The Rush to Innovate in Retail Has Left Applications Increasingly Exposed to New Cybercrime Threats
The retail industry continues to transform at speed in response to almost three years of seismic market disruption, and it shows no signs of slowing down. From buy online, pick up in-store (BOPIS) services and QR codes to smart mirrors and immersive experiences (through augmented reality, virtual reality and the metaverse), retailers recognize the need to deliver ever more engaging and personalized experiences to shoppers.
However, while the scale and speed of digital transformation within retail over the last few years has been truly phenomenal, there's a widespread recognition amongst retailers that application security simply hasn’t kept pace. This now poses a significant challenge for business and IT leaders.
In the latest research from Cisco AppDynamics, "The shift to a security approach for the full application stack," 92 percent of retail technologists admit that the rush to innovate during the pandemic has come at the expense of robust application security. There's also widespread concern that applications are increasingly susceptible to new and emerging cybersecurity threats — 82 percent of technologists in the sector feel that their organization is vulnerable to a multi-staged security attack that would affect the full application stack in the next 12 months.
In response, retailers need to adopt a new approach to application security that integrates security into the software development pipeline from day one, rather than it being an afterthought. This means shifting to a DevSecOps model in the IT department and ensuring that technologists have the unified visibility, insights and resources to identify and resolve security issues in real time across an increasingly dynamic and fragmented IT environment.
Technologists Ill-Equipped to Deal With Expansion in Attack Surfaces
Across the retail sector, technologists have accelerated adoption of cloud-native technologies, releasing ever more dynamic applications using low-code and no-code platforms. With the widespread adoption of multicloud environments, application components increasingly run on a mix of platforms and on-premises databases, resulting in a dramatic expansion of attack surfaces. This leaves major visibility gaps for IT teams and increases the risk of a security event, because technologists cannot see where new threats are coming from across a sprawling topology of applications.
Technologists are being bombarded with alerts from every corner of their IT estate, but they’re unable to cut through the data noise to analyze and prioritize issues based on their potential threat to customers and the business. As a result, IT teams report that they find themselves operating in "security limbo" because they don’t know where to focus their efforts.
A major problem for technologists is that their current security solutions work well in silos but not together, and they don’t provide a comprehensive view of their organization’s security posture. This means that IT teams can’t contextualize security issues based on potential business impact.
Additionally, there's a cultural conflict, where application security has generally been overlooked until the very end of the development pipeline. Development (DevOps) and security (SecOps) teams have operated in isolation, with very little collaboration unless a potential issue is identified — by which time it's often too late. Developers have actively avoided input from security colleagues for fear that it will slow release velocity.
Of course, the potential consequences of this application security gap are profound, including service disruption and outages, which lead to poor shopper experience, reputational damage and lost revenue.
Retailers Must Embrace DevSecOps and a New Approach to Application Security
Given the expansion of attack surfaces and the dynamic nature of modern application stacks, retailers urgently need to integrate security testing from the outset of the development process. This means much closer collaboration across the IT department.
DevSecOps brings together DevOps and SecOps teams so that application security and compliance testing are incorporated into every stage of the application lifecycle, from planning through to shipping. By taking this approach, developers can embed robust security into every line of code, resulting in more secure applications and easier security management, before, during and after release.
IT departments can avoid the current situation where security vulnerabilities are only addressed at the last minute before launch or identified after the application has already been released. Instead, security teams can analyze and assess security risks and priorities during planning phases to lay the foundation for smooth development. Indeed, when DevSecOps works well, it doesn’t slow down release velocity; it shatters the perception that security is an inhibitor of innovation.
Significantly, as many as 80 percent of technologists in the retail industry now regard DevSecOps as essential to effectively protect against a multi-staged security attack on the full application stack — more than in any other sector. And 44 percent of retail IT departments have already started taking a DevSecOps approach, with another 47 percent currently considering it.
DevSecOps involves major cultural change within the IT department, with technologists required to operate in a far more collaborative and transparent way, leaving behind entrenched mindsets and siloed working practices. It also requires the implementation of holistic monitoring systems that use artificial intelligence (AI) and machine learning technologies to cope with the spiraling volumes of security threats organizations are facing across an expanded attack surface.
This type of automation is essential to identify weaknesses, predict future vulnerabilities, and remediate issues. Once IT teams can teach AI tools to identify threats and resolve them independently of an administrator, the benefits are game-changing — reduced human error, increased efficiency, and greater agility in development. Indeed, 80 percent of retail technologists believe that AI will play an increasingly important role in addressing the challenges around speed, scale and skills that their organization faces in application security — a higher proportion than in any other industry.
Technologists are urgently looking to transition to a security approach for the full application stack that delivers complete protection for their applications, from development through to production, across code, containers and Kubernetes. Alongside this, IT teams are looking to integrate performance and security monitoring with business transaction insights to understand how vulnerabilities and incidents could impact end users and the business. This means that they can prioritize those threats that could do serious damage to a business-critical area of the environment or application.
Application security must no longer be an afterthought within innovation programs. Retailers need to recognize it as a key element of the application lifecycle, and the foundation for accelerated digital transformation moving forward.
Gregg Ostrowski is the chief technology officer advisor at Cisco AppDynamics, an application performance management (APM) and IT operations analytics (ITOA) company.
Gregg Ostrowski is regional chief technology officer at AppDynamics, an application performance monitoring and management platform.
Gregg is a senior executive and thought leader with over 20 years' experience in leadership positions for companies such as Research in Motion and Samsung. He has worked with many F1000 customers, government agencies and partners on digital transformation, mobile application deployments, DevOps strategies, analytics and high-ROI business solutions.