Business Wire

73 Percent of Retail Applications Contain Security Flaws, but Only a Quarter Are Fixed


Veracode, a leading global provider of modern application security testing solutions, today revealed that almost three-quarters of applications in the retail & hospitality sector contain security flaws, but only 25 percent of these are fixed. Furthermore, 17 percent of these flaws are categorized as ‘high severity’, meaning they pose a serious risk to the business if exploited. With 76 percent of Americans planning to shop the Black Friday sales on 25 November*—and 56 percent planning to purchase entirely online**— retailers should take extra care to reinforce the security of their ecommerce systems, digital payment platforms, and supply chains.

The data was published in Veracode’s annual State of Software Security (SoSS) report v12, which analyzed 20 million scans across half a million applications in the retail, manufacturing, healthcare, financial services, technology, and government sectors.

Chris Eng, Chief Research Officer at Veracode, said, “Maintaining customer loyalty and trust is priority number one for retailers, and this will be heightened during the Black Friday period. With the average cost of a data breach in the retail sector calculated at $3.28 million***, implementing robust tools and practices to secure the applications customers use to browse and make purchases is imperative.”

Despite the relatively low number of flaws that are fixed, the retail industry takes second place for overall remediation rate, highlighting the need for software security improvements from organizations across all sectors. Eng said, “Compared with other sectors, retailers are better at fixing flaws when they’re discovered. While this is encouraging, it’s clear more needs to be done across the board to integrate flaw identification and remediation into the software development pipeline so that vulnerabilities can be addressed more efficiently.”

Server configuration, insecure dependencies, and authentication issues are the most common types of application flaws across most industries. The retail & hospitality sector follows a similar pattern; however, the sector has higher percentages in nearly every flaw category—perhaps due to the greater functional complexity of customer-facing and back-office applications.

Flaw Fix Times Fluctuate in Retail

Veracode analyzed three different scan types to generate industry comparisons for fix times: dynamic analysis security testing (DAST), static analysis security testing (SAST), and software composition analysis (SCA). Retailers were found to be the quickest to address flaws discovered by DAST, at 70 days to reach the halfway point, which is a staggering 46 days faster than financial services in second place. When it came to SAST and SCA, however, the retail sector fell to the middle of the pack, taking 346 days and 470 days respectively to reach the halfway fix point.

Across all industries, flaws in third-party libraries discovered through SCA persist for longer than those found through SAST and DAST, with 30 percent of vulnerable libraries still unresolved after two years. For the retail sector, that statistic rises to 35 percent and lags the cross-industry average by more than six months. Nevertheless, retailers should be assured that the gap is never too wide to close. Indeed, Veracode’s 2021 State of Software Security report found 92 percent of open-source flaws can be easily fixed with a simple update, which is good news for retailers looking to secure their software supply chains.

In the run-up to Black Friday, and nearly one year since the infamous Log4j vulnerability was first reported, retailers will be on high alert to maintain the speed, efficiency, and security of their applications. Businesses should take extra care to uncover vulnerabilities in third-party software using a combination of SCA and development tools. Using this approach with Veracode, Darius Radford, Application Security Architect at specialty retailer Floor & Decor, was able to get a comprehensive view of risk posed by vulnerable libraries in the company’s software: “We were able to quickly figure out all the places running Log4j and remediate the situation.” Trey Tunnel, Floor and Decor’s Chief Information Security Officer, added, “Our customers are our top priority. With Veracode, we have the confidence that our software is secure and—more importantly—our customers have the confidence that our software is secure.”

The Veracode State of Software Security v12 retail & hospitality snapshot is available to download here and the full report is available here.

* Future Publishing, “Exploring the impact of rising inflation”, June 2022,
** Dot Digital, “Black Friday Stats: Everything You Need to Know (updated 2022), Jenna Paton, 20 September 2022,
*** IBM Security and The Ponemon Institute, “Cost of a Data Breach Report 2022”, July 2022,

About the State of Software Security Report

The Veracode State of Software Security (SoSS) v12 analyzed the full historical data from Veracode services and customers. This accounts for a total of more than half a million applications (592,720) that used all scan types, more than a million dynamic analysis scans (1,034,855), more than five million static analysis scans (5,137,882) and more than 18 million software composition analysis scans (18,473,203). All those scans produced 42 million raw static findings, 3.5 million raw dynamic findings, and six million raw SCA findings.

The data represents large and small companies, commercial software suppliers, software outsourcers, and open-source projects. In most analyses, an application was counted only once, even if it was submitted multiple times as vulnerabilities were remediated, and new versions uploaded.

About Veracode

Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Learn more at, on the Veracode blog and on Twitter.

Copyright © 2022 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

To view this piece of content from, please give your consent at the top of this page.

Contact information

Katy Gwilliam

About Business Wire

Business Wire
Business Wire
24 Martin Lane
EC4R 0DR London

+44 20 7626 1982

(c) 2018 Business Wire, Inc., All rights reserved.

