Retail and Hospitality Facing Deluge of Critical Web App Flaws

More than three-quarters of applications in the retail and hospitality sector contain at least one vulnerability, with a high percentage of these requiring urgent attention, according to Veracode.

The application security vendor analyzed more than 130,000 applications to compile its latest State of Software Security report.

However, while the 76% of buggy apps in the retail and hospitality sector is about average compared to other verticals, Veracode warned that 26% are high severity — one of the worst rates of any industry.

This matters, as the industry has been delivering a raft of new applications in order to reach customers online during the pandemic, amid social distancing and lockdowns. It’s especially important to hospitality firms, which have been forced to radically reshape their business models to adapt to the new reality.

Yet while web applications can be a life-saver for such businesses, they might also introduce extra cyber-risk. They were involved in 43% of breaches analyzed by Verizon last year and were the number one attack vector for the retail industry, with personal or payment data exploited in about half of all breaches.

That said, retail and hospitality ranked second-best for overall fix rate, according to Veracode. Half of its flaws were remediated in 125 days, which is nearly one month faster than the next-fastest sector.

Veracode claimed that, although retail and hospitality firms did well at addressing common flaw types like information leakage and input validation, developers struggled with encapsulation, SQL injection and credentials management issues.

“Retail and hospitality companies face the dual pressure of being high-value targets for attackers while also requiring software that allows them to be highly responsive to customers and compliant with industry regulations such as PCI,” said Chris Eng, Veracode chief research officer.

“Using API-driven scanning and software composition analysis to scan for flaws in open source components offer the best opportunity for improvement for development teams in the sector.”

What’s Hot on Infosecurity Magazine?