73 Percent of Retail Applications Contain Security Flaws, but Only a Quarter Are Fixed
22.11.2022 15:50:00 EET | Business Wire | Press release
Veracode, a leading global provider of modern application security testing solutions, today revealed that almost three-quarters of applications in the retail & hospitality sector contain security flaws, but only 25 percent of these are fixed. Furthermore, 17 percent of these flaws are categorized as ‘high severity’, meaning they pose a serious risk to the business if exploited. With 76 percent of Americans planning to shop the Black Friday sales on 25 November*—and 56 percent planning to purchase entirely online**— retailers should take extra care to reinforce the security of their ecommerce systems, digital payment platforms, and supply chains.
The data was published in Veracode’s annual State of Software Security (SoSS) report v12, which analyzed 20 million scans across half a million applications in the retail, manufacturing, healthcare, financial services, technology, and government sectors.
Chris Eng, Chief Research Officer at Veracode, said, “Maintaining customer loyalty and trust is priority number one for retailers, and this will be heightened during the Black Friday period. With the average cost of a data breach in the retail sector calculated at $3.28 million***, implementing robust tools and practices to secure the applications customers use to browse and make purchases is imperative.”
Despite the relatively low number of flaws that are fixed, the retail industry takes second place for overall remediation rate, highlighting the need for software security improvements from organizations across all sectors. Eng said, “Compared with other sectors, retailers are better at fixing flaws when they’re discovered. While this is encouraging, it’s clear more needs to be done across the board to integrate flaw identification and remediation into the software development pipeline so that vulnerabilities can be addressed more efficiently.”
Server configuration, insecure dependencies, and authentication issues are the most common types of application flaws across most industries. The retail & hospitality sector follows a similar pattern; however, the sector has higher percentages in nearly every flaw category—perhaps due to the greater functional complexity of customer-facing and back-office applications.
Flaw Fix Times Fluctuate in Retail
Veracode analyzed three different scan types to generate industry comparisons for fix times: dynamic analysis security testing (DAST), static analysis security testing (SAST), and software composition analysis (SCA). Retailers were found to be the quickest to address flaws discovered by DAST, at 70 days to reach the halfway point, which is a staggering 46 days faster than financial services in second place. When it came to SAST and SCA, however, the retail sector fell to the middle of the pack, taking 346 days and 470 days respectively to reach the halfway fix point.
Across all industries, flaws in third-party libraries discovered through SCA persist for longer than those found through SAST and DAST, with 30 percent of vulnerable libraries still unresolved after two years. For the retail sector, that statistic rises to 35 percent and lags the cross-industry average by more than six months. Nevertheless, retailers should be assured that the gap is never too wide to close. Indeed, Veracode’s 2021 State of Software Security report found 92 percent of open-source flaws can be easily fixed with a simple update, which is good news for retailers looking to secure their software supply chains.
In the run-up to Black Friday, and nearly one year since the infamous Log4j vulnerability was first reported, retailers will be on high alert to maintain the speed, efficiency, and security of their applications. Businesses should take extra care to uncover vulnerabilities in third-party software using a combination of SCA and development tools. Using this approach with Veracode, Darius Radford, Application Security Architect at specialty retailer Floor & Decor, was able to get a comprehensive view of risk posed by vulnerable libraries in the company’s software: “We were able to quickly figure out all the places running Log4j and remediate the situation.” Trey Tunnel, Floor and Decor’s Chief Information Security Officer, added, “Our customers are our top priority. With Veracode, we have the confidence that our software is secure and—more importantly—our customers have the confidence that our software is secure.”
The Veracode State of Software Security v12 retail & hospitality snapshot is available to download here and the full report is available here.
* Future Publishing, “Exploring the impact of rising inflation”, June 2022, https://go.future-advertising.com/Rising-Inflation-Research-Insights.html
** Dot Digital, “Black Friday Stats: Everything You Need to Know (updated 2022), Jenna Paton, 20 September 2022, https://dotdigital.com/blog/black-friday-cyber-monday-stats/
*** IBM Security and The Ponemon Institute, “Cost of a Data Breach Report 2022”, July 2022, https://www.ibm.com/downloads/cas/3R8N1DZJ
About the State of Software Security Report
The Veracode State of Software Security (SoSS) v12 analyzed the full historical data from Veracode services and customers. This accounts for a total of more than half a million applications (592,720) that used all scan types, more than a million dynamic analysis scans (1,034,855), more than five million static analysis scans (5,137,882) and more than 18 million software composition analysis scans (18,473,203). All those scans produced 42 million raw static findings, 3.5 million raw dynamic findings, and six million raw SCA findings.
The data represents large and small companies, commercial software suppliers, software outsourcers, and open-source projects. In most analyses, an application was counted only once, even if it was submitted multiple times as vulnerabilities were remediated, and new versions uploaded.
About Veracode
Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Learn more at www.veracode.com, on the Veracode blog and on Twitter.
Copyright © 2022 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.
To view this piece of content from cts.businesswire.com, please give your consent at the top of this page.
View source version on businesswire.com: https://www.businesswire.com/news/home/20221122005446/en/
Contact information
Katy Gwilliam
kgwilliam@veracode.com
About Business Wire
For more than 50 years, Business Wire has been the global leader in press release distribution and regulatory disclosure.
