Holiday Alert: Retail Applications Need Security Improvements

By Greg Tavarez, TMCnet Editor  |  November 30, 2022

The pandemic led to enterprises taking safety precautions by sending employees home to work. For many, the result was a feeling of increased isolation. In reality, the result may have been just the opposite when considering the explosion in the use of advanced collaboration technologies at enterprises’ disposal. In some cases, people may have actually interacted more thanks to these tools.

Take the retail sector, for instance. When forced to shut in-person operations, retailers found ways to improve customer interactions across a variety of digital channels, including their branded mobile apps, which can leverage voice, video, messaging, and more – whatever customers prefer. Ultimately, the pandemic drove retailers, whether they have brick-and-mortar sites or not, to improve their mobile and web app capabilities – a change they probably needed to make anyway.

Despite the convenience, though, mobile applications also bring more complexity and, therefore, more risk. Just look at the Log4j vulnerability in 2021. The scary truth is that, in the retail and hospitality sectors, around three-quarters of applications contain security flaws. That’s according to Veracode’s “State of Software Security Report v12.” To add to that, about 20% of the flaws are considered high severity.

What is considered a flaw? Server configuration, insecure dependencies and authentication issues are common types of application flaws across most industries. This is no different for the retail and hospitality sectors, except that they show higher percentages in nearly every flaw category due to the greater functional complexity of customer-facing and back-office applications.

The good news is that the retail industry is quicker than others at fixing flaws, with 25% of its flaws now fixed. Retailers that address flaws discovered by dynamic analysis security testing reach the halfway point at 70 days, which is 46 days faster than financial services, which is in second place.

Where the retail sector comes up short is with flaws in third-party libraries. Across all industries, 30% of vulnerable libraries are unresolved after two years, while the number rises to 35% for the retail sector. Luckily, open-source flaws are relatively easy to fix with an update, which is welcome news for retailers looking to secure their software supply chains.

Still, the data shows the industry is in need of software security improvements, especially during the holiday season, where retailers need to take extra care to reinforce the security of their ecommerce systems, digital payment platforms and supply chains.

“With the average cost of a data breach in the retail sector calculated at $3.28 million, implementing robust tools and practices to secure the applications customers use to browse and make purchases is imperative,” said Chris Eng, chief research officer at Veracode.

The busy holiday shopping period is no time to put customers’ PII and business reputation at risk.

Edited by Erik Linask