Fenny Kuo, software and cyber security specialist at Galaxy Software Services (GSS) shares her insight into what is happening in Taiwan and further afield in the area of eCommerce, crime and rapid digital transformation. Among the many global impacts of COVID-19 one very noticeable effect was on the way we buy on the Street - particularly in small and medium-sized businesses. Many brands here in Asia from Grocery stores, Supermarkets, Clothes stores, to retailers and restaurants were forced to close their doors to prevent the virus from spreading. And that has led to a huge jump in the field of eCommerce. This is something we have seen not just in Asia and Taiwan but across the entire world. With many brands hoping to continue serving their loyal customers and reduce their financial losses, businesses rapidly launched online stores and took their first steps into the competitive and fast-paced world of digital sales. Suddenly you could find local Taiwanese brands competing against big Amazon-like websites. At the same time, businesses that had already adopted online channels found they needed to quickly improve their offering to meet even more customers, new customers, and increased demand. In the past year we have experienced many requests from eCommerce retailers new and old for advice on how to deliver software quickly and securely. We found that every business launching or expanding an eCommerce application faces three key challenges as they aim to protect and restore valuable revenues:

1. Meeting high customer expectations from experienced and new users

Online customers have high expectations of digital shopping that have been shaped by giants such as Alibaba, Amazon, Shopee, Momo, and PChome. This means eCommerce applications must be sophisticated, personalized, and reliable to earn their place on the buyer radar. However, businesses cannot afford to overlook the arrival of less sophisticated customers that have entered the digital shopping mall since the start of the pandemic. These are the customers who did their shopping in person until a year ago, in the stores that are now trying to attempt them to engage online. Research by Google, Temasek Holdings Pts, and Bain & Co predicts a 63% increase in e-commerce gross merchandise value in Southeast Asia, with online shopping forecast to reach $172billion by 2025 versus a previous $153 billion estimate. According to the research, 40 million new users accessed the internet in 2020 and one in three digital service users came online for the first time because of COVID-19. For these new customers, applications need to be easy to use, familiar and trustworthy, replicating the customer’s offline relationship with the brand.

2. Protect against security threats

eCommerce applications are under constant threat from cybercriminals due to the valuable personal and financial data they collect, and this has significantly escalated during the pandemic. The 2020 Verizon Data Breach Incident Report found that “attacks against eCommerce applications are by far the leading cause of breaches in this [retail] industry. As organisations continue to move their primary operations to the web, the criminals migrate along with them.” The research also found that breaches caused by attacks on web application vulnerabilities now exceed those caused by point-of-sale attacks. Security researchers Barracuda Networks detected millions of bad bots attacking eCommerce websites in India, while a different study by the same organization found that 51% of organisations in Asia-Pacific have suffered at least one cybersecurity incident since the start of the pandemic. It is obvious that the flood of new and naïve customers together with rising transaction volumes are proving an attractive target for hackers who are exploiting application vulnerabilities to break into systems and exfiltrate data. Aside from the risk of customer data compromise, any downtime caused by a malicious attack means a direct loss of revenue for the retailer, something they can’t afford in the current climate.

3. Regulatory and reputational risk

Security failings expose businesses to regulatory risk in the event that customer data is stolen as a result. Here in Taiwan the Cyber Security Management office is now a requesting all eCommerce companies to protect customer information by reviewing and looking for vulnerabilities. The same process is now happening on a global scale. The EU GDPR, CCPA in the US, and other regional privacy laws mean ensuring that eCommerce applications are secure should be a priority.

Rapid deployment schedules put pressure on application security

Nevertheless, a factor that can often weaken application security is the high frequency of software releases that this sector demands. In order to deliver competitive new features and customer offers, software is often being released to production multiple times per day. It goes back to those customer expectations – everyone is being judged on the same basis as the world’s largest retailers, but few have the developer and security resources to match them. This causes tension for developers who are under pressure to push code to production. They can find that running full security scans takes time they do not have, delaying production releases, and potentially having a negative impact on revenues. The temptation to release code without completing full scans is very real. In fact, recent research by ESG found that 79% of respondents have pushed code to production with known organic vulnerabilities. In a high-threat, highly regulated environment this introduces an unacceptable level of business risk.

Resolving the tension of security vs. speed

The challenge for developer teams is how to maintain momentum and utilize an agile software development approach integrating open source and proprietary code, without accruing security risk debt that causes bottlenecks as the production deadline looms. The solution is to automate application security testing (AST) throughout the Software Development Life Cycle. By deploying integrated code-scanning solutions that completely automate scans directly from Source Code Management (SCM) solutions, CI/CD tools, and Integrated Development Environments (IDEs) developers can increase efficiency, improve security, and measurably reduce delays. Upon pull, push, merge requests, etc., these events can automatically trigger incremental Static Code Analysis (SAST) and Software Composition Analysis (SCA) scans at key points in the developer workflow. As a result, code vulnerabilities can be identified and corrected at an earlier stage of the development process within the branch of code developers are currently working on. This is particularly valuable for retailers who are early in their eCommerce journey because it establishes a security by design, from the start, to be ensuring that the business adopts a mindset where security is intrinsic, not an afterthought. For our customers, it means they can continue to put their trust in the high street brands they know and love, confident that their personal information is protected.

About GSS:

GSS has been a loyal and trusted partner of Checkmarx for over 5 years. https://www.gss.com.tw/checkmarx Galaxy Software Services Corporation (GSS), one of the leading business application software and consulting service providers in Taiwan, specializes in system integration of business applications, business-specific software development and business process and technical consulting services. Founded in 1987, GSS is a leading SaaS/Cloud Computing service provider in the East Asian region. Through state of-the-art information technology, sophisticated software engineering and superior framework design, GSS has been developing effective e-process and innovative applications that satisfy the business needs of over 2,000 customers in different industry sectors, including government, finance, telecommunications, manufacturing, logistics, hospitals, and schools.

About the Author: Fenny Kuo

https://www.linkedin.com/in/fenny-kuo-03461972/?originalSubdomain=tw Fenny has more than 10 years of information security experience in Taiwan. She is mainly responsible for security program development training, application security configuration & design and vulnerability fix. Meanwhile, Fenny with her rich knowledge and experience, has already assisted dozens of enterprises to implement solutions, design and adjust corporate institutions.