Retail and Hospitality Outpaces Other Sectors in Fixing Software Security Vulnerabilities, According to Veracode

Findings from Veracode research show sector could improve security with DevSecOps

Veracode, the largest global provider of application security testing (AST) solutions, released new findings that show the retail and hospitality sector fixes flaws in its software at a faster rate than five other sectors. The findings come from Veracode’s analysis of more than 130,000 applications.

“Retail and hospitality companies face the dual pressure of being high value targets for attackers while also requiring software that allows them to be highly responsive to customers and compliant with industry regulations such as PCI”

The ability to find and fix potential security defects quickly is a necessity, particularly in an industry that requires rapid response to changing customer demands. Retail and hospitality also track a high volume of personal information about consumers through loyalty cards and membership accounts, tying into marketing data from third parties, which is enabled by more software. Web applications attacks are the primary vector for breaches in retail, with personal or payment data exploited in about half of all breaches, according to the 2020 Verizon Data Breach Investigations Report.

Recommended AI News: ClearPoint Neuro Announces First Procedure Utilizing ClearPoint 2.0 Software

The research found 76% of applications in the retail and hospitality sector have at least one flaw, which is about average when compared to economic sectors such as financial services, technology, healthcare, and others. However, 26% of application flaws are high-severity issues – the second-largest proportion among all six sectors – that require urgent attention.

Veracode research shows that the retail and hospitality industry rank second-best for overall fix rate: half of its flaws are remediated in just 125 days, nearly one month faster than the next-fastest sector. While this may seem lengthy, half of flaws across all industries remain unfixed for much longer and may never be fixed at all.

Recommended AI News: Absolute Software Helps Customers Secure Remote Access and Communication

“Retail and hospitality companies face the dual pressure of being high value targets for attackers while also requiring software that allows them to be highly responsive to customers and compliant with industry regulations such as PCI,” said Chris Eng, Chief Research Officer at Veracode. “Developers in the retail and hospitality sector appear to do a better job than others when dealing with issues related to information leakage and input validation. Using API-driven scanning and software composition analysis to scan for flaws in open source components offer the most opportunity for improvement for development teams in the retail sector.”

Other findings reveal:

• The development environment is challenging for retail and hospitality businesses because their applications tend to be older and larger than other sectors;
• The industry fares well when comparing the prevalence of common flaw types, trending lower in categories like information leakage and input validation. Veracode’s research found that developers in the retail sector struggle with encapsulation, SQL injection, and credentials management issues. Using guidance from Veracode’s Heat Map, developers can prevent SQL injection attacks with secure coding practices, such as utilizing a parameterized query. For encapsulation flaws, blocking access to the affected application, database, or system is a crucial step to take, until it can be fully protected. Also, it remains crucial to back up your data and information so that you can return to business as usual if there is a ransomware attack. Finally, developers can reduce risk of a credentials management attack by storing encrypted passwords in restricted locations and avoid utilizing hard-coded credentials; and
• Developer behavior in retail is middle-of-the-pack compared to other industries regarding scanning frequency, using dynamic scanning alongside static scanning, and the cadence of scans. Developers can apply DevSecOps practices like scanning more frequently, using more than one type of testing, and improving the cadence of scans to create more secure software.