Subscribe to releases from Business Wire
Subscribe to all the latest releases from Business Wire by registering your e-mail address below. You can unsubscribe at any time.
Latest releases from Business Wire
Agenus Announces Oversubscribed Private Placement of Up to $340 Million to Advance Registrational ROBBIN Trial of Neoadjuvant BOT+BAL in MSS Colon Cancer13.7.2026 13:00:00 EEST | Press release
Agenus Inc. (Nasdaq: AGEN), a leader in immuno-oncology innovation, today announced that it has entered into a securities purchase agreement for a private placement of approximately $85 million in upfront gross proceeds, before the deduction of private placement expenses, and up to an additional $255 million upon the full exercise of purchase warrants. The financing was led by Commodore Capital, with participation from RA Capital Management, TCGX, Invus, and Ligand Pharmaceuticals. The net proceeds of this financing are expected to support Agenus’ strategic prioritization of botensilimab and balstilimab (BOT+BAL) for the neoadjuvant treatment of microsatellite-stable (MSS) colon cancer, including advancement of ROBBIN1, the Company’s planned registrational Phase 3 neoadjuvant trial in microsatellite-stable (MSS) colon cancer. High-risk Stage II and Stage III MSS colon cancer affect an estimated 38,000 patients annually in the US and more than 200,000 patients worldwide,2 representing a
Zayed Sustainability Prize Closes 2027 Submissions with Strong Global Participation13.7.2026 12:48:00 EEST | Press release
The Zayed Sustainability Prize, the UAE’s pioneering award for innovative solutions to global challenges, has officially closed submissions for its 2027 awards cycle, receiving an unprecedented 10,233 entries from 177 countries across its six categories of Health, Food, Energy, Water, Climate Action and Global High Schools. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260713519403/en/ Zayed Sustainability Prize Closes 2027 Submissions with Strong Global Participation (Photo: AETOSWire) Now in its 18th year, the Prize continues to attract a diverse and growing pool of small and medium-sized enterprises, nonprofit organisations and high schools developing solutions that improve lives, particularly in vulnerable and underserved communities. This year’s submissions point to a growing emphasis on resilience, adaptability and systems-level impact. Across regions, applicants are addressing complex global challenges through practi
Ant Group Open-Sources SingGuard-NSFA to Establish New Security Paradigms for Autonomous AI Agents13.7.2026 12:01:00 EEST | Press release
Ant Group’s AI Security Lab today announced the open-source release of SingGuard-NSFA, a specialized security guardrail framework designed specifically for autonomous AI agents. The framework secures agentic AI systems against operational threats like prompt injection, addressing critical vulnerabilities as AI transitions from passive content generation to active, autonomous execution. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260712722454/en/ As AI agents rapidly move from research labs to business scenarios, the security landscape has fundamentally shifted. The explosive global adoption of open-source agent frameworks like OpenClaw, celebrated for their "one-click deployment" and "full-stack autonomy", has simultaneously exposed significant operational risks, including permission escalation and prompt injection. Industry frameworks, including the OWASP (Open Web Application Security Project) Top 10 for Agentic Applica
Incyte Presents Phase 1/2 Multidose Data for VGA039 (Latarcibart) at ISTH 2026, Showing Substantial Bleed Reductions in Patients with all Von Willebrand Disease Types13.7.2026 11:00:00 EEST | Press release
Incyte (Nasdaq: INCY) today announced complete safety and efficacy data from all patients (n=16) enrolled in the Phase 1/2 multidose study of VGA039 (latarcibart), a novel, Protein S-targeting, investigational monoclonal antibody for patients with von Willebrand disease (VWD). The data are being shared in an oral presentation today at the 34th Congress of the International Society on Thrombosis and Haemostasis (ISTH 2026 Congress) in Paris. Latarcibart modulates Protein S to improve hemostasis, potentially enhancing the body’s ability to prevent or reduce the frequency of bleeding episodes. Latarcibart is in pivotal Phase 3 development for patients with VWD, the most common inherited bleeding disorder. If approved, latarcibart has the potential to be the first, once monthly subcutaneous prophylactic therapy for patients with VWD, offering an important alternative to the frequent intravenous infusions of replacement factor concentrates commonly used in the prophylactic setting today. Gi
Europe’s Demand for Tech Services Accelerates in Q2, As Spending on AI and Managed Services Rises: ISG Index™13.7.2026 11:00:00 EEST | Press release
Demand for technology services in Europe continued to accelerate in the second quarter, as the region increasingly turns to managed services to reduce costs and cloud services to meet AI objectives, according to the latest state-of-the-industry report from Information Services Group (ISG) (Nasdaq: III), a global AI-centered technology research and advisory firm. The EMEA ISG Index™, which measures commercial outsourcing contracts with annual contract value (ACV) of US $5 million or more, shows second-quarter ACV for the combined market (both managed services and cloud-based as-a-service) soared 46 percent—its largest growth in eight years—to US $13.0 billion. The latest quarter adds to a string of three straight quarters in which growth has averaged 33 percent. “Europe has become the fastest-growing region for technology services, fueled not only by an increasing demand for AI, but for managed services, which acts as a cost-savings lever to help fund AI ambitions and continued digital
In our pressroom you can read all our latest releases, find our press contacts, images, documents and other relevant information about us.
Visit our pressroom
