Retail's State of Software Security and How It Can Improve from Here
April 22, 2021

Chris Wysopal

Retail may never be the same as it was pre-COVID and the pace of digital transformation keeps pushing faster. Worldwide online retail sales grew by more than 27 percent in 2020, and retailers "will likely ramp up their digital offerings as consumer shopping habits continue to lean in favor of ecommerce. An estimated 40% of consumers say they plan to shop in-store either the same amount or less after being vaccinated."

Because of the major uptick in volume in ecommerce, retailers' digital presence needs to be responsive and secure. Web applications need to meet customer demands for speed and a simple interface, but with 43% of all breaches occurring as a result of a vulnerable application layer, the security of these applications is critical.

Application security insights will be valuable and relevant for retailers on account of the growth of e-commerce and the revenue it is driving.

Veracode's recent State of Software Security report (SoSS) highlighted the frequency of vulnerabilities in applications across different industry verticals, including the retail and hospitality sector.

The report found that:

■ 26% of retail applications have high-severity security flaws

■ 76% of retail applications have flaws

■ 74% of total retail flaws are being fixed

To understand the context of this data, it's helpful to draw a comparison between how well retail and other industries secure applications and protect customers. The frequency of flawed retail applications is high, with more than three out of every four (76% to be exact) applications containing at least one flaw. Fortunately, regardless of this high volume of vulnerabilities, the retail industry's rate of fixing at 74% is second only to the financial services industry at 75%, and has a better rate than healthcare, manufacturing, technology and government verticals.

Retail, in addition to success in fix rate, has the best flaw-remediation speed, with the average application taking 125 days to fix half of its known defects. This means although the retail and hospitality sector begins with more flaws than some other industries, developers are relatively faster to recognize them, buckle down, and fix the flaws in an effort to improve the application's security and protect customer data.

In looking at this data, it's clear to see the promise of the retail industry's overall effectiveness in vulnerability detection and fixing, but it begs the question: What does all of this mean for retail amidst the ongoing COVID-19 pandemic? We have to understand there has been a new normal created for business and that normal is centered around e-commerce, which heavily drives up traffic across various applications.

An important figure to note from the SoSS report is that 55% of severe retail and hospitality flaws can be grouped into information leakage. If information leakage is exploited, it will deteriorate the consumer to business relationship. In addition, an exploitation of this type would heavily damage a company's brand and reputation.

Simply put, as online traffic, users, and applications increase, retail applications security must improve alongside it. Retail organizations must take on the responsibility of integrating security throughout the software development lifecycle, running security checks on their applications frequently, and using multiple types of scans, through both static and dynamic analysis, to identify defects. Following information leakage, the next top three flaw types are CRLF injection, cryptographic issues, and code quality. These flaws can be mitigated by implementing some sort of education program to build stronger, more secure code for retail applications.

Ultimately, every application will contain security defects, but to combat the unavoidable, developers and security teams should always strive to improve their ability to find and fix security issues with speed.

One way to achieve the goal of faster remediation speed and applications with fewer flaws involves educating the developers who build and deploy the applications on avoiding common security flaws and writing secure base code. This foundation will, in turn, make it much easier to fix flaws over time and increase remediation speed. From there, AppSec programs in retail organizations will be better prepared to handle faster release cycles without slowing down developers.

Chris Wysopal is Co-Founder and CTO of Veracode
Share this

Industry News

October 06, 2022 announced it has partnered with MongoDB.

October 06, 2022

Veracode announced the enhancement of its Continuous Software Security Platform to include container security.

This early access program for Veracode Container Security is now underway for existing customers.

The new Veracode Container Security offering, designed to meet the needs of cloud-native software engineering teams, addresses vulnerability scanning, secure configuration, and secrets management requirements for container images.

October 06, 2022

Mirantis announced that Mirantis Container Runtime – latest generation of the Docker Enterprise Engine, the secure container runtime that forms the foundation of Mirantis Container Cloud and Mirantis Kubernetes Engine and is used at the heart of many other Kubernetes deployments – is now available in the Microsoft Azure Marketplace.

October 05, 2022

Perforce Software announced enhanced support for automated testing with the release of Helix ALM 2022.2.

October 05, 2022

Parasoft announced the latest releases of its API and microservices testing tools, including SOAtest, Virtualize, CTP, and Selenic.

October 05, 2022

Vaadin announced the release of four Acceleration Kits designed to make it faster and easier to build and modernize Java applications for enterprise use.

October 04, 2022

Pegasystems announced the latest release of Robot Studio, the robotic process automation (RPA) low-code authoring environment for Pega's intelligent automation platform.

October 04, 2022

EvolveWare announced the Agile Business Rules Extraction (Agile BRE) solution on its Intellisys platform.

October 04, 2022

Mabl announced new features that empower quality professionals to easily validate APIs as part of their integrated end-to-end tests.

October 03, 2022

Spectro Cloud announced a major new release of its Palette Edge platform.

October 03, 2022

Arcion announced agentless change data capture (CDC) for all of its supported databases and applications.

September 29, 2022

CloudBees announced the acquisition of ReleaseIQ to expand the company’s DevSecOps capabilities, empowering customers with a low-code, end-to-end release orchestration and visibility solution.

September 29, 2022

SmartBear continues expanding its commitment to the Atlassian Marketplace, adding Bugsnag for Jira and SwaggerHub Integration for Confluence.

Bugsnag developers monitoring application stability and documenting in Jira no longer need to interrupt their workflow to access the app. Developers working in SwaggerHub can use the macro to push API definitions and changes directly to other teams and business stakeholders that work within Confluence. By increasing the presence of SmartBear tools on the Atlassian Marketplace, the company continues meeting developers where they are.

September 29, 2022

Ox Security exited stealth today with $34M in funding led by Evolution Equity Partners, Team8, and M12, Microsoft's venture fund, with participation from Rain Capital.

September 29, 2022 announced that the new Intel Developer Cloud is now available via the Metacloud platform, providing a fully integrated software and hardware solution.