Skip to main content
Seasonal marketing websites are long term security risks if not properly inventoried!
December 12, 2016

Holiday Short-Duration Sites Deliver Long-Duration Headaches

The holiday season is now upon us, which means retail pop-up stores and seasonal sites. Those are all good for merchants, good for gift-seeking shoppers and potentially very good news for cyberthieves hoping for vulnerable sites that can fuel fraud.

Why, you might ask, would a retailer with robust anti-fraud and other security measures forego those efforts for a seasonal site? First, they do and the reasons are many. These short-duration sites are also outsourced to a group that can create them quickly, without overly distracting the core team during the busiest time of the year. It's not unusual for the site itself to be created on a cloud server somewhere, so that even more of the IT governance rules (including security apparatus) can be ignored.

And even when they done in-house, the time devoted to such short-duration sites is typically a minute fraction of the time to create the permanent web pages. Shorter timeframes means a lot of corner cutting—and that means less testing and certainly less robust testing.

This often gets even worse. Once the holidays are over, teams are reassigned and contractors move on to something else. The site will get ignored. Sure, no new content is being poured in, but it’s common for companies to forget to disconnect it from the shutdown and kill—or at least make dormant—the site. You may no longer link to it, but it’s still there. What a golden opportunity for cyberthieves to take their time and to literally get cracking. Why not? No one is watching and the site is still connected, one way or the other, to the heart of your network. Yes, that can mean a site with old, unpatched and unmaintained code is out there, unmonitored yet tethered to your company.

As you can imagine, these shortcuts don't impact retailers universally. There are essentially two kinds of merchants: big and small. In the big category, sites spun out by the likes of Macy’s, Walmart, Target and Home Depot have fairly robust app security mechanisms and they are good about not bypassing protocols for even the smallest short-duration site.

But when you drop a level—to the place where 99.9 percent of merchants live—the scenario changes dramatically. That’s indeed where you are going to see app security neglected—to their own peril.

In this year's State of Software Security report, for example, we see that retailers failed their OWASP policy compliance pass rates for first-time scans 62 percent of the time. On the plus side, retail has shown a better-than-average ability to fix security holes once they find them. But the 62 percent stat flags how many problems they start with. If testing and remediation are not priorities—you need to shoot anyone who says "The site will only be up for five weeks so why bother?"—you're going to have a lot of problems.

This is particularly problematic for multiple reasons. A high percentage of holiday shoppers are going to not be your regular shoppers. They may be buying a gift for a new person on their shopping list (a new sister-in-law perhaps?) and going to a site they never had a reason to visit before. That's great, if your goal is to expand your customer base. That's less than great if you need to subject them to additional security hurdles. More hurdles translate into a weaker experience.

These customers are going to entrust your site with their card numbers or other payment credentials. If something bad happens, those shoppers won't plan your pop-up site for the holidays. They will blame the core brand, which is what attracted them in the first place.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. 

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.