Business Wire

MA-VERACODE

22.11.2022 13:51:37 CET | Business Wire | Press release

Share
73 Percent of Retail Applications Contain Security Flaws, but Only a Quarter Are Fixed

Veracode, a leading global provider of modern application security testing solutions, today revealed that almost three-quarters of applications in the retail & hospitality sector contain security flaws, but only 25 percent of these are fixed. Furthermore, 17 percent of these flaws are categorized as ‘high severity’, meaning they pose a serious risk to the business if exploited. With 76 percent of Americans planning to shop the Black Friday sales on 25 November*—and 56 percent planning to purchase entirely online**— retailers should take extra care to reinforce the security of their ecommerce systems, digital payment platforms, and supply chains.

The data was published in Veracode’s annual State of Software Security (SoSS) report v12, which analyzed 20 million scans across half a million applications in the retail, manufacturing, healthcare, financial services, technology, and government sectors.

Chris Eng, Chief Research Officer at Veracode, said, “Maintaining customer loyalty and trust is priority number one for retailers, and this will be heightened during the Black Friday period. With the average cost of a data breach in the retail sector calculated at $3.28 million***, implementing robust tools and practices to secure the applications customers use to browse and make purchases is imperative.”

Despite the relatively low number of flaws that are fixed, the retail industry takes second place for overall remediation rate, highlighting the need for software security improvements from organizations across all sectors. Eng said, “Compared with other sectors, retailers are better at fixing flaws when they’re discovered. While this is encouraging, it’s clear more needs to be done across the board to integrate flaw identification and remediation into the software development pipeline so that vulnerabilities can be addressed more efficiently.”

Server configuration, insecure dependencies, and authentication issues are the most common types of application flaws across most industries. The retail & hospitality sector follows a similar pattern; however, the sector has higher percentages in nearly every flaw category—perhaps due to the greater functional complexity of customer-facing and back-office applications.

Flaw Fix Times Fluctuate in Retail

Veracode analyzed three different scan types to generate industry comparisons for fix times: dynamic analysis security testing (DAST), static analysis security testing (SAST), and software composition analysis (SCA). Retailers were found to be the quickest to address flaws discovered by DAST, at 70 days to reach the halfway point, which is a staggering 46 days faster than financial services in second place. When it came to SAST and SCA, however, the retail sector fell to the middle of the pack, taking 346 days and 470 days respectively to reach the halfway fix point.

Across all industries, flaws in third-party libraries discovered through SCA persist for longer than those found through SAST and DAST, with 30 percent of vulnerable libraries still unresolved after two years. For the retail sector, that statistic rises to 35 percent and lags the cross-industry average by more than six months. Nevertheless, retailers should be assured that the gap is never too wide to close. Indeed, Veracode’s 2021 State of Software Security report found 92 percent of open-source flaws can be easily fixed with a simple update, which is good news for retailers looking to secure their software supply chains.

In the run-up to Black Friday, and nearly one year since the infamous Log4j vulnerability was first reported, retailers will be on high alert to maintain the speed, efficiency, and security of their applications. Businesses should take extra care to uncover vulnerabilities in third-party software using a combination of SCA and development tools. Using this approach with Veracode, Darius Radford, Application Security Architect at specialty retailer Floor & Decor, was able to get a comprehensive view of risk posed by vulnerable libraries in the company’s software: “We were able to quickly figure out all the places running Log4j and remediate the situation.” Trey Tunnel, Floor and Decor’s Chief Information Security Officer, added, “Our customers are our top priority. With Veracode, we have the confidence that our software is secure and—more importantly—our customers have the confidence that our software is secure.”

The Veracode State of Software Security v12 retail & hospitality snapshot is available to download here and the full report is available here.

* Future Publishing, “Exploring the impact of rising inflation”, June 2022, https://go.future-advertising.com/Rising-Inflation-Research-Insights.html
** Dot Digital, “Black Friday Stats: Everything You Need to Know (updated 2022), Jenna Paton, 20 September 2022, https://dotdigital.com/blog/black-friday-cyber-monday-stats/
*** IBM Security and The Ponemon Institute, “Cost of a Data Breach Report 2022”, July 2022, https://www.ibm.com/downloads/cas/3R8N1DZJ

About the State of Software Security Report

The Veracode State of Software Security (SoSS) v12 analyzed the full historical data from Veracode services and customers. This accounts for a total of more than half a million applications (592,720) that used all scan types, more than a million dynamic analysis scans (1,034,855), more than five million static analysis scans (5,137,882) and more than 18 million software composition analysis scans (18,473,203). All those scans produced 42 million raw static findings, 3.5 million raw dynamic findings, and six million raw SCA findings.

The data represents large and small companies, commercial software suppliers, software outsourcers, and open-source projects. In most analyses, an application was counted only once, even if it was submitted multiple times as vulnerabilities were remediated, and new versions uploaded.

About Veracode

Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Learn more at www.veracode.com, on the Veracode blog and on Twitter.

Copyright © 2022 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

To view this piece of content from cts.businesswire.com, please give your consent at the top of this page.

View source version on businesswire.com: https://www.businesswire.com/news/home/20221122005446/en/

About Business Wire

Business Wire
Business Wire
101 California Street, 20th Floor
CA 94111 San Francisco

http://businesswire.com
DK

Subscribe to releases from Business Wire

Subscribe to all the latest releases from Business Wire by registering your e-mail address below. You can unsubscribe at any time.