Business Wire, a Berkshire Hathaway company, is the global leader in multiplatform press release distribution.

Subscribe to releases from Business Wire

Subscribe to all the latest releases from Business Wire by registering your e-mail address below. You can unsubscribe at any time.

Latest releases from Business Wire

BLUETTI Opens First Flagship Store in Munich, Germany for Hands-on Experience3.12.2022 10:40:00 CET | Press release

To enhance the user experience, BLUETTI, a top-three solar generator brand, has opened its first physical storefront in Munich, Germany, on November 4. This press release features multimedia. View the full release here: (Photo: Business Wire) This so-called WOC X BLUETTI store is set up as a physical hub of what the brand represents online. It showcases BLUETTI's entire product range, from the latest releases to iconic models, along with other accessories. Customers can get a real feel for products before making any purchases. However, it does not currently offer repair services. BLUETTI's new inventions, the AC500&B300S and EP600&B500, are already displayed there. Both are modular in design and substantially updated in capacity and capability. With a 5.000W output and 16 outlets, the AC500 can be used as a solid backup power source on the go or in the house. Sporting a max capacity of 80kWh, the EP600 can be integrated into exi

Esri Named a Leader in 2022 Climate Risk Analytics Report by Independent Research Firm2.12.2022 16:42:00 CET | Press release

Organizations are using modern geographic information system (GIS) technology to better understand the risks presented by climate change and take action. With GIS-driven mapping, analytics, and visualization, leaders can weigh the costs and benefits of plans, mitigate climate-related damage to assets, and make sustainable decisions despite an unpredictable planet. Esri—the global leader in GIS used by many Fortune 500 companies and governments worldwide to improve these sustainability practices—has been recognized by independent research firm Forrester in its report, The Forrester New Wave™: Climate Risk Analytics, Q4 2022. In the report, authored by principal analyst Renee Murphy, Esri received a differentiated rating, the highest score possible, in nine out of ten criteria, including “Advanced Data Processing,” “Visualization,” and “Threat Modeling.” The Forrester report says Esri “offers leading data visualization and advanced processing capabilities,” and that “Esri’s platform acts

Huawei Publishes First White Paper on Approaches to Fairness, Equity & Opportunity2.12.2022 04:07:00 CET | Press release

Huawei called on the ICT industry players to create a level playing field for all people, not just their own employees in its first White Paper on Approaches to Fairness, Equity & Opportunity at their Women in Tech event held at the Peter Drucker Forum. This press release features multimedia. View the full release here: (Graphic: Business Wire) This White Paper is part of Huawei's ongoing campaign aimed at increasing digital skills education and access for women across the world. Huawei, like many other companies within the ICT industry, has advocated on fairness, opportunity, and equity within their own operations. Notably, the company has taken measurable steps to increase diversity in their workforce and increase internal representation of marginalized groups. It is widely understood that significant, tangible results from such programs are often slow to materialize. And thus Huawei has focused many of its efforts beyond the

H&M and Webhelp Finalize Acquisition of H&M’s Nuremberg Customer Service Center1.12.2022 16:29:00 CET | Press release

The responsible authorities have officially approved the transfer of fashion brand H&M’s Nuremberg customer service center to Webhelp, a leading global customer experience BPO player. The companies, having already signed an agreement in this regard on 19 October 2022, will see Webhelp operate the service center from 1 December onwards under its own name. With this acquisition, Webhelp doubles the number of its employees in Nuremburg and is now one of the largest employers in the industry in northern Bavaria. Today, Webhelp employs more than 110,000 employees in over 60 countries. Webhelp's German headquarters in Nuremberg already provides an attractive working environment with state-of-the-art technical equipment for over 500 employees. Furthermore, Webhelp is committed to investing in the development and wellbeing of its customer advisors, known as 'game-changers,' around the world. Webhelp will welcome the 500 employees of the H&M Service center from today, 1 December, to the Webhelp

Morgan Stanley Sustainable Signals: New Survey Shows Opportunities Exist for Asset Managers to Better Meet Asset Owner Sustainable Investing Needs1.12.2022 16:00:00 CET | Press release

Asset managers have the opportunity to meet asset owners’ growing demands for sustainable investment practices, products and reporting, according to new research by the Morgan Stanley Institute for Sustainable Investing. The latest in the Firm’s Sustainable Signals series, this institutional investor survey polled 110 asset owners in North America, Europe and Asia, as well as 201 asset managers across the same regions to understand what asset owners want and what asset managers are offering—and where the gaps lie in delivering environmental, social and governance (ESG) solutions. “The results of our latest Sustainable Signals survey show that sustainable investing remains an important focus area for institutional investors globally, with the vast majority reporting an increased interest over the past two years,” said Jessica Alsford, Chief Sustainability Officer and CEO of the Institute for Sustainable Investing at Morgan Stanley. “At the same time, our findings show a significant oppo