The COVID-19 pandemic has upended retail and accelerated digital transformation: Online retail surged in 2020, and U.S. holiday e-commerce sales rose a whopping 49% from the previous year.
With so much volume, retailers’ digital presence must be robust and secure. Web applications need to meet customer demands for ease of use and speed, but with 43% of all breaches occurring as a result of a vulnerability at the application layer, the security of these applications is paramount.
With the spike in online retail — and corresponding importance placed on these applications to drive revenue — retailers can benefit from insight into securing their applications.
Veracode’s recent State of Software Security Report (SoSS) highlighted the frequency of vulnerabilities in applications across different industry verticals, including the retail and hospitality sector. The report found that:
- 26% of retail applications have high-severity security flaws
- 76% of retail applications have flaws
- 74% of total retail flaws are being fixed
To make sense of this data, we can compare the retail sector against other industries to find out how well retailers are securing applications and protecting their customers. The frequency of flawed retail applications is high, with more than three out of every four applications containing at least one flaw. Despite this daunting prevalence of vulnerabilities, retail has one of the best rates of fixing software flaws at 74%, second to only financial services at 75%, and better than healthcare, manufacturing, technology and government verticals.
Similar to this success in fix rate, retailers have the best flaw-remediation speed, with the average application requiring 125 days to fix half of its known defects. While retail and hospitality start out with more flaws than some other industries, developers are quick to dig in and fix those flaws in an effort to improve application security and protect customer data.
Overall, the retail industry’s effectiveness for fixing vulnerabilities in applications is promising. But what does it mean in the context of the past year? The new normal has impacted every industry and pushed business even further into the digital realm, meaning more traffic across applications everywhere. This holds especially true for industries like retail.
It’s worth noting the SoSS report found that 55% of severe retail and hospitality flaws fell into the category of information leakage. This type of flaw, if exploited, could ruin the trust customers have with retail brands and tarnish a brand’s reputation. The bottom line is that as more customer interactions shift online, retail application security must continue to improve. Organizations must rise to the challenge to continue integrating security throughout the software development lifecycle, running security checks on their applications frequently and regularly, and using multiple types of scans, through both static and dynamic analysis, to identify defects.
While application security teams should strive to continue to improve remediation speed, one of the best ways retail can improve its security posture is to limit the number of flaws going into applications to begin with.
Providing security education to the developers who are building and deploying these applications would help achieve this goal. Training developers on how to avoid common security flaws and write secure code from the start will reduce the number of new flaws, which in turn will make it easier to fix existing flaws over time. From there, AppSec programs in retail organizations will be better prepared to handle faster release cycles without slowing down developers.
Chris Eng is chief research officer at Veracode.