprehensive evaluations of third-party vendors are basic actions organizations should be taking to protect customer data. In addition, in-depth evaluations of guidelines and compliance parameters of GDPR and CCPA should be conducted. This will make sure your security teams understand the risks involved and give the platform developers a better context of why security needs to be part of the build and maintenance processes.
Unfortunately, these findings do not come as much of a surprise, with some estimates suggesting that up to 90 percent of an application can consist of third-party components, many of which are open source. This is not an issue that can be fixed easily or quickly without a wholesale overhaul of the way applications are developed. Back in 2016, we saw how one programmer briefly broke the internet by deleting 11 lines of code. Therefore, organisations should consider putting in place tools and procedures that can help them identify and fix any security issues that may be present. This means organisations need to consider all aspects of security throughout their physical and software supply chain, identifying where vulnerabilities are and applying the appropriate countermeasures where necessary.