As online retailers prepare for the upcoming holiday shopping season, security researchers are warning that cybercriminals will be on the prowl this year, with the added factor of the coronavirus pandemic pushing many Black Friday shoppers online.
Chris Eng, chief research officer with Veracode, warns that the pandemic-driven shift away from in-person shopping has pushed restaurants, boutique shops and other retailers to adopt new online e-commerce platforms – but they aren’t prepared to implement the correct security measures for them.
“Everybody’s becoming more dependent on software. And now they get to also have the challenges of securing that software that other companies have had before,” he said during this week’s Threatpost podcast.
Listen to the full Threatpost podcast, where Eng discusses the top threats and trends to expect during the online holiday retail season in 2020, as well as top takeaways from Veracode’s State of Software Security report, released on Tuesday.
Below find a lightly edited podcast transcript.
Lindsey O’Donnell Welch: Welcome back to another episode of the Threatpost podcast. This is Lindsey O’Donnell Welch with Threatpost. And I am joined today by Veracode chief research officer, Chris Eng, who is here to talk about retail application-security challenges and security advances in that area, as well as a new state of software security report by Veracode that was just released. So Chris, thank you so much for coming on to the show today.
Chris Eng: Great to be here.
LO: Great. So I really want to focus on the state of software security overall, but then also the retail industry, especially with Amazon Prime Day earlier in October, and then the holiday-season shopping kicking off with Black Friday and Cyber Monday. How is retail security going to face different challenges this year, with how applications are being used and being vulnerable and things like that? But before we discuss that, do you want to talk a little bit about the state of software security report and some of the big takeaways and trends that you saw there?
CE: Yeah, sure, happy to. So this is a report that Veracode releases every year, and the data set gets bigger every year, because we use our customer data to basically find some of the trends that are happening in the application-security space; because of where we are as a cloud service, we have access to all that data. And so we can slice and dice it in many different ways and ask interesting questions about what’s happening out there. And so this time, for example, we looked at 130,000 active applications that are being developed across the world in different industries, and we really wanted to focus in this year on the theme that we ended up with, which is “nature versus nurture.” In other words, you know, what do you control? And what don’t you control? When you think about the vulnerabilities that you have in your applications, and how long it takes to fix those, and to what extent you actually get after those, what can you control? And we thought that was an interesting question to ask, because we had found in previous reports that, for example, customers that scan more frequently actually reduce their security debt much faster and much more efficiently than those that didn’t. And so we said, well, what other factors are there? And so that’s something that, when we looked at it, we thought about certain things that you just inherit, right? There’s certain things that you don’t really control: you don’t control the size of your organization, the size of your application, the amount of security debt that you inherit; that’s kind of like your nature, right? But then there are things that you do control: you control how frequently you scan, what types of scanning that you use, different technologies, how regular your scan cadence is. Is it bursty, is it irregular versus regular?
And basically, in a nutshell, we found that all these things that you do control can actually improve your fix time significantly – even if you’re dropped into, like, a bad environment. Even if you’re dropped into an old, crusty legacy application in a slow-moving organization with a high amount of security debt, there’s still things that you can do as a developer to improve the overall security of the application. So I thought that was a really, really cool finding, to kind of isolate all these different factors and kind of show the correlation there.
LO: Yeah, I think that is a really good way to put it, that “nature versus nurture” outlook there. And, you know, when you’re looking at what developers can do, especially if they are working with a legacy application, or maybe an organization that is massive, or that might not have the right security controls in place, what were some of the top things that you’re seeing, that developers can do to really try to improve that security posture there?
CE: Yeah, we found that, you know, scanning frequently and using automation to do that was a big factor. And this was kind of building on something that we had observed last time around when we did this report. That, if you’ve got this kind of baked into the way that you’re developing software, it just becomes a habit, right? It’s something that nobody has to go out of their way to actually take an extra step to do, it just happens, right? So if I set up my build system, or my code repository, so that whenever somebody tries to merge in some new code, it runs the security testing alongside their unit tests, or their other QA testing, and just doesn’t let them kind of move forward unless they fix those bugs, you’re actually fixing stuff earlier than you would otherwise. We also found – kind of interesting – that if you’re using other security testing techniques, other than our primary one, which is static analysis – we also have dynamic analysis, and we have software component analysis – and the thing is, if you use those other techniques, in addition to the basic static analysis, that also correlates with faster fix times, which is a little bit counterintuitive at first, right? You’re thinking, well, you’re going to have more findings, so doesn’t that mean things will slow down? But actually we saw that when customers were doing dynamic scanning alongside static, that correlated to a 24-day increase – well, 24 days faster in getting things fixed. So those are really, really interesting findings that came out that we really didn’t expect.
