Retailers Fix Software Flaws Quickly, Despite Continued Code Quality Issues

The 2018 holiday shopping season is off to a record-breaking start, thanks to consumers’ growing comfort with making online purchases and an increasing number of retailers offering Black Friday pricing starting on Thanksgiving. In fact, in the first two days of the shopping season, online retailers saw nearly $10 billion sales, with Adobe reporting that consumers in the U.S. alone spent $6.2 billion on Black Friday. For many, the ability to complete holiday shopping online and avoid crowded parking lots and throngs of people in a shopping center or mall is a relief. This may even trump any concerns they may have about privacy or fraud as they use credit cards and apps to make their purchases.

Retail’s State of Software Security Receives High Marks – Yet, There’s More to Be Done

The good news is Veracode’s State of Software Security Volume 9 (SOSS Vol. 9) found that retail is faster than most industries — second only to healthcare — when it comes to addressing common vulnerabilities found in software, thereby reducing risk exposure. Through our flaw persistence analysis or how long a flaw lingers after the first discovery, we found that the retail industry remediates a quarter of its vulnerabilities in 14 days, and 50 percent of flaws in 64 days. Retail outpaced the average fix speed at every interval across all industries, keeping consistent with its urgency to close vulnerabilities.

However, two-thirds (66 percent) of applications retailers use are at risk from information leakage attacks. This means that an application may reveal sensitive data that an attacker can then use to exploit the web application, its hosting network, or the user. Retail reported the third-most information leakage issues after technology and financial services. SOSS Vol. 9 also shows that the retail industry has the highest number of code quality flaws when compared to all other verticals at 65 percent. Code quality is the third most common vulnerability category across the board, following information leakage and cryptographic issues, suggesting that developing quality, secure code is an industry-wide issue for the retail sector.

“Vulnerabilities in applications can allow attackers seeking sensitive information such as consumer payment data a way in,” said Paul Farrington, Director of EMEA and APJ at Veracode. “Many retailers are showing an aptitude for remediating flaws quickly to help improve security and protect their high-value information. This is promising, yet the persistence and prevalence of vulnerabilities that continue to plague retailers call for both increased speed of fix and better prioritizing which flaws to fix first.”

Secure Software Development Education and the Skills Gap

It is estimated 3.5 million cybersecurity jobs will go unfilled by the year 2020. Our research shows 76 percent of developers say that security and secure development education is necessary – but not offered in current curriculums – so this hardly comes as a surprise. The onus falls on organizations such as retailers to ensure that their development teams are receiving the education necessary and are equipped with the appropriate tooling to make security a priority in the software development process.

As the retail industry offers new ways to buy, pick up, and ship goods, it is also increasing the threat landscape by producing a wider portfolio of web applications. It will be critical for them to ensure their developers have what they need to keep their systems and their customers’ sensitive information safe from potential cyber attacks.

To learn more about the retail industry’s security hygiene, download the free Retail Industry Infosheet.