How retailers can deliver goods securely in the current state of vulnerability management

A new Dynatrace report highlights the challenges for retailers in managing vulnerabilities in ecommerce and supply chain software.

Dynatrace has released a new segment of its annual global chief information security officer (CISO) survey to reveal the state of vulnerability management in the retail sector.

“The 2022 CISO Research Report: Retail” surveyed 325 IT professionals within the retail industry. Like other industries, the retail sector is turning to dynamic multicloud environments, cloud-native architectures, and open source code to improve digital agility, according to the report. This enables retailers to provide better online shopping experiences for customers.

The data also demonstrates the challenges these new approaches have created for retail organizations, as managing and reducing enterprise risk has become more complicated.

Nearly two-thirds (64%) of CISOs in the retail industry say vulnerability management has become more difficult as the need to accelerate digital transformation has increased.

There are never enough layers of security protection

The rise of modern cloud environments has created a challenge for retailers, making it more difficult to secure the applications that power ecommerce experiences and supply chain operations.

To tackle this issue, 64% of retail organizations have a layered cybersecurity posture, supported by five or more security solutions.

Despite this multilayered posture, 71% of retail CISOs say there are gaps that allow vulnerabilities to slip through the net and reach live applications in production.

“The rise of omnichannel customer experiences and the explosive growth in online shopping that were triggered by the pandemic have permanently transformed the retail industry,” says Amit Shah, director of product marketing for application security at Dynatrace. “There’s more pressure than ever for DevOps teams to deliver faster innovation for retailers and their customers. While on many fronts they are succeeding, as a consequence, it is becoming more difficult to stop vulnerabilities escaping into production. This is, in turn, creating greater risk that cyberattacks could break through retailers’ defenses.”

Leaving the tills open

Another significant part of the challenge stems from the growing reliance on open source code, which many retailers now enlist in an effort to accelerate digital transformation.

Despite the added digital agility, this approach can also introduce significant security risks, as these third-party software libraries regularly contain vulnerabilities — and it takes time to identify and resolve them. According to the survey, only 25% of retail security teams can access a fully accurate, continuously updated report of every application and code library running in production in real time.

The extent of this problem was on display in the retail industry with the discovery of Log4Shell in December 2021. An astonishing 97% of retail organizations say they faced risk exposure from that vulnerability, with many of them classifying that risk as “high” or “severe.”

The problem is not just identifying vulnerabilities like Log4Shell. Many retail organizations cannot determine the impact on their security posture, and they lack the context needed to decide which issues to prioritize so they can act quickly.

The problem is compounded by the volume of security alerts that bombard retail IT departments daily. The survey shows retail organizations receive more than 1,700 alerts to potential application security vulnerabilities each month.

Many of these alerts are low risk. However, retail teams don’t have the necessary context to differentiate between a minor flaw and a severe risk, which makes it impossible to know where to focus their efforts.

Change the culture, change the results

The drive for faster transformation across all areas of retail and ecommerce is also leading organizations to adopt more agile practices and cultures, such as DevSecOps.

These modern approaches are critical to providing development, operations, and security teams with the context they need to identify vulnerabilities, as well as how applications are connected. However, only 31% of retail organizations currently have a mature DevSecOps culture.

“Organizations across the retail sector must embrace a more effective approach to vulnerability management,” Shah says. “In the cloud-native world, it’s crucial to treat vulnerability management as a shared responsibility between developers, operations, and security teams. This is best enabled by converging observability with security at runtime, so teams have a single source of truth providing the answers they need.

“If this approach is enhanced with modern AI and automation capabilities,” Shah says, “retail DevSecOps teams will be better equipped to quickly identify vulnerabilities, block attacks in real time, and remediate security flaws before they can be used to compromise mission-critical ecommerce applications or supply chain operations.”

For more information, download “The 2022 CISO Research Report: Retail.”