While the retail sector has made progress on fixing security flaws, merchants still face a host of vulnerabilities in their software.

Chris Eng, chief research officer, Veracode

Retailers should be pleased with projections for this year’s holiday shopping season, especially online—Deloitte’s annual analysis predicts a 14% to 18% jump over last year, with total ecommerce sales rising to $144 billion.

That volume of spending could be a boon, but also marks a huge surge of data being handled by retailers—who is shopping, what they’re buying, their shopping habits and credit card information. This points to why this season is also critical from a security standpoint. Cybercriminals will increase attacks, probing for weaknesses and vulnerabilities to exploit retailers for potentially valuable data.

The recently released 2019 Thales Data Threat Report revealed that 62% of U.S. retailers said they have been breached, and 37% said they were breached in the past year. Alarmingly, that report also found that just 62% of retailers planned to increase security spending this year. While it isn’t new information that the retail sector is a favorite target of cyberattacks, nearly 4 in 10 retailers said they consider themselves either very or extremely vulnerable to attack.

Why retailers must prioritize application security

A security breach disrupts operations and causes loss of revenue, along with the associated hit to a retailer’s reputation. The sector is a leader in digital transformation, deploying technologies online and in store that enhance the customer’s buying experience and engagement with brands. That transformation is driven almost entirely by software and cloud-native applications, either built internally or sourced from third parties.

Every software application carries risk, making application security increasingly important for retailers who must protect sensitive customer information. Organizations are increasingly focused on not just finding security vulnerabilities, but fixing them, and prioritizing the flaws that put them most at risk.

Recent research of more than 85,000 applications over a 12-month period found 83% of those applications had at least one flaw in the initial scan run by organizations. That report also found that most applications carry significant “security debt” due to security bugs left unfixed.

Common security flaws

Developers and security teams face common, persistent flaw types. The two most common flaw types are Information Leakage and Cryptographic Issues, followed by CRLF Injection and Code Quality. In fact, 23% of retail apps have SQL injection—a common precursor to breaches. Cross-Site Scripting and Credentials Management flaws are also found in nearly half of all applications.

When compared to six other industry sectors (healthcare, finance, technology, government and education, manufacturing and infrastructure), most of the top 10 flaw categories show a lower prevalence among retailers.

Among the most positive achievements is that the retail sector carries the second-lowest proportion of severe security flaws, and retailers are quicker than other sectors in addressing them. In short, this means retailers see the urgency in closing vulnerabilities in their applications and are reducing their exposure to threats.

Many retailers are showing an aptitude for remediating flaws quickly to improve security and protect their high-value information. This is promising, yet the persistence and prevalence of vulnerabilities that continue to plague retailers call for both faster fixes and better prioritization of which flaws to fix first.

Veracode provides application security software.