Overview

As the leading eCommerce site of Israel, Walla! Shops attracts as many as 40,000 unique users each day who shop for a variety of products, including electronics, home appliances, sports equipment, furniture, and apparel, and pay via Walla! Shops’ online payment portal.

Walla! Shops needed to protect its customers and ensure that customer data would not be exposed through its Web application. A customer data breach would not only reduce customer confidence but could also lead to brand damage and extensive financial burden for Walla! Shops. As a payment card processing merchant, Walla! Shops also had to comply with the Payment Card Industry Data Security Standard (PCI DSS). With this in mind, Walla! Shops started evaluating application security solutions to protect its eCommerce site against Web-based attacks targeting customers’ sensitive data, including credit card data and other personally identifiable information.

After looking at other competitive solutions, Walla! Shops selected the Imperva SecureSphere Web Application Firewall. SecureSphere met the requirements of this customer. It was the only solution that could be deployed transparently inline as a layer 2 bridge without impacting the network.

“Transparency was very important for us and a major point in our decision when we were evaluating different solutions,” said Uri Laish, Vice President, R&D at Walla! Shops.

Business Problem

First and foremost, Walla! Shops needed to make sure that customers would have the assurance that they can perform payments securely—that their personal banking, credit card or other private information would not be exposed on the Web.

On a related note, Walla! Shops was required to meet the PCI DSS 6.6 requirement for securing its eCommerce application. In particular, the company needed to protect sensitive customer data that is being collected through its online payment portal, including credit card data, customer names, addresses and ID numbers.

“As our business continues to grow with more and more credit cards being processed, we must have a solution in place to prevent this critical data from being stolen,” said Uri Laish.

Walla! Shops also aimed to minimize administrative overhead for security management and maintenance. They needed a solution that would automatically protect their application against new and emerging threats, without requiring manual intervention for application security updates and enforcement.

Technology Requirements

The SecureSphere Web Application Firewall provides application security for the Walla! Shops eCommerce site. The appliance is deployed in front of the Walla! Shops Web server in order to directly detect and block attacks targeted at the application, and to prevent sensitive data from being leaked out of the application or compromised by a malicious Web user. Deployed as a transparent layer 2 bridge, SecureSphere enables non-intrusive deployment without disrupting the application performance or availability. This is an important point, considering that the Walla! Shops’ Web application is highly dynamic with new users visiting and purchasing products from the site, which is available 24 hours a day, 7 days a week.

Also, considering that Walla! Shops intermittently introduces new products and pricing changes on its site, it was critical for the security solution deployed to accommodate these types of application changes automatically and accurately without introducing false positives or blocking valid users from making purchases on the site. SecureSphere has been built with this in mind. After being deployed, SecureSphere WAF automatically profiles the application by first learning normal usage of the application, and, thereafter, it automatically adapts itself to any changes in the application. This was a key requirement for Walla! Shops. The company needed an application security solution that would not require an administrator to manually tune the application each time a valid application change was made or after a user had accessed the Web application in an unexpected, but acceptable way, for example, entry of an unusually long last name in the corresponding form field of the Web page. “The SecureSphere product learned the application by itself and did not expect us to manually teach it. This saves us time and effort of ongoing tuning,” said Uri Laish.

The Intelligent Choice for Walla! Shops

Using SecureSphere, Walla! Shops is able to maintain a safe environment for its customers to purchase products online and to also achieve its PCI compliance goal.

SecureSphere helps Walla! Shops protect its customers by providing immediate protection of the eCommerce site against a variety of sophisticated application-level attacks, including SQL injection, cookie tampering, cookie stealing and session hijacking attacks. With SecureSphere deployed, customers are protected from attempts to use a valid user’s credentials to either make unauthorized purchases on the Walla! Shops site or to steal the user’s financial account information. Such attempts will be flagged and blocked. Also, SecureSphere will alert Walla! Shops’ R&D staff to information regarding potential data leakage of credit card and other sensitive data. This allows Walla! Shops staff to implement measures to prevent a potentially damaging security breach.

For Walla! Shops, SecureSphere deserves a thumbs up for its ability to protect credit card data, to be transparently deployed into the network, and to automatically learn and update the security policy even as the application changes without requiring any manual tuning. “We needed to comply with PCI and application firewall,” said Uri Laish. “Imperva’s Web application firewall solution was the most professional and rose above the rest.”