Retail enterprises appeal to hackers because their databases hold large amounts of cardholder data, email addresses and Personally Identifiable Information (PII). The retail industry has undergone a dramatic transformation in the technology used to complete a transaction, including Point of Sale (POS) terminals, barcode scanners on mobile devices, and customers increasingly inclined to purchase online, with the result that massive amounts of personal data are exchanged over these devices. This change in customer purchasing behavior has increased the number of new challenges retail enterprises face when trying to secure their networks.
"The implications from accessing applications over unsecure networks can be catastrophic," said Chris Wysopal, Co-Founder, CISO and CTO of Veracode. "Not only does sensitive data wind up in the hands of hackers who can use the information for identity theft, but data breaches can cost organizations upwards of $6.75 million, leading to numerous legal and regulatory problems, as well."
Rather than focusing strictly on database security and data leak protection (DLP), retailers also need to pay attention to their application security controls. Many are unaware that it is the applications, not the server, that manage, update and view customer data. It is much easier for an attacker to find a vulnerability in an application, since DLP controls are more easily bypassed at that layer.
Research from Veracode shows that organizations spent an estimated $35 billion on security infrastructure in 2011, yet hundreds of data breaches were still reported, mostly because of a lack of security at the application layer. Regardless of whether retailers use internal or external developers to create applications for their customers, they need to be cognizant of the software supply chain and outline their security requirements for developers in advance, before security vulnerabilities are introduced.
Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis.
Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. Veracode works with customers in more than 80 countries worldwide representing Global 2000 brands. For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.