Top 4 Tips for Retailers to Secure Their Sites

Imagine being in the midst of the holiday season and opening an anonymous email claiming to have captured data from hundreds of thousands of customer records, which will be released unless you pay up. Although that is better than waking up to find the records already posted on a dark web marketplace, it is still one more IT problem to deal with during an already overwhelming holiday season.

This year’s Black Friday online sales hit a new record of $3.34 billion, the first time they broke the $3 billion mark, according to Adobe Digital Insights. For IT teams at retail organizations, this means constantly having to keep up with the flood of traffic, and security is often overlooked in the process.

Put simply, the holiday season is not just busy for the average shopper. Holding together new pages and applications, or devoting extra resources to mission-critical applications like payment authorization tools and shopping carts, is a lot of work. All the moving parts make it easy to slip up on security, putting both the company and its customers at risk.

We found evidence of this in Veracode’s most recent State of Software Security (SOSS) Report, which pulled together insights from code-level analysis of 300,000 application security assessments. Our research found that 62 percent of applications in the retail and hospitality industries did not pass security tests on their first try. And even after issues were discovered, only 67 percent of the vulnerabilities found were fixed, leaving sensitive consumer and business information exposed to attackers.

The biggest issue for the retail and hospitality industry was poor code quality (69 percent of applications), which often results from poor coding practices such as improper use of resources and can leave applications vulnerable to denial of service (DoS) attacks. More troubling were the cryptographic issues, such as the use of cryptographic algorithms that attackers have already broken, or failure to properly secure Internet communications, either of which can allow attackers to steal credit card data or credentials. These cryptographic issues affected 68 percent of applications in this industry. And despite years of effort to combat SQL injection vulnerabilities, which allow an attacker to read or change information in a database, this flaw still affects one out of every three retail applications.

Although these kinds of vulnerabilities are simple to fix, they are unfortunately easy to overlook in the rush to build and deploy more apps in time for the holidays. To avoid the consequences of an overlooked flaw, developers and security teams need to work together early in the development process to prevent or fix vulnerabilities before they put customers at risk.
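To make the SQL injection point above concrete, here is an added example (not code from the original article or from Veracode) that puts an injectable lookup next to its fixed form. The customer table, the rows in it and the lookup functions are all constructed for this illustration; it uses Python’s built-in sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed sample data for this example only; not taken from the article.
# Card numbers are masked placeholders, not real PANs.
CUSTOMERS = [
    ("alice@example.com", "Alice", "4111********1111"),
    ("bob@example.com", "Bob", "5500********0004"),
    ("carol@example.com", "Carol", "3400********0009"),
]


def make_db():
    """Build an in-memory customer table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, card_masked TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """The injectable pattern: user input is spliced into the SQL text.

    With email = "' OR '1'='1" the statement becomes
        ... WHERE email = '' OR '1'='1'
    and the WHERE clause is true for every row.
    """
    sql = "SELECT email, name, card_masked FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a bound parameter. The driver passes the value to the engine
    separately from the statement, so it is never parsed as SQL."""
    sql = "SELECT email, name, card_masked FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# A classic tautology payload; it only "works" against the concatenated query.
INJECTION = "' OR '1'='1"


def demo():
    """Run both lookups with a normal email and with the injection payload."""
    conn = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice@example.com"),
        "normal_safe": lookup_safe(conn, "alice@example.com"),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTION),
        "injected_safe": lookup_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
```

Both functions return one row for a real address. Fed the payload, the concatenated version hands back the whole table, while the parameterized version returns nothing, because the engine looks for a customer whose address literally is `' OR '1'='1`. Parameter binding, not input filtering, is the fix the article has in mind when it calls these flaws simple to correct.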

Here are some general tips to help keep websites safe this holiday season and beyond:

Remember that External Security Measures Can Fail

Existing security measures intended to surround and protect web applications routinely fail; over half of web applications are affected by misconfigured secure communications or security defenses. While it is important to use firewalls, antivirus software and other runtime technology to protect running applications from attack, these tools are not meant to protect against everything. You still need good application security hygiene so that even if attackers get past those first lines of defense, they cannot turn your applications against you.

Cover All Your Bases

No single testing mechanism is going to solve all application security problems. For instance, there are significant differences between the types of vulnerabilities commonly discovered by dynamic testing of a running application and those found by static analysis of the code itself. While dynamic testing provides a valuable outside perspective, static testing identifies vulnerabilities inherent in the code and can be done far earlier in the development process. By combining both techniques across the life of the application, organizations can find and address more kinds of vulnerabilities and drive down application risk. It takes a balanced approach to properly evaluate and mitigate the risks.

Protecting Applications Is a Continuous Process

Fewer than four out of 10 applications pass security policy requirements on initial assessment. This is not a huge problem in itself, as nothing is perfect in its first iteration. However, it does mean that developer and security teams need to spend time looking for and, more importantly, fixing vulnerabilities. This is critical not just for proprietary code but also for third-party commercial code, which we have found often has more vulnerabilities than internally developed applications. It is therefore just as important to know what vulnerabilities are present in the applications used by your service providers, and to apply patches and updates promptly when they are delivered, as it is for internal applications.

Developer Education Is the Key

Moving to modern development practices that place a greater emphasis on efficient code releases means code ships faster and pivots are easier when needed. However, modern development techniques require security to become part of the process earlier in the development cycle. Educating your developers on best practices for secure development is how to get there: remediation coaching and eLearning can help developers fix as many as six times more vulnerabilities.

A good application security program should not just point out flaws but also educate developers. If developers receive positive feedback on where they are using secure coding practices, they are more apt to avoid mistakes in the future, meaning secure code comes straight from your developers’ fingers rather than from downstream processes.

The battle for good application security is never over. And while it is easy to overlook during the hustle and bustle of the busy holiday season, it still requires the same effort and attention to ensure that your websites and customers are safe.

About the Author

Tim Jarrett is Senior Director of Security at Veracode. A Grammy-award winning product professional, he joined Veracode in 2008 and has a Bacon number of 3. He can be found on Twitter as @tojarrett.