Latest releases from Business Wire

KATE Launches "KABUKE: Break Convention" Kabuki-Inspired International Campaign17.7.2026 09:00:00 CEST | Press release

Where “NO MORE RULES.” intersects with the Kabuku spirit. Inspired by Japanese aesthetics, KATE shares the value of shadow enhancing makeup and self‑expression with the world. Global cosmetics brand KATE launched “KABUKE: Break Convention,” a new international campaign drawing on elements of Kabuki, the traditional Japanese performing art. The campaign debuted on Wednesday, July 8, 2026. In this campaign, KATE’s shadow enhancing makeup—rooted in Japanese aesthetics—was paired with the Kabuki spirit inherited from traditional Kabuki theater to communicate the value of individuality and self‑expression through makeup on a global scale. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260708829427/en/ KATE international campaign “KABUKE: Break Convention” key visual. Dedicated website: https://www.kate-global.net/my/special/kate_kabuki/ Since its founding, KATE has championed the slogan “NO MORE RULES.,” offering makeup that defi

Meiji Seika Pharma: Results from the Global Phase III Trial (Integral-2) of Nacubactam, a Novel β-Lactamase Inhibitor, Highlighted in The Lancet Microbe’s Coverage of ESCMID Global Congress 202617.7.2026 03:00:00 CEST | Press release

Meiji Seika Pharma Co., Ltd. (Headquarters: Tokyo, President and Representative Director: Toshiaki Nagasato) today announced that results from the global Phase III trial (Integral-2) of nacubactam (Development Code: OP0595), a novel β-lactamase inhibitor, were highlighted in The Lancet Microbe’s coverage of ESCMID Global Congress 2026 (held in Munich, Germany). As highlighted in The Lancet Microbe’s coverage, the key findings presented by Meiji Seika Pharma at ESCMID Global Congress 2026 are as follows: The Integral-2 study (jRCT2031230076) is a global Phase III clinical trial that enrolled patients with complicated urinary tract infections, acute uncomplicated pyelonephritis, hospital-acquired bacterial pneumonia, ventilator-associated bacterial pneumonia, or complicated intra-abdominal infections caused by carbapenem-resistant Gram-negative bacteria (excluding Acinetobacter species). The study has achieved the prespecified study objectives. For the primary endpoint of overall treatme

Yoshihiro Shimamura Joins the Marché du Film’s “Investors Circle 2026” as an Invited Investor, Backing a New Feature Film17.7.2026 03:00:00 CEST | Press release

Shimamura Yoshihiro Film Production Co., Ltd. (Head office: Osaka, Japan; Representative Director: Yoshihiro Shimamura), a company active in film production and investment, today announced that Representative Director Yoshihiro Shimamura has decided to invest in an international feature film after being invited to the “Investors Circle 2026” — a distinction that reflects his standing as one of the field’s most highly regarded producers and investors. Hosted by the Marché du Film, the business arm of the Festival de Cannes and one of the world’s largest film markets, the Investors Circle is an invitation-only summit that connects a select group of private investors with high-end feature films during early-stage financing. Held in Cannes, France, May 16-17, 2026, it brings internationally acclaimed directors and producers together with investors around a curated slate of projects in development. During the summit, Shimamura attended private pitching sessions and, after individual meeting

Takeda’s Zasocitinib Demonstrates Consistent, High Rates of Skin Clearance Across the Body, Including Hard-to-Treat and High-Impact Sites, in Phase 3 Psoriasis Studies17.7.2026 00:00:00 CEST | Press release

On average, about 75% of patients with scalp psoriasis treated with zasocitinib achieved clear or almost clear skin at week 16 Approximately 70% of patients with palmoplantar disease treated with zasocitinib achieved clear or almost clear skin at week 16 Zasocitinib demonstrated statistically significant improvements in Nail Psoriasis Severity Index (NAPSI) versus placebo Results reinforce the potential of zasocitinib to deliver rapid and durable skin clearance, including in the hardest-to-treat areas, in a convenient once-daily pill Takeda (TSE:4502/NYSE:TAK) announced new data from the two pivotal Phase 3 studies of zasocitinib (TAK-279), a next-generation, highly selective and potent oral tyrosine kinase 2 (TYK2) inhibitor, in adults with moderate-to-severe plaque psoriasis (PsO).1 Presented at the 2026 American Academy of Dermatology (AAD) Innovation Academy, these secondary endpoint data show that zasocitinib demonstrated consistent and high rates of skin clearance across hard-to-

Merz Completes Inaugural €450 Million Schuldschein Loan Issuance16.7.2026 23:36:00 CEST | Press release

Debut transaction more than three times oversubscribed The Merz Group has successfully completed its first-ever Schuldschein loan issuance, placing a total volume of €450 million in the debt capital market – a multiple of three relating to the launch volume. The debut transaction was significantly oversubscribed and attracted strong interest from all investor groups. The proceeds were settled and paid out today. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260716926041/en/ Dr. Almuth Steinkühler, Chief Financial Officer Merz Group The transaction comprises both fixed- and floating-rate tranches with maturities of three, five, seven, and ten years. Around 50 German and international investors participated, representing a broad range of institutions, including private banks, German federal state-owned banks, public savings banks, cooperative banks, pension funds and occupational pension institutions. With the successful plac

In our pressroom you can read all our latest releases, find our press contacts, images, documents and other relevant information about us.

Visit our pressroom
World GlobeA line styled icon from Orion Icon Library.HiddenA line styled icon from Orion Icon Library.Eye