Web security is rapidly increasing in importance for online retailers. Even if your site is never compromised, concerns about security might give visitors reasons not to purchase.
Alan: Hi Ken! For folks not familiar with ScanAlert, can you give us a thumbnail of what you do?
Ken: We help make websites secure against hackers, and we certify a site’s security to their customers. We provide two main services; validation to the PCI Data Security Standard (the credit card industry security standard) as well as our own “Hacker Safe” certification.
Our certification involves daily security audits. Sites which pass can show our Hacker Safe seal. The seal is dynamically generated and only appears when a site passes its daily scan.
We began in 2001 with the idea of making online retailing more secure, and giving merchants a way to promote security so their customers would feel comfortable buying from them. From four founders, we’ve self-funded our growth to where we have three offices and 125 employees.
Today we’re scanning more than 80,000 websites in 75 countries. Our focus is online retail, and we serve the majority of the IR500.
A: What are the origins of the firm?
K: I was the founder in the mid-1990s of the first retail domain registration company called TABNet. We quickly evolved into hosting websites, and actually hosted the United States Marine Corps website when they first went online. We registered a lot of domains and became the world’s largest web host with over 150,000 customers in under two years. It was very exciting. It didn’t take too long to perceive the importance of security and trust in online transactions and retailing, in particular. In two years, we built TABNet up to 200 employees and were then acquired by Verio.
I returned to the entrepreneurial waters again and was involved in a number of Internet startups. The marketing opportunity for security always remained evident to me. In the fall of 2001, I started developing a plan to provide services that could meet the specific security needs of online retailers.
There was no way for consumers to know which sites were safer than others. Even if you were diligent with security, consumers had no way to differentiate your site from a competitor who was lax about security. You could have the best security in the world, but if prospects didn’t feel comfortable with you, they wouldn’t translate into customers. This was the opportunity that we’ve pursued.
A: I’m a tech geek. Can you go into more engineering detail about the various scans you run, how often, and what you are looking for, and so on?
K: We have a three phase scanning process designed to find weaknesses in a website or network that would allow hackers to gain access.
For Hacker Safe customers, we run scans randomly once every 24 hours. For PCI customers we scan every 90 days.
The first phase is an interactive port scan of the target network. Finding open ports on an IP address is the crucial first step in an audit. Most scanning solutions rely on Nmap; we do more, using our own advanced port scanning which handles all targets from desktop PCs to firewalls to IDS and IPS systems.
The second phase is a network services vulnerability scan. Here we interrogate each service running on every port. We want to determine what software is running and its configuration. We compare this information against our knowledge base of vulnerabilities. We then launch additional application specific and generic tests of each available service. Our tests are based on our database of over 10,000 vulnerabilities, which we’re continually updating.
Web application testing is the third phase. I’d say this is probably the most important. We check all HTTP servers for potentially dangerous modules, configuration settings, CGIs and other scripts, and default install files. We “deep crawl” the web apps, including flash links and password protected pages. We’re looking for forms and such to test for vulnerabilities like code revelation, cross-site scripting, buffer-overflow, and SQL injection.
There’s a lot of technology behind the scenes. We’ve been working on these systems for over six years now. The three-phase approach lets us do thorough audits with low load on our customers’ servers. It also lets us to really localize our testing. For example, we can run single test phases to detect port changes, test specific ports or vulnerabilities, or run web app only tests on multiple sites on a single server.
We’ve been at this for six years, and to date we’ve run over 25 million site scans.
A: You mentioned application level exploits like SQL injection. Are there certain classes of vulnerabilities that your scans can’t see?
K: No, our scans are designed to detect all types of vulnerabilities.
A: What should retailers be doing about the threats you’ve described?
K: Web application vulnerabilities are the most commonly targeted security issues for retailers. SQL injection and cross site scripting are probably the two most pervasive examples, and we see them frequently. They’re also particularly important for companies seeking PCI DSS validation because the presence of either makes you fail the scan.
To avoid these app-level security holes, retailers need to be knowledgeable about web application security and conduct regular testing, both of test and production servers.
There are resources available to help online retailers with this. I’ll plug our own technical support and Labs groups, Hacker Safe Labs . Our team has discovered a number of new security holes and worked with vendors and the community on patches.
A: When you take on a new client, what are the odds they fail their initial scan?