LO: Right, right. And I’m also curious, what are you still seeing in terms of the top challenges and threats that software developers are facing? Are you seeing that to be consistent with previous years? Are you seeing any sort of trends or changes there? I know that previously, at least for applications, we’ve seen a lot of cross-site scripting and credential-management flaws and things like that. What did you see this past year?
CE: Yep, you got it, the same old categories are still coming up. And, you know, ever since we’ve been reporting on this, you know, you still see the SQL injection, you still see the cross-site scripting, information leakage, cryptographic issues, the things that we’ve known about for 10, 20 years now. And we know how to fix them, right? As security practitioners, we know how to fix them. But, you know, I think oftentimes, even still today, that knowledge is not getting into developer curriculum. So, you know, developers are coming in and, first of all, they don’t have the knowledge of how to avoid these types of issues. And then later, someone’s actually telling them to fix these issues, when they really don’t have a good grounding in the impact and what they did right versus wrong. And so it’s not too surprising that you see the same categories come up, over and over again; most of these are kind of decreasing in prevalence, slightly, over time. But what also happens is, there are more new languages that crop up, there’s new frameworks, people are using these, you know, new libraries. And as we get used to kind of fixing the older mistakes, there’s all these new ways to make the same types of mistakes, which sounds like a pretty negative picture, but I’ve never really seen an entire category of flaw get eradicated, that just doesn’t really happen. So we do have to do better at that. And we can at least focus on, let’s knock out this stuff quicker. And eventually, we start to form habits around that and learn how to avoid them; maybe at some point in the future, we can eradicate some of these.
LO: Right. That’s a really good point. And, you know, cybercriminals are always going to go for kind of those low-hanging fruit vulnerabilities also, so they’re always going to be there and to make systems vulnerable, in terms of, you know, attackers targeting them as well.
CE: Yeah, they know how to do that, right? Some of the most prominent breaches have come from application security vulnerabilities that we know how to prevent, right? At least in theory, but they’re still out there, right? We still see SQL injection all over the place. And we know that leads to so many credential dumps or credit card dumps and things like that, at some very big companies.
LO: Right, right. And I also want to ask, too, I mean, we have been dealing with this pandemic over the past year. Have you seen any sort of effect of that on the state of software security? Or, I’m not sure, whether it’s cyber criminals kind of looking for more vulnerable endpoints or different flaws, or whether it’s kind of a decrease of security itself, secure measures? Not sure what you’re seeing there?
CE: Right, right. Yeah, I mean, just from a general overall perspective, and not so much, you know, from this data set, but, like, I would definitely say, anecdotally, phishing is on the rise, because everybody’s working from home, everyone is now getting into this mode where they’re expecting things to come at them from different places, they’re getting information in different ways, right. And so I think some of the cyber criminals are really taking advantage of that. I’ve seen, anecdotally, an uptick in phishing, at least in organizations, and I’ve heard others are seeing kind of the same.
We were definitely interested in kind of seeing what effects remote work has had on security scanning – has that picked up, has that dropped off? Have fix times gotten better or worse, like, how productive are people being in that capacity? And we are both going to have to wait till the next report for that. Because the end date of the window for the data set that went into this report was March 31. And so it was one year’s worth of data ending March 31. And that’s when we kind of started doing our analysis for this. And so we, in America, started working remotely March 13. I think most companies were doing it at some point in March. So we really haven’t had the data yet to be able to see, like, what exactly is that having? Now, as we’ve gone in kind of ad hoc and kind of looked at customer activity, we haven’t really seen any fall-off in activity. But I also haven’t seen, like, a significant uptick. I mean, everyone’s still developing software, I mean, the nature of business isn’t changing, everyone’s still running their businesses on software. So we wouldn’t expect to see a huge fall-off there. But I think it’s gonna be really interesting, once we actually get a full year of this data, or hopefully less, things have to get back to normal, but we’ll actually kind of be able to see, like, did that massive change in how we work affect security in a good way or a bad way?
LO: Right, right. I think everyone’s kind of waiting to see in that regard. But to your point about the phishing attacks and other types of attacks that we’re seeing, that are more kind of email-based, I think that those have definitely also become more sophisticated, whether it was the initial kind of healthcare-research lure that we saw with the breakout of COVID, or, more recently, you know, it’s more about U.S. elections or things like that. And with the retail holiday shopping season upon us, I think that those are also, you know, evolving in that direction, as well. And so, I mean, looking at retail security, and how retail application security fits into that, I’m curious what you’re seeing there, with Black Friday and Cyber Monday up on the horizon.
CE: Yeah, you know, when we look at retail, when we slice out the retail data that we have and compare them against other industries, there’s a few things that stick out. Obviously they have the same types of issues as everybody else, right, software developers obviously move between industries and kind of make the same types of mistakes, and so we don’t see a major variation in the types of issues that we’re seeing in retail. Slight variations, right? Information leakage slightly lower, cryptographic issues slightly higher, but for the most part, things are within three to five percentage points plus or minus. And so that’s not really the most interesting part of the story. We do see that in retail, when we think about the half-life of the flaws – when I talk about a half-life, it’s like, how long does it take you to fix half of the flaws? Retail actually comes out on top. 125 days is their half-life, which sounds pretty bad, right? That’s several months. But it’s significantly better than some of the other industries we looked at. So we’d see that they’re responding more rapidly than other industries are. And I think you could attribute that to just, they have to respond more quickly to consumers than some of these other industries might have to, right. Obviously, there’s consumers involved in all of them. But if you think about using a retail site, and the increased dependence that people are going to be having on shopping online, or just getting things done online versus going places now, it’s not surprising, that kind of customer focus that you see there. So I thought that was interesting, that they stood so far apart from some of the other industries. Like the worst-performing industry was at 297 days in half-life. So that’s, like, more than double. That was manufacturing, I think.
So we see them as suffering from the same types of issues, the same concerns, the same challenges, as other industries, but in some senses, getting after it a little bit better.
LO: And that’s pretty promising too, just, especially over the past year, I feel like there has been kind of shifting trends in the landscape that have led to a lot more online shopping from consumers. And even, you know, during the pandemic, if I needed, shampoo or hand sanitizer, or something, I would go to Amazon, and you know, I’m not going to the store.
CE: Right, exactly, I ordered, like, duct tape on Amazon the other day, instead of going to the hardware store. So, like, the dependence on all these things is going up. And I think you’re also seeing more innovation, right, you’re seeing, I don’t know, you’re seeing more services or businesses that weren’t online before at all, that avoided it, moving more towards online. Like, for example, a lot of restaurants that previously were the type that, you know, you just have to go stand in line, and there’s no reservations, and you can’t get anything, you know, takeout, you can’t order anything ahead of time – have had to move very quickly to being able to do a lot of those things, and to have this dependence on, you know, building software, or in a lot of cases, just, you know, using somebody else’s software, to be able to enable those capabilities, right. So there’s suddenly this big dependence on software that’s running those types of activities that probably – I’d love to see the stats on this, I’d love to see the business, the revenue increase on companies like Talk and like Toast and things like that, right? Everyone is just like, suddenly, this is the only way to conduct business, the only way to stay afloat. And so I think you’re going to be seeing that, I think you’ll see that also in not just restaurants, but in other parts of the retail sector, where suddenly you have to enable online shopping, curbside pickup, that sort of thing, when you might have been able to avoid that before. So everybody’s becoming more dependent on software. And now they get to also have the challenges of securing that software that other companies have had before.
LO: Right. Right. And, you know, speaking of challenges, can you talk a little bit about the top challenges that these, you know, maybe retailers who are trying to adapt to this new landscape might be facing in securing customer data and their software, and, you know, what they’re up against in terms of the top threats of cyber criminals and different types of attacks?
CE: With consumer stuff, a lot of it just comes down to protecting customer information, cardholder data, all of the things that we read about leaking whenever there’s a major breach. And if a company is kind of starting from scratch and developing their own systems, and they haven’t had to do this kind of thing before, I think that’s a big potential pitfall, because they haven’t really given any thought to how do they protect this type of data online, how are they storing it? How are they transmitting it? How long do they have to keep it? What are the privacy implications? These are all things that, if you’ve been doing this for a while, you’ve learned how to do over time, you’ve learned what’s kind of required from a regulatory standpoint, PCI, and so on. And you’ve got more catching up to do if you’re kind of building a lot of this yourself. Now, if you’re going in and you’re relying on, like, a third-party provider that’s already been in the space, I think you’re able to do that a lot more safely, right? Like I mentioned, if you’re bringing your reservations online to Talk and you’re ordering through Toast, and you’re processing payments through Square or Stripe, or something like that, you’re not building all this stuff yourself, right. And you’re entrusting that vendor to do the right things as far as protecting your data, your customers’ data, and keeping it segregated from other customers’ data, making sure it doesn’t leak. And there’s more experience in those types of companies, but that’s going to create, I think, increased pressure on vendors in general, right, that we’re outsourcing these things to, to kind of attest to what measures they’re taking to do that protection. It’s kind of the same as, you know, when we build software ourselves and we use open-source libraries to do that, we’re not immune to any vulnerabilities that may come up as a part of using those libraries.
Same thing here, right? If I entrust the processing of certain data to some other company, I still have to account for that risk, right? If my customer’s credit card is leaked in some sort of breach, that customer doesn’t care whether it happened because I wrote code or because somebody else wrote code, right? They just care that they have fraudulent charges. And so you have to think about and make sure that the vendors that you’re using are also taking the right measures from a security perspective, because that then impacts you.
LO: Right, right. And I know that’s something that definitely takes a lot of companies by surprise, and they really don’t think about. But, you know, if you look at, for instance, the Target breach that stemmed from an HVAC system, and yet Target was the one that kind of held the brunt of the blowback there, just because it was a big brand.
CE: Right, they took the hit, right? Nobody outside of the security industry is going to be able to tell you that it was a flaw, like an application-security flaw, in a web application of the HVAC company, right. Nobody knows that. So yeah, perfect example. So you kind of have to think about all the dependencies that you’re using to run your business in kind of this new era. And I think for every business that’s going to increase.
LO: So Chris, before we wrap up, I just want to ask, if you have any other kind of big takeaways that you want to highlight from Veracode’s state of software security report, anything that really sticks out to you that you want to leave listeners with?
CE: Yeah, I think that, you know, kind of going back to what I was talking about, how we isolated kind of those things that you can control and those things that you don’t, I think the big takeaway for me was that oftentimes, if you’re a developer and you come into this environment where you just have all this, like, security debt or technical debt, and it just seems overwhelming, right? You’re like, how am I ever going to dig out of this, it just seems like so much. And your company’s only budgeting a certain amount of time and effort to work on things like that. It was good to find out that, even in the most challenging environments, the biggest applications, the craftiest applications, the big, slow-moving corporate culture, there were specific actions that you could take as a developer to improve the overall security of that application, right? Things that I control, like the scan frequency, the scan cadence, using automation and APIs, using additional testing techniques, those are all things that move the needle, those are all things that correlated with faster fix times. So no matter what environment I’m dropped into, whether it’s a good, fast-moving one where things are just kind of moving like clockwork, or if it’s the opposite of that, the actions that I take can still have positive outcomes on the security of that application. I think it seems very rare these days to have, like, a positive outcome when we look at security data, but I think that was a really good one. So I was happy to see that.
LO: Yeah, I really think that’s a good point to make, because I do think, you know, for developers or for, you know, system admins or anyone, really, in the security space, there’s just so much out there in terms of threats. And going back to the “nature versus nurture” point that you made in the beginning of the podcast, there seems to be so much out of control there. But I think it’s really important to highlight what can be done and how that’s going to help improve security measures. So yeah, I appreciate you making that point. So, Chris, with that, thank you so much for coming on to the Threatpost podcast today to talk about the state of software and retail application security.
CE: Yeah, my pleasure. Great talking to you.
LO: Great. And to all of our listeners, thank you for tuning in to this week’s episode of the Threatpost podcast. Once again, I’m Lindsey O’Donnell Welch with Threatpost, here with Chris Eng with Veracode, and we look forward to having you tune in for next week.