The retail and hospitality sector is fixing software flaws at a faster rate than five other sectors, a Veracode analysis of more than 130,000 applications reveals.
The ability to find and fix potential security defects quickly is a necessity, particularly in an industry that requires rapid response to changing customer demands.
Retail and hospitality companies also track a high volume of personal information about consumers through loyalty cards and membership accounts, tied into marketing data from third parties, all of which relies on more software. Web application attacks are the primary vector for breaches in retail, with personal or payment data exploited in about half of all breaches.
Fixing software flaws in the retail and hospitality sector
The research found 76% of applications in the retail and hospitality sector have at least one flaw, which is about average when compared to economic sectors such as financial services, technology, healthcare, and others. However, 26% of application flaws are high-severity issues – the second-largest proportion among all six sectors – that require urgent attention.
The research shows that the retail and hospitality industry ranks second-best for overall fix rate: half of its flaws are remediated in just 125 days, nearly one month faster than the next-fastest sector. While this may seem lengthy, half of flaws across all industries remain unfixed for much longer and may never be fixed at all.
“Retail and hospitality companies face the dual pressure of being high value targets for attackers while also requiring software that allows them to be highly responsive to customers and compliant with industry regulations such as PCI,” said Chris Eng, Chief Research Officer at Veracode.
“Developers in the retail and hospitality sector appear to do a better job than others when dealing with issues related to information leakage and input validation. Using API-driven scanning and software composition analysis to scan for flaws in open source components offers the most opportunity for improvement for development teams in the retail sector.”
Encapsulation, SQL injection, and credentials management issues
The development environment is challenging for retail and hospitality businesses because their applications tend to be older and larger than those in other sectors.
The industry fares well when comparing the prevalence of common flaw types, trending lower in categories like information leakage and input validation. The research found that developers in the retail sector struggle with encapsulation, SQL injection, and credentials management issues.
For encapsulation flaws, blocking access to the affected application, database, or system until it can be fully protected is a crucial step. It also remains crucial to back up your data so that you can return to business as usual after a ransomware attack.
Finally, developers can reduce the risk of a credentials management attack by storing encrypted passwords in restricted locations and avoiding hard-coded credentials.
Developer behavior in retail is middle-of-the-pack compared to other industries regarding scanning frequency, using dynamic scanning alongside static scanning, and the cadence of scans. Developers can apply DevSecOps practices like scanning more frequently, using more than one type of testing, and improving the cadence of scans to create more secure software.