Dark Reading
Products and Releases
7/18/2012 03:43 PM

Veracode Outlines Security Risks Facing The Retail Industry

Retail networks prone to attacks because of tendency to contain large amounts of sensitive customer data

BURLINGTON, Mass., July 18, 2012 /PRNewswire/ -- Veracode, the leader in cloud-based application security testing, is calling for stronger controls to prevent large-scale data breaches as the security risks facing the retail industry mount.

Retail enterprises appeal to attackers because their databases hold large volumes of cardholder data, email addresses and Personally Identifiable Information (PII). The technology used to complete a transaction has also changed dramatically: Point of Sale (POS) terminals, barcode scanners on mobile devices, and customers who increasingly purchase online mean that massive amounts of personal data now pass through these devices and channels. This shift in purchasing behavior has raised a new set of challenges for retail enterprises trying to secure their networks.

"The implications from accessing applications over unsecure networks can be catastrophic," said Chris Wysopal, Co-Founder, CISO and CTO of Veracode. "Not only does sensitive data wind up in the hands of hackers who can use the information for identity theft, but data breaches can cost organizations upwards of $6.75 million, leading to numerous legal and regulatory problems, as well."

Rather than focusing strictly on database security and data leak protection (DLP), retailers also need to pay attention to their application security controls. Many are unaware that it is the application, not the database server, that reads, updates and displays customer data. Because the application already holds authorized access to that data, an attacker who finds a vulnerability in the application reaches the data through a path the database and DLP controls treat as legitimate. Finding such a flaw is far easier than defeating those controls directly.
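The following is an added illustration of the point above; it is not code from the press release or from Veracode. The release names no specific class of flaw, so the example uses the most common one for data-handling web applications: a lookup that builds SQL from user input. The storefront, the `customers` table, the application account's read access and the sample rows are all constructed assumptions. The database sees only queries arriving from the application's own connection, so the vulnerable version hands over every row without any database-layer control being violated; the hardened version binds the input as a parameter.

```python
import sqlite3

# Constructed sample data standing in for a retail customer table (not real data).
SAMPLE_CUSTOMERS = [
    ("Alice Example", "alice@example.com", "4242"),
    ("Bob Example", "bob@example.com", "0005"),
    ("Carol Example", "carol@example.com", "1111"),
]


def build_store() -> sqlite3.Connection:
    """In-memory database the hypothetical storefront application connects to.

    The connection plays the role of the application's database account, which
    is legitimately allowed to read the whole customers table.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Order-status lookup built by string concatenation (the flaw).

    Whatever SQL this function sends is 'authorized' from the database's point
    of view; only the application decides which rows come back, and here the
    user controls part of that decision.
    """
    query = f"SELECT name, email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_customer_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Same lookup with a bound parameter: the input is data, never SQL."""
    query = "SELECT name, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Input a hostile user might type into the storefront's email field.
HOSTILE_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_store()
    # The WHERE clause becomes  email = '' OR '1'='1'  and matches every row.
    print("vulnerable:", lookup_customer_vulnerable(conn, HOSTILE_INPUT))
    # The same string is compared literally against the email column: no rows.
    print("hardened:  ", lookup_customer_hardened(conn, HOSTILE_INPUT))
    print("hardened, real email:", lookup_customer_hardened(conn, "bob@example.com"))
```

Nothing in the database audit trail distinguishes the two calls: both arrive over the application's connection as a SELECT on a table it is permitted to read. That is why the release argues that controls at the application layer have to accompany database security and DLP.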

Research from Veracode shows that organizations spent an estimated $35 billion on security infrastructure in 2011, yet hundreds of data breaches were still reported. Veracode attributes this largely to a lack of security at the application layer. Whether retailers use internal or external developers to build applications for their customers, they need to be cognizant of the software supply chain and define their security requirements for developers in advance, before vulnerabilities are written into the code.

About Veracode

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis.

Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. Veracode works with customers in more than 80 countries worldwide representing Global 2000 brands. For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.
