Why application security will be critical on Cyber Monday

While Black Friday and Cyber Monday began as a primarily American phenomenon, this shopping weekend is equally famous now in Europe, the UK, Australia, and many other countries. Friday, Saturday, Sunday, and Monday are just four days of the holiday shopping season, and while that is short compared to all the days in a year, it’s safe to say they are the most important four days each year for the global digital economy.

How strong is the urge to shop? Even way back in 2008, thousands of shoppers in Valley Stream, New York, waited at 4 a.m. in the bitter cold outside Wal-Mart for the doors to open.  Eventually the crowd couldn't wait any longer, broke down the doors, trampled an employee underfoot, didn’t' stop but just kept rushing forward to buy, buy, buy!

But this year, retailers better make sure their cybersecurity is top-notch because instead of crowds breaking down the door to do in-store shopping, it's safe to assume that shoppers will be making a mad rush to e-commerce sites and flash sales instead. Having your site hacked or having bots hoard your inventory or deny service is the literally the last thing any retailer wants this year.

How big will the four days culminating in Cyber Monday be this year? It will be interesting to see.

If previous years are any indicator: huge! In 2019, even with no restrictions on in-person shopping, over $9 billion was spent online on Cyber Monday alone, and a whopping $81 billion was spent online between Nov. 1 and Dec. 2. Factor in lockdowns, and Adobe estimates this number will go up by 33% for 2020.

Preparing for an onslaught of attacks

The flip side to that is the question of how severe the hacks and digital threats will be this year. What should retailers expect? Nobody knows, but if previous years are any indicator, e-commerce teams should be prepared for the worst.

For e-commerce, protecting against the OWASP Top 10 Risks is, as always, the essential minimum baseline level of protection. For most retailers, the simplest way to ensure this is to deploy a web application firewall (WAF) from a trusted vendor.

Web application firewalls have protected countless billions of e-commerce transactions for the past 10 years and remain the most stable, trusted, and widely deployed method to block the OWASP Top 10 before the attacks reach your servers.

A WAF can be deployed like a proxy firewall or like a content delivery network (CDN), and it protects the e-commerce site without creating a lot of work for the application teams.

The problem with bots

So, with a WAF taking care of the OWASP Top 10 headaches, there remains a more insidious threat afoot this year: Bots! Automated, scripted, and sophisticated, bots are a category unto themselves when it comes to e-commerce. They’re not new, but it’s a safe bet they will be a bigger problem this year than ever before.

According to Gartner: "The main types of bot attacks include distributed denial of service (DDoS), fraudulent purchases, web scraping, and vulnerability scans and exploits."

What are bots all about? Rather than hacking databases, bots focus on hammering e-commerce sites with realistic traffic, slowing sites to a crawl or breaking the site altogether.  This is known as denial of service. Bots don't stop there. Among their nefarious behaviors, bots will go to e-commerce sites and automate clicks, adding all available inventory to bot shopping carts, leaving nothing for the real customers.

A nasty side-effect of bots is they act as a huge disruption for your marketing data, making it difficult to determine what is real traffic and what is fake. Another problem bots can create for the CFO is scanning product price data so a dishonest competitor can always be cheaper. Bots keep e-commerce teams fighting fires instead of focusing on optimizing the shopping experience.

So, not only must retailers block the OWASP Top 10, but they also must block the bots as well. In fact, OWASP have an ontology of automated threats (OAT) that classifies the different types of attacks bad bots make against web applications. This means having not only a trusted web application firewall in place, but also anti-bot protection that can protect against these new classes of threats as well.

How Barracuda can help

Fortunately, Barracuda offers not only one of the most trusted, and best-supported WAFs available today but also best-in-class anti-bot protection, which can be deployed with very little work as a licensed add-on. Using machine learning, Barracuda Advanced Protection is proven to keep those pesky bots off your back.

With Advanced Bot Protection, Barracuda WAF gains a host of new tricks including:

• Bot spam detection — Reduce referrer spam and block comment spam


• Credential stuffing prevention — Stop account takeover attacks (ATO)


• Request risk scoring — Use advanced behavioral analytics to detect attackers


• Client finger printing — Track users with better fidelity than IP addresses


• Dedicated bot mitigation UI — Make it easy to configure bot mitigation features


• Form spam prevention – Stop automated form filling by analysis of how a form is used

Barracuda Web Application Firewall and Advanced Bot Protection are available on any platform, including public and private cloud, physical form-factors, and even as-a-Service.

Best of all, the same WAF engine powers all platforms, so e-commerce teams can deploy in any environment knowing they are protected by the trusted name of Barracuda Networks.

To get started, retailers should head over to  https://www.barracuda.com/products/webapplicationfirewall for a 30-day free trial, which includes the Advanced Bot Protection retailers need to put their safest foot forward this holiday shopping season.

Here’s from all of us at Barracuda wishing all the hard-working e-commerce teams out there a safe, profitable, and above all bot-free digital selling season!

Block Malicious Bots and Automated Attacks