Retail and Hospitality Sector Has Impressive Fix Rate, but Room to Improve

Over the past year, the retail and hospitality industries have been forced to adapt to the “new normal.” Since lockdowns and health concerns have prevented or dissuaded in-person shopping or dining, the new normal has been e-commerce. Smaller businesses not equipped for the increase in e-commerce have had to undergo rapid digital transformation in order to stay afloat. But, unfortunately, e-commerce was not the only thing to increase in 2020. Cyberattackers have been taking advantage of the influx of digital activity.

This is especially concerning because, according to our recent State of Software Security (SOSS) report, 76 percent of applications in the retail and hospitality sector have a security vulnerability and 26 percent have high-severity security vulnerabilities.

But, on a positive note, our SOSS findings also revealed that when compared to other industries, retail and hospitality have the second-best fix rate and the best median time to remediate security flaws. This means that even though the industries might have a higher than usual number of flaws, they are quick to act and remediate those flaws. As Chris Eng, Chief Research Officer at Veracode explains, “If retailers are constantly having to push out code containing business logic to support new promotions, that might account for the fix times.”

Retail and hospitality

The SOSS report also examined how the “nature” of applications and how we “nurture” them contribute to the time it takes to close out a security flaw. We found that the “nature” of applications – like organization or application size, application age, or flaw density – can affect how long it takes to remediate a security flaw. But, taking steps to “nurture” the security of applications – like using multiple application security (AppSec) testing types, scanning frequently and steadily, and utilizing APIs – can also influence how long it takes to remediate security flaws.

For the retail and hospitality industries, we found that they have a low flaw density relative to other sectors, but the applications tend to be old and larger. We also found that the sector is not consistently using DevSecOps best practices like scanning frequently in an automated way. If developers start following the best practices regularly, the retail and hospitality industries can remediate flaws and chip away at security debt faster.

Retail and hospitality nature vs nurture chart

Flaws that the retail and hospitality sector should keep a close eye on include encapsulation, SQL injection, and credential management issues. These flaw types seem to be more prevalent in the retail and hospitality sector compared to other industries, and they can lead to a serious breach. In fact, injection flaws are considered by OWASP Top 10 to be the number one, most critical security risk to web applications.

For more information on software security trends in the retail and hospitality industries, check out The State of Software Security Industry Snapshot.

 

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.