Devs in Retail and Hospitality Fix Flaws Faster, Veracode Report Concludes

A new report from Application Security Testing (AST) solutions provider Veracode shows that software developers working in the retail and hospitality sector fix flaws in their companies' software faster than developers in five other sectors, despite working with applications that tend to be older and larger than those in other sectors.

The findings come from Veracode's analysis of more than 130,000 applications.

Quick responses to software flaws and security breaches are especially important in these industry sectors, which are already used to responding rapidly to changing customer demands, the company noted. In addition, retail and hospitality companies tend to track a high volume of personal information about consumers through loyalty cards and membership accounts, which makes protecting their data and systems even more important. Web application attacks are the primary vector for breaches in retail, the Veracode report points out, with personal or payment data compromised in about half of all breaches, according to the 2020 Verizon Data Breach Investigations Report.

Veracode's research shows that retail and hospitality ranks second-best for overall fix rate, with half of its flaws remediated within 125 days. This may seem like a long time, but it is nearly one month faster than the next-fastest sector.

"Retail and hospitality companies face the dual pressure of being high-value targets for attackers while also requiring software that allows them to be highly responsive to customers and compliant with industry regulations such as PCI," said Chris Eng, Veracode's Chief Research Officer, in a statement. "Developers in the retail and hospitality sector appear to do a better job than others when dealing with issues related to information leakage and input validation. Using API-driven scanning and software composition analysis to scan for flaws in open source components offers the most opportunity for improvement for development teams in the retail sector."

Another finding worth noting: developer behavior in retail is middle-of-the-pack compared with other industries on three measures: how often applications are scanned, how regular the scan cadence is, and whether dynamic scanning is used alongside static scanning. Developers can apply DevSecOps practices such as scanning more frequently, scanning on a steady cadence rather than in bursts, and combining more than one type of testing to produce more secure software.

Veracode's native SaaS solution is designed to enable companies to move application security to the cloud securely, and it supports cloud-native applications "while empowering developers to fix, not just find, flaws," the company says. Veracode says it has helped customers fix more than 10.5 million security defects in their software through analysis of more than 7.8 trillion lines of code between Jan. 1, 2020, and Oct. 5, 2020.

More information about the state of software security in the retail and hospitality sector is available in Veracode's report.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].