K: Since we began in 2002, the percentage of customers failing the initial scan has been pretty constant at about 75%. And large enterprise sites are just as likely to fail as smaller sites.
A: Wow. Three out of four sites fail the first scan to some degree – that’s a sobering statistic. So most online retailers, unless they’re actively working on security, probably face vulnerabilities. What do they do next?
K: We collaborate with site owners, their web hosts and their consultants to help them fix the problems we find. Our support team averages over 14 years experience in the industry, and many have certifications like CISSP. We provide online tools and unlimited email and phone support to our customers. There’s usually a sense of urgency to close whatever holes we find.
A: What is your business model? How do you charge?
K: We operate on a subscription model, “software as a service.” All PCI accounts are sold on annual basis, customers can subscribe to Hacker Safe monthly or annually. Our pricing tiers basically map to site traffic and complexity. The busier the site and the more complex the infrastructure, the more we charge. We also provide a managed service for enterprise clients, more personal account management and regular penetration testing, for higher risk sites like casino hotels.
A: Can you name some clients?
Just a few of our domestic customers include: AIG, Armani Exchange, Blue Fly, Blue Nile, Callaway Golf, FTD, Foot Locker, GNC, Guess, Omni Hotels, Oriental Trading, PacSun, Petco, PetSmart, Prudential, Restoration Hardware, Sony Music, Sports Authority, Toshiba, and Warner Brothers.
Overseas, our foreign resellers have signed up some great accounts like Maplins (UK), Wehkamp and Otto (Holland), Pernambucanas, and Ponto Frio (both Brazil). While they aren’t well known to North Americans, these retailers are huge in their own countries.
A: Retailers say they worry putting a security badge on their site might harm conversion two ways – one, even mentioning the word “hacker” could introduce doubt in shoppers who had not been thinking security, and two, the hackers might see the badge as a challenge, and increase their efforts to harm the site. Thoughts?
K: Firstly, retailers should understand that they’re already a target for hackers. Hacking today is much more about financial gain, than satisfying intellectual curiosity. If you were a bank robber, which bank would you target? Bank A, which doesn’t have any security guards, has plate glass windows and leaves the door open on warm summer days? Or would you instead choose Bank B, which has armored guards on all exits, barred windows, and tellers behind bulletproof dividers? Retailers that use our service and take advantage of all the technical resources we provide are much harder to penetrate. There is so much low-hanging fruit available that it won’t take long to find a much easier target.
The second thing that retailers should understand is that thanks to ten years of unrelenting media coverage about hackers, consumers are extremely conscious about security and hackers. In 2006, IBM released a study stating that “70 percent only use Internet shopping sites that display a security protection seal.” This group represents tens of millions of consumers with concerns about security. They want reassurance, and if a site doesn’t deliver it, that person is going elsewhere.
The final and most important point to consider is this; if Hacker Safe seal was detrimental, if it decreased online sales, or if it negatively impacted IT department operations, would so many top brands across so many different industries and retailing segments in so many countries subscribe to it?
The opposite may be true. More than 800 of our customers have conducted A/B split tests in which half of the visitors saw the Hacker Safe seal, while the control group did not. Sites tracked the conversion rates from both groups. Across 150 million visitors and 3.5 million total purchases, the increase from having a Hacker Safe seal was slightly over 14%. In other words, these tests suggest the seal increases conversion. The conversion difference between one site and another usually tracks to issues like brand equity; large chain stores typically seeing a 4.0-9.5% difference, while smaller, less well-known sites can see up to 30% higher conversion. In other words, if you’re a smaller retailer with a 2% conversion rate, you’ll likely see a 2.3-2.5% rate by having the site Hacker Safe certified.
A: Those are hefty conversion increases. Do you have data on these?
K: Sure. Some of the media coverage (and the profiled customers) include: BtoB Magazine (Stuller), DM News (Stacks and Stacks), DIRECT, Ecommerce Times (JL Hufford Coffee), InformationWeek (CDConnection.com), Internet.com, Internet Marketing Report (4WD Hardware), Internet Retailer (American Musical Supply), Internet Retailer (Yankee Candle Co.), Internet Retailer (Shari’s Berries), Marketing Sherpa (PETCO), Multichannel Merchant (Stylin’ Concepts), SearchEngineWatch, SmallBusinessComputing.com , and STORES (Frederick’s of Hollywood).
And we have customer testimonials on our site.
A: You are starting to partner with the feed engines. Can you tell us about that?
