The retail industry’s reputation for providing software security has taken some hits over the years. The top 15 data breaches of the current century include Target in 2013, with account information on an estimated 110 million customers compromised; TJX in 2006, with 94 million credit cards exposed; and Home Depot in September 2014, with about 56 million customer credit/debit cards compromised.
SecurityScorecard’s 2018 Retail Cyber Security Report concluded that “although hackers have become increasingly clever with stealing credit card data, the retail industry is no better prepared to deal with the threat.” Of 18 industries analyzed, retail was “the second lowest performer in terms of application security, indicating a decrease from 2017’s Retail Report when it was the fourth lowest performer,” the report said.
Looking at the industry through another lens, there’s hard evidence that at least a portion of it is taking security seriously. Measuring its collective proficiency across a long list of software security activities, retail outpaces several other industries, including healthcare.
Retail Joins the BSIMM
Retail is the newest vertical to be studied in an annual industry report called the Building Security In Maturity Model (BSIMM). Launched in 2008, the BSIMM is a self-described measuring stick for software security. It's not a “how to” guide. Rather, it’s a “what’s happening now” guide that allows businesses to review the software security initiatives (SSIs) of others in their industry, and to see what's working or perhaps not working.
The latest report, BSIMM9, tracked the SSIs of 120 firms in eight industries, covering 116 activities they can implement to improve their software security. And it's not only participants that can compare their own SSIs with their peer companies. Anyone can. The data collected and organized are available for free to any business under the Creative Commons Attribution-Share Alike license.
What Insights Can Retailers Take From the Report?
For one, participating firms demonstrated significant progress in software security. A comparison of retail vs. “Earth” (the average of all BSIMM9 participants) showed that retail performed better than average in several security practices, below average in only two, and close to average in the rest.
Also, the software security group (SSG) — the internal group responsible for SSIs — of participating companies in the retail vertical tended to be small (averaging around eight full-time people) and relatively new (average tenure of only 3.2 years).
Security Strengths in Retail
Of the practices where retailers rank ahead of Earth average, one is architecture analysis, which is focused in large part on design review of applications, especially high-risk applications. One of the core activities is to have experts — i.e., software architects — lead the design review effort.
Another is software environment, which includes application input monitoring, the use of application containers, and ensuring cloud security. And a third is configuration management and vulnerability management practices, which include tracking and fixing software bugs and having a rigorous incident response plan in place.
Security Weaknesses in Retail
The two practices where the retail industry came in below average were compliance and policy as well as security testing. The first is extremely important because it involves securing personally identifiable information (PII) of customers and demanding security from third-party vendors or partners. As recent history has shown, breaches that expose PII can not only have devastating legal and financial costs but can also lead to a loss of customer trust. And security testing is just what it says: it focuses on testing software for vulnerabilities during the entire development and quality assurance process of applications.
Other practices where retail tracked close to the average included training, code review, security testing, strategy and metrics, security features and design, attack models, standards and requirements, and penetration testing.
Retail’s Proactive Journey to Maturing its Software Security Stance
Retail’s overall superior performance compared to some other verticals (particularly healthcare) is likely the result of two factors. First, retailers have had the benefit of being able to use the BSIMM as a guiding “map” in the software security space.
As a late adopter, retail benefits from all the lessons that early adopters learned the hard way. Figuratively speaking, retail may have been able to accelerate quickly because it looked at the BSIMM map and decided to take the interstate in the right direction instead of a bunch of back roads in the wrong direction.
The second, more painful, reason could be described as “getting security religion the hard way.” Sadly, catastrophic data breaches, in which hackers exploit vulnerabilities in IT systems, are part of recent history in retail.
Strength in Numbers
Happily, two of those victims — Target and Home Depot — realized after some soul searching that they needed to clean up their act in a hurry and do better than simply check a compliance box. Both have joined the BSIMM community, where they're working to improve their security posture and build security in.
As is the case in any data-driven project, a more accurate, detailed picture of the retail sector will emerge as the number of retail firms in the study grows. BSIMM9 includes 50 financial services firms and 42 independent software vendors. Retail is likely to grow just as big.
The benefit to retailers goes beyond developing and mining collective data. The BSIMM community is a powerful resource, holding conferences, sharing best practices, and generally cutting through the BS in computer security. If you join the BSIMM, you’re going to get out more than you put in.
Taylor Armerding is a senior security strategist at Synopsys, which provides the world’s most advanced tools for silicon chip design, verification, IP integration, and application security testing.