Findings from Veracode research show sector could improve security with DevSecOps
BURLINGTON, Mass. – January 20, 2021 – Veracode, the largest global provider of application security testing (AST) solutions, released new findings that show the retail and hospitality sector fixes flaws in its software at a faster rate than five other sectors. The findings come from Veracode’s analysis of more than 130,000 applications.
The ability to find and fix potential security defects quickly is a necessity, particularly in an industry that requires rapid response to changing customer demands. Retail and hospitality also track a high volume of personal information about consumers through loyalty cards and membership accounts, tying into marketing data from third parties, which is enabled by more software. Web applications attacks are the primary vector for breaches in retail, with personal or payment data exploited in about half of all breaches, according to the 2020 Verizon Data Breach Investigations Report.
The research found 76% of applications in the retail and hospitality sector have at least one flaw, which is about average when compared to economic sectors such as financial services, technology, healthcare, and others. However, 26% of application flaws are high-severity issues – the second-largest proportion among all six sectors – that require urgent attention.
Veracode research shows that the retail and hospitality industry rank second-best for overall fix rate: half of its flaws are remediated in just 125 days, nearly one month faster than the next-fastest sector. While this may seem lengthy, half of flaws across all industries remain unfixed for much longer and may never be fixed at all.
“Retail and hospitality companies face the dual pressure of being high value targets for attackers while also requiring software that allows them to be highly responsive to customers and compliant with industry regulations such as PCI,” said Chris Eng, Chief Research Officer at Veracode. “Developers in the retail and hospitality sector appear to do a better job than others when dealing with issues related to information leakage and input validation. Using API-driven scanning and software composition analysis to scan for flaws in open source components offer the most opportunity for improvement for development teams in the retail sector.”
Other findings reveal:
- The development environment is challenging for retail and hospitality businesses because their applications tend to be older and larger than other sectors;
- The industry fares well when comparing the prevalence of common flaw types, trending lower in categories like information leakage and input validation. Veracode’s research found that developers in the retail sector struggle with encapsulation, SQL injection, and credentials management issues. Using guidance from Veracode’s Heat Map, developers can prevent SQL injection attacks with secure coding practices, such as utilizing a parameterized query. For encapsulation flaws, blocking access to the affected application, database, or system is a crucial step to take, until it can be fully protected. Also, it remains crucial to back up your data and information so that you can return to business as usual if there is a ransomware attack. Finally, developers can reduce risk of a credentials management attack by storing encrypted passwords in restricted locations and avoid utilizing hard-coded credentials; and
- Developer behavior in retail is middle-of-the-pack compared to other industries regarding scanning frequency, using dynamic scanning alongside static scanning, and the cadence of scans. Developers can apply DevSecOps practices like scanning more frequently, using more than one type of testing, and improving the cadence of scans to create more secure software.
For more information on common flaws and findings, download
About the State of Software Security Report
Veracode’s State of Software Security (SOSS) Volume 11 report is a comprehensive review of application security testing data from scans of more than 130,000 active applications conducted by Veracode’s customer base of more than 2,500 companies. This represents the industry’s most comprehensive set of application security benchmarks. Veracode collaborated with data scientists at Cyentia Institute to better visualize and understand new threats and how developers can make applications better and more secure.