K: PriceGrabber.com, Pronto.com and Yahoo! Shopping have each integrated the Hacker Safe seal into their comparison shopping listings. It is the first time since the advent of comparison shopping engines that consumers can evaluate merchants on more than just pricing and merchant ratings. We’re proud that our seal is the only trustmark to be integrated like this.
ScanAlert customers can participate in the Hacker Safe Feed for an additional charge. The feed is an easy, self-enrollment process accessed through our portal. We provide a pricing matrix that looks just like an advertising rate card. The Feed is sold as an annual, unlimited clicks package, with rates varying according to the retailer’s site traffic and the engines they want the seal to show up in. Every day, we send a white list to our shopping partners so the product searcher sees real-time security information. This is how the Hacker Safe seal integrates with PriceGrabber.com’s listings, for example.
The launches with our shopping partners only began last month, but the response from our existing customers has been fantastic. Adding Hacker Safe to their shopping listings is making them more money. The holiday retailing season is just getting started and they have a new way to stand out and close even more business. They love it.
A: Let’s return to web security in general. In your experience, how important should this issue be for online retailers?
K: Web security is critical. It can make life very difficult for retailers. If a breach happens to a small retailer, Visa and MasterCard will automatically re-categorize the company as a Level One merchant. Obtaining certification to this security standard is usually painful and expensive. Visa Asia Pacific required us to be certified to this level and I can tell you from experience that it is a very thorough process. There is a huge level of documentation and process mapping required. This is just one part of the liability hammer you’re going to get hit with.
Federal and state governments may get involved. Retailers will have to bear the cost of notifying their customers about the incident. California has led the way in terms of requiring businesses to notify customers in the state following a breach. The FTC may step in and conduct its own investigation. There is also the PR hit that companies take. It is obviously much less for smaller retailers that are completely unknown. For large retailers like TJMaxx, the cost was considerable. Finally, if a retailer isn’t currently validated to the PCI standard when the breach occurs, its acquiring bank can levy a very large fine.
Add all these up, and security should be one of the most important issues any retailer has.
A: And yet from monitoring buzz in the trades and at the shows, site security is usually a marginal issue.
From your experience, what fraction of online retailers are committing adequate resources and attention to security? Are security best practices common, or rare?
K: I don’t think very many companies devote enough resources and expertise to security. This statement covers all companies of all sizes and types; not just retailers. Most companies just want to sell more products and grow their bottom line. The problem, though, is that if you don’t grow as a secure enterprise, you’re going to a much larger company when the inevitable happens, and the price you pay may be much higher.
A: Are the online retailers with better security apt to be the smaller folks, or the larger companies?
K: Surprisingly, there isn’t any logical trending. In 2006, we closed a deal with a publicly-traded national retailer with well over 1,000 stores. One of the key reasons was because we showed them a SQL injection path straight through to their customer database. You would normally expect a company of this size, which has a full-time IT staff, to find issues like this but this is often something overlooked, especially in large complex websites.
In contrast to big companies, smaller retailers frequently don’t have anyone who even understands what SQL injections are. There are tens of thousands of retailers where the CEO, customer rep and order picker/packer are the same person. They have neither the technical knowledge nor the time to spend on security issues. And oftentimes, they think the web host is responsible for ensuring the site is secure. Our tech support staff spend a lot of time with these smaller companies, often conducting “security 101” sessions.
Large or small, however, our role isn’t to embarrass would-be customers or their staff. It is really to collaborate with companies so their systems are more secure than they were before they called us.
A: Suppose the CEO of a mid-sized online retailer asked you for a five minute summary of the web site security issue. What would you say?
K: I’d emphasize how absolutely critical security is to the continued growth of the company. The flip side – liabilities from fines and regulations are rising every year. I’d ensure that the CEO understood that he should take comments like “we’re completely secure” from the IT department with a grain of salt. In five years, we’ve just seen too many examples where we’ve been able to uncover serious security holes at companies that were absolutely convinced they were secure.
I’d also emphasize that while web applications enable sites and users to do interesting things, they have to be secured. There are many basic blocking and tackling tasks that companies should do. I’d, of course, recommend Hacker Safe because it delivers an ROI that is extremely difficult to obtain from other security services or website optimization or conversion tactics.
A: Many thanks, Ken, for so much of your time and sharing your insights with us today on the critically important (and often underappreciated) topic of web security.