One global retailer had over 9,000 websites globally, and the central security team was unaware of more than a third of them.

The eggnog carton is empty, the cookies have been baked, and the gifts are tidily wrapped under the tree. For shoppers, the Christmas shopping season is just about over—but the trouble has just begun for retailers.

Cyber Monday and Black Friday means internet retailers create numerous temporary websites to host pages touting special discounts for “today only” and offering an “extra 20 percent off” by clicking on a specific link. But what happens when the holiday sales are over? Often, these temporary websites are forgotten entirely, leaving them vulnerable to cybercriminals.

With every software application comes a tension between going to market quickly so that the application can begin making money and ensuring that the application is safe from hackers. This puts applications at risk, especially those like temporary holiday websites that are built to be temporary. After all, companies might ask why they need to make a big investment in security when these websites will only be live for five or six weeks.

The result is companies that simply don’t know if or where the risk is. The creation of pop-up sites is often outsourced, so they can be created quickly and without distracting the core team during this busy time of year. Further, it’s not unusual for the site itself to be created on a cloud server so that even more IT governance rules—including security—can be ignored. What’s more, teams are often reassigned after the holidays are over and these websites end up being forgotten entirely.

In one global retailer studied by Veracode, the organization turned out to have over 9,000 websites globally, of which the central security team was unaware of more than a third. Even though the company is not actively promoting or linking to these applications, the page is still there and it’s becoming more insecure by the day. After all—software ages more like eggnog than it does mulled wine.


The underlying issue with these pop-up holiday websites can be teased out through the answers to three questions:

  1. Has the website been checked for vulnerabilities?
  2. Do retailers remember the website exists?
  3. What other systems or applications is this website talking to?

It’s true that some of the biggest name-brand retailers have robust security programs in place and protocols to protect against attacks to pop-up websites. But for the majority of retail businesses the security of these websites becomes a problem.

In this year’s State of Software Security report from Veracode, we saw that retailers failed their OWASP policy compliance pass rates for first-time scans 62 percent of the time. [The Open Web Application Security Project is a nonprofit application security organization.] That said, retail has shown an above-average ability to fix security holes once they find them—but that means nothing when temporary sites are never even checked.

Another issue with these temporary sites is what other systems or applications the website might be talking to or have access to. An application is not an island. At a minimum, an application lives inside a network, and an attacker can start on that application’s machine and then attack other machines in the network. Increasingly, applications are sharing a higher level of resources too. The same application might be talking to another database that is talking to lots of other databases in the corporate data center.


In one 2014 example, hackers gained access into J.P. Morgan’s network through the breach of a nearly defunct, temporary website that hosted information about a charity race the company was sponsoring. The same hackers were able to penetrate JPMorgan’s central network. Even an organization with access to the best security technologies couldn’t protect sensitive assets because a neglected temporary site provided the keys to the kingdom.

Ultimately, neglected and temporary sites can lead to breach with a long-term impact. But important to note is that whether the application had security measures in place to begin with or was simply neglected after the fact, consumers will not blame a pop-up site if their sensitive information is compromised. It’s the core brand that will suffer.

Veracode specializes in application security testing.