Saturday, July 13, 2024

73% of retail applications have security flaws, yet only a quarter of them have been fixed

Almost three-quarters of apps in the retail and hospitality sectors have security problems, but only 25% of them have been patched, according to a top global provider of modern application security testing tools. Furthermore, 17% of these issues are classified as “high severity,” which means that, if exploited, they pose a significant risk to the company.

Retailers should take additional care to strengthen the security of their e-commerce systems, digital payment platforms, and supply chains given that 76 percent of Americans plan to shop the Black Friday sales on November 25* and 56 percent plan to make their full purchase online**.

The data was published in Veracode’s annual State of Software Security (SoSS) report v12, which analyzed 20 million scans across half a million applications in the retail, manufacturing, healthcare, financial services, technology, and government sectors.

Chris Eng, Chief Research Officer at Veracode, said, “Maintaining customer loyalty and trust is priority number one for retailers, and this will be heightened during the Black Friday period. With the average cost of a data breach in the retail sector calculated at $3.28 million***, implementing robust tools and practices to secure the applications customers use to browse and make purchases is imperative.”

Despite the relatively low number of flaws that are fixed, the retail industry takes second place for overall remediation rate, highlighting the need for software security improvements from organizations across all sectors. Eng said, “Compared with other sectors, retailers are better at fixing flaws when they’re discovered. While this is encouraging, it’s clear more needs to be done across the board to integrate flaw identification and remediation into the software development pipeline so that vulnerabilities can be addressed more efficiently.”

Recommended:  Inadvertently, a researcher crashes the KmsdBot Cryptocurrency mining Botnet

Server configuration, insecure dependencies, and authentication issues are the most common types of application flaws across most industries. The retail & hospitality sector follows a similar pattern; however, the sector has higher percentages in nearly every flaw category—perhaps due to the greater functional complexity of customer-facing and back-office applications.

Flaw Fix Times Fluctuate in Retail

Veracode analyzed three different scan types to generate industry comparisons for fix times: dynamic analysis security testing (DAST), static analysis security testing (SAST), and software composition analysis (SCA). Retailers were found to be the quickest to address flaws discovered by DAST, at 70 days to reach the halfway point, which is a staggering 46 days faster than financial services in second place. When it came to SAST and SCA, however, the retail sector fell to the middle of the pack, taking 346 days and 470 days respectively to reach the halfway fix point.

Across all industries, flaws in third-party libraries discovered through SCA persist for longer than those found through SAST and DAST, with 30 percent of vulnerable libraries still unresolved after two years. For the retail sector, that statistic rises to 35 percent and lags the cross-industry average by more than six months. Nevertheless, retailers should be assured that the gap is never too wide to close. Indeed, Veracode’s 2021 State of Software Security report found 92 percent of open-source flaws can be easily fixed with a simple update, which is good news for retailers looking to secure their software supply chains.

In the run-up to Black Friday, and nearly one year since the infamous Log4j vulnerability was first reported, retailers will be on high alert to maintain the speed, efficiency, and security of their applications. Businesses should take extra care to uncover vulnerabilities in third-party software using a combination of SCA and development tools. Using this approach with Veracode, Darius Radford, Application Security Architect at specialty retailer Floor & Decor, was able to get a comprehensive view of risk posed by vulnerable libraries in the company’s software: “We were able to quickly figure out all the places running Log4j and remediate the situation.” Trey Tunnel, Floor and Decor’s Chief Information Security Officer, added, “Our customers are our top priority. With Veracode, we have the confidence that our software is secure and—more importantly—our customers have the confidence that our software is secure.”

Recommended:  Employees Have Access to an Average of 10 Million Files

The Veracode State of Software Security v12 retail & hospitality snapshot is available to download here and the full report is available here.

About the State of Software Security Report

The Veracode State of Software Security (SoSS) v12 analyzed the full historical data from Veracode services and customers. This accounts for a total of more than half a million applications (592,720) that used all scan types, more than a million dynamic analysis scans (1,034,855), more than five million static analysis scans (5,137,882) and more than 18 million software composition analysis scans (18,473,203). All those scans produced 42 million raw static findings, 3.5 million raw dynamic findings, and six million raw SCA findings.

The data represents large and small companies, commercial software suppliers, software outsourcers, and open-source projects. In most analyses, an application was counted only once, even if it was submitted multiple times as vulnerabilities were remediated, and new versions uploaded.

About Veracode

Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Learn more at, on the Veracode blog and on Twitter.

Suggest an edit to this article

Cybersecurity Knowledge Base

Latest Cybersecurity News

Cybersecurity Academy


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Recommended:  Crypto and the US government are headed for a decisive showdown
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates