As online retailers prepare for the upcoming holiday shopping season, security researchers are warning that cybercriminals will be on the prowl this year, with the added factor of the coronavirus pandemic pushing many Black Friday shoppers online.
Chris Eng, chief research officer with Veracode, warns that the deluge of in-person shoppers during the pandemic has pushed restaurants, boutique shops and other retailers to adopt new online ecommerce software platforms, but they aren't prepared to implement the correct security measures for them.
"Everybody's becoming more dependent on software. And now they get to also have the challenges of securing that software that other companies have had before," he said during this week's Threatpost podcast.
Listen to the full Threatpost podcast, where Eng discusses the top threats and trends to expect during the online holiday retail season in 2020, as well as top takeaways from Veracode's State of Software Security report, released on Tuesday.
Below find a lightly edited podcast transcript.
Lindsey O'Donnell Welch: Welcome back to another episode of the Threatpost podcast. This is Lindsey O'Donnell Welch with Threatpost. And I am joined today by Veracode chief research officer, Chris Eng, who is here to talk about retail application-security challenges and security advances in that area, as well as a new State of Software Security report by Veracode that was just released. So Chris, thank you so much for coming on to the show today.
Chris Eng: Great to be here.
LO: Great. So I really want to focus on the state of software security overall, but then also the retail industry, especially with Amazon Prime Day earlier in October, and then the holiday-season shopping kicking off with Black Friday and Cyber Monday. How is retail security going to face different challenges this year, with how applications are being used and being vulnerable and things like that? But before we discuss that, do you want to talk a little bit about the State of Software Security report and some of the big takeaways and trends that you saw there?
CE: Yeah, sure, happy to. So this is a report that Veracode releases every year, and the data set gets bigger every year, because we use our customer data to basically find some of the trends that are happening in the application-security space. Because of where we are as a cloud service, we have access to all that data. And so we can slice and dice it in many different ways and ask interesting questions about what's happening out there. And so this time, for example, we looked at 130,000 active applications that are being developed across the world in different industries, and we really wanted to focus in this year on the theme that we ended up with, which is "nature versus nurture." In other words, you know, what do you control? And what don't you control? When you think about the vulnerabilities that you have in your applications, how long it takes to fix those, and to what extent you actually get after those, what can you control? And we thought that was an interesting question to ask, because we had found in previous reports that, for example, customers that scan more frequently actually reduce their security debt much faster and much more efficiently than those that didn't. And so we said, well, what other factors are there? And so that's something that, when we looked at it, we thought about certain things that you just inherit, right? There's certain things that you don't really control: you don't control the size of your organization, the size of your application, the amount of security debt that you inherit. That's kind of like your nature, right? But then there are things that you do control. You control how frequently you scan, what types of scanning that you use, different technologies, how regular your scan cadence is. Is it bursty, is it irregular versus regular?
And basically, in a nutshell, we found that all these things that you do control can actually improve your fix time significantly, even if you're dropped into, like, a bad environment. Even if you're dropped into an old, crusty legacy application in a slow-moving organization with a high amount of security debt, there's still things that you can do as a developer to improve the overall security of the application. So I thought that was a really, really cool finding, to kind of isolate all these different factors and kind of show the correlation there.
LO: Yeah, I think that is a really good way to put it, that "nature versus nurture" outlook there. And, you know, when you're looking at what developers can do, especially if they are working with a legacy application, or maybe an organization that is massive, or that might not have the right security controls in place, what were some of the top things that you're seeing that developers can do to really try to improve that security posture there?
CE: Yeah, we found that, you know, scanning frequently and using automation to do that was a big factor. And this was kind of building on something that we had observed last time around when we did this report. That, if you've got this kind of baked into the way that you're developing software, it just becomes a habit, right? It's something that nobody has to go out of their way to actually take an extra step to do, it just happens, right? So if I set up my build system, or my code repository, so that whenever somebody tries to merge in some new code, it runs the security testing alongside their unit tests, or their other QA testing, and just doesn't let them kind of move forward unless they fix those bugs, you're actually fixing stuff earlier than you would otherwise. We also found, kind of interesting, that if you're using other security testing techniques, other than our primary one, which is static analysis (we also have dynamic analysis, and we have software component analysis), if you use those other techniques in addition to the basic static analysis, that also correlates with faster fix times, which is a little bit counterintuitive at first, right? You're thinking, well, you're going to have more findings, so doesn't that mean things will slow down? But actually we saw that when customers were doing dynamic scanning alongside static, that correlated to a 24-day increase, well, 24 days faster in getting things fixed. So those are really, really interesting findings that came out that we really didn't expect.
LO: Right, right. And I'm also curious, what are you still seeing in terms of the top challenges and threats that software developers are facing? Are you seeing that to be consistent with previous years? Are you seeing any sort of trends or changes there? I know that previously, at least for applications, we've seen a lot of cross-site scripting and credential-management flaws and things like that. What did you see this past year?
CE: Yep, you got it, the same old categories are still coming up. And, you know, ever since the beginning, since we've been reporting on this, you know, you still see the SQL injection, you still see the cross-site scripting, information leakage, cryptographic issues, the things that we've known about for 10, 20 years now. And we know how to fix them, right? As security practitioners, we know how to fix them. But, you know, I think oftentimes, even still today, that knowledge is not getting into developer curriculum. So you know, developers are coming in, and first of all, they don't have the knowledge of how to avoid these types of issues. And then later, someone's actually telling them to fix these issues, when they really don't have a good grounding in the impact and what they did right versus wrong. And so it's not too surprising that you see the same categories come up over and over again; most of these are kind of decreasing in prevalence, slightly, over time. But what also happens is, there are more new languages that crop up, there's new frameworks, people are using these, you know, new libraries. And as we get used to kind of fixing the older mistakes, there's all these new ways to make the same types of mistakes, which sounds like a pretty negative picture, but I've never really seen an entire category of flaw get eradicated, that just doesn't really happen. So we do have to do better at that. And we can at least focus on, let's knock out this stuff quicker. And eventually, we start to form habits around that and learn how to avoid them, so maybe at some point in the future, we can eradicate some of these.
LO: Right. That's a really good point. And, you know, cybercriminals are always going to go for kind of those low-hanging fruit vulnerabilities also, so they're always going to be there and to make systems vulnerable, in terms of, you know, attackers targeting them as well.
CE: Yeah, they know how to do that, right? Some of the most prominent breaches have come from application security vulnerabilities that we know how to prevent, right? At least in theory, but they're still out there, right? We still see SQL injection all over the place. And we know that leads to so many credential dumps or credit card dumps and things like that, at some very big companies.
LO: Right, right. And I also want to ask, too, I mean, we have been dealing with this pandemic over the past year. Have you seen any sort of effect of that on the state of software security? Or, I'm not sure, whether it's cybercriminals kind of looking for more vulnerable endpoints or different flaws, or whether it's kind of a decrease of security itself, secure measures? Not sure what you're seeing there?
CE: Right, right. Yeah, I mean, just from a general overall perspective, and not so much, you know, from this data set, but like, I would definitely say, anecdotally, phishing is on the rise, because everybody's working from home, everyone is now getting into this mode where they're expecting things to come at them from different places, they're getting information in different ways, right. And so I think some of the cybercriminals are really taking advantage of that. I've seen anecdotally an uptick in phishing, at least, in organizations, and I've heard others are seeing kind of the same.
We were definitely interested in kind of seeing what the effects of remote work have had on security scanning. Has that picked up, has that dropped off? Have fix times gotten better or worse, like how productive are people being in that capacity? And we are both going to have to wait till the next report for that. Because the end date of the window for the data set that went into this report was March 31. And so it was one year's worth of data ending March 31. And that's when we kind of started doing our analysis for this. And so we, Veracode, we started working remotely March 13. I think most companies were doing it at some point in March. So we really haven't had the data yet to be able to see, like, what exactly is that having? Now, as we've gone in kind of ad hoc and kind of looked at customer activity, we haven't really seen any fall-off in activity. But I also haven't seen, like, a significant uptick. I mean, everyone's still developing software, I mean, the nature of business isn't changing, everyone's still running their businesses on software. So we wouldn't expect to see a huge fall-off there. But I think it's gonna be really interesting, once we actually get a full year of this data, or hopefully less, things have to get back to normal, but we'll actually kind of be able to see, like, did that massive change in how we work affect security in a good way or bad way?
LO: Right, right. I think everyone's kind of waiting to see in that regard. But to your point about the phishing attacks and other types of attacks that we're seeing, that are more kind of email-based, I think that those have definitely also become more sophisticated, whether it was the initial kind of healthcare research lure that we saw with the breakout of COVID, or, more recently, you know, it's more about U.S. elections or things like that. And with the retail holiday shopping season upon us, I think that those are also, you know, evolving in that direction as well. And so, I mean, looking at retail security, and how retail application security fits into that, I'm curious what you're seeing there, with Black Friday and Cyber Monday up on the horizon.
CE: Yeah, you know, when we look at retail, when we slice out the retail data that we have and compare them against other industries, there's a few things that stick out. Obviously they have the same types of issues as everybody else, right? Software developers obviously move between industries and kind of make the same types of mistakes, and so we don't see a major variation in the types of issues that we're seeing in retail. Slight variations, right? Information leakage slightly lower, cryptographic issues slightly higher, but for the most part, things are within three to five percentage points plus or minus. And so that's not really the most interesting part of the story. We do see that in retail, when we think about the half-life of the flaws (when I talk about a half-life, it's like, how long does it take you to fix half of the flaws?), retail actually comes out on top. 125 days is their half-life, which sounds pretty bad, right? That's several months. But it's significantly better than some of the other industries we looked at. So we'd see that they're responding more rapidly than other industries are. And I think you could attribute that to just, they have to respond more quickly to consumers than some of these other industries might have to do, right. Obviously, there's consumers involved in all of them. But if you think about using a retail site, and the increased dependence that people are going to be having on shopping online, or just getting things done online versus going places now, it's not surprising, that kind of customer focus that you see there. So I thought that was interesting, that they stood so far apart from some of the other industries. Like the worst-performing industry was 297 days as a half-life. So that's like more than double. That was manufacturing, I think.
So we see them as suffering from the same types of issues, the same concerns, the same challenges, as other industries, but in some senses, getting after it a little bit better.
LO: And that's pretty promising too, just, especially over the past year, I feel like there has been kind of shifting trends in the landscape that have led to a lot more online shopping from consumers. And even, you know, during the pandemic, if I needed shampoo or hand sanitizer or something, I would go to Amazon, and you know, I'm not going to the store.
CE: Right, exactly, I ordered, like, duct tape on Amazon the other day, instead of going to the hardware store. So like the dependence on all these things is going up. And I think you're also seeing more innovation, right, you're seeing, I don't know, you're seeing more services or businesses that weren't online before at all, that avoided it, moving more towards online. Like, for example, a lot of restaurants that previously were the type that, you know, you just have to go stand in line, and there's no reservations, and you can't get anything, you know, takeout, you can't order anything ahead of time, have had to move very quickly to being able to do a lot of those things, and to have this dependence on, you know, building software, or in a lot of cases, just, you know, using somebody else's software, to be able to enable those capabilities, right. So there's suddenly this big dependence on software that's running those types of activities that probably, I'd love to see the stats on this, I'd love to see the business, the revenue increase on companies like Tock and like Toast and things like that, right? Everyone is just like, suddenly, this is the only way to conduct business, it's the only way to stay afloat. And so I think you're going to be seeing that, I think you'll see that also in not just restaurants, but in other parts of the retail sector, where suddenly you have to enable online shopping, curbside pickup, that sort of thing, when you might have been able to avoid that before. So everybody's becoming more dependent on software. And now they get to also have the challenges of securing that software that other companies have had before.
LO: Right. Right. And, you know, speaking of challenges, can you talk a little bit about the top challenges that these, you know, maybe retailers who are trying to adapt to this new landscape might be facing in securing customer data and their software, and, you know, what they're up against, in terms of the top threats of cybercriminals and different types of attacks?
CE: With consumer stuff, a lot of it just comes down to protecting customer information, cardholder data, all of the things that we read about leaking whenever there's a major breach. And if a company is kind of starting from scratch and developing their own systems, and they haven't had to do this kind of thing before, I think that's a big potential pitfall, because they haven't really given any thought to how do they protect this type of data online, how are they storing it? How are they transmitting it? How long do they have to keep it? What are the privacy implications? These are all things that, if you've been doing this for a while, you've learned how to do over time, you've learned what's kind of required from a regulatory standpoint, PCI, and so on. And you've got more catching up to do if you're kind of building a lot of this yourself. Now, if you're going in and you're relying on, like, a third-party provider that's already been in the space, I think you're able to do that a lot more safely, right? Like I mentioned, if you're bringing your reservations online to Tock and you're ordering through Toast, and you're processing payments through Square or Stripe, or something like that, like you're not building all this stuff yourself, right. And you're entrusting that vendor to do the right things as far as protecting your data, your customers' data, and keeping it segregated from other customers' data, making sure it doesn't leak. And there's more experience in those types of companies, but that's going to create, I think, increased pressure on vendors in general, right, that we're outsourcing these things to, to kind of attest to what measures they're taking to do that protection. It's kind of the same as, you know, when we build software ourselves and we use open-source libraries to do that, we're not immune to any vulnerabilities that may come up as a part of using those libraries.
Same thing here, right? If I entrust the processing of certain data to some other company, I still have to account for that risk, right? If my customer's credit card is leaked in some sort of breach, that customer doesn't care that it happened because I wrote code or because somebody else wrote code, right? They just care that they have fraudulent charges. And so you have to think about and make sure that the vendors that you're using are also taking the right measures from a security perspective, because that then impacts you.
LO: Right, right. And I know that's something that definitely takes a lot of companies by surprise, and they really don't think about, but you know, if you look at, for instance, like the Target breach that stemmed from an HVAC system, and yet Target was the one that kind of held the brunt of the blowback there, just because it was a big brand.
CE: Right, they took the hit, right? Nobody outside of the security industry is going to be able to tell you that it was a flaw, like an application security flaw, in a web application by the HVAC company, right. Nobody knows that. So yeah, perfect example. So you kind of have to think about all the dependencies that you're using to run your business in kind of this new era. And I think for every business that's going to increase.
LO: So Chris, before we wrap up, I just want to ask, if you have any other kind of big takeaways that you want to highlight from Veracode's State of Software Security report, anything that really sticks out to you that you want to leave listeners with?
CE: Yeah, I think that, you know, kind of going back to what I was talking about, how we isolated kind of those things that you can control and those things that you don't, I think the big takeaway for me was that oftentimes, if you're a developer and you come into this environment where you just have all this, like, security debt or technical debt, and it just seems overwhelming, right? You're like, how am I ever going to dig out of this, it just seems like so much. And your company's only budgeting a certain amount of time and effort to work on things like that. It was good to find out that, even in the most challenging environments, the biggest applications, the craftiest applications, the big, slow-moving corporate culture, there were specific actions that you could take as a developer to improve the overall security of that application, right? Things that I control, like the scan frequency, the scan cadence, using automation and APIs, using additional testing techniques, those are all things that move the needle, those are all things that correlated with faster fix times. So no matter what environment I'm dropped into, whether it's a good, fast-moving one where things are just kind of moving like clockwork, or if it's the opposite of that, the actions that I take can still have positive outcomes on the security of that application. I think it seems very rare these days to have, like, a positive outcome when we look at security data, but I think that was a really good one. So I was happy to see that.
LO: Yeah, I really think that's a good point to make, because I do think, you know, for developers or for, you know, system admins or anyone, really, I'm in the security space, there's just so much out there in terms of threats. And going back to the "nature versus nurture" point that you made in the beginning of the podcast, there seems to be so much out of control there. But I think it's really important to highlight what can be done and how that's going to help improve security measures. So yeah, I appreciate you making that point. So, Chris, with that, thank you so much for coming on to the Threatpost podcast today to talk about the state of software and retail application security.
CE: Yeah, my pleasure. Great talking to you.
LO: Great. And to all of our listeners, thank you for tuning in to this week's episode of the Threatpost podcast. Once again, I'm Lindsey O'Donnell Welch with Threatpost, here with Chris Eng with Veracode, and we look forward to having you tune in for next week.