Measuring the Successes and Shortcomings of Software Security in Retail


As an industry, retail’s reputation for providing software security has taken some hits. The top 15 data breaches of the current century include Target in 2013, with account information on an estimated 110 million customers compromised; TJX in 2006, with 94 million credit cards exposed; and Home Depot in September 2014, with about 56 million customer credit/debit cards compromised.

SecurityScorecard’s 2018 Retail Cyber Security Report concluded that “although hackers have become increasingly clever with stealing credit card data, the retail industry is no better prepared to deal with the threat.”

Of 18 industries analyzed, retail was “the second lowest performer in terms of application security, indicating a decrease from 2017’s Retail Report where they were the fourth lowest performer,” the report said.

But looking at the industry through another lens, there’s hard evidence that at least a portion of it is taking security seriously. Measuring its collective proficiency across a long list of software security activities, it outpaces several other industries, including healthcare.

Retail is the newest vertical to be studied in an annual industry report called the Building Security In Maturity Model (BSIMM). Launched in 2008, the BSIMM is a self-described measuring stick for software security. It is not a “how to” guide. Rather, it’s a “what’s happening now” guide that allows businesses to review the software security initiatives (SSIs) of others in their industry, and to see what is working, or perhaps not working.

The latest report, BSIMM9, tracked the SSIs of 120 firms in eight industries, covering 116 activities they can implement to improve their software security. And it is not only participants who can compare their own SSIs with their peer companies. Anyone can. The data collected and organized are available for free to any business under the Creative Commons Attribution-Share Alike license.

What insights can retailers take from the report? For one, participating firms demonstrated significant progress in software security. A comparison of retail versus “Earth” (the average of all BSIMM9 participants) showed retail performing above average in several security practices, below average in only two, and close to average in the rest.

Also, the software security group (SSG) – the internal group responsible for SSIs – of participating companies in the retail vertical tended to be small (averaging around 8 full-time people) and relatively new (average age: only 3.2 years).

Of the practices where retailers rank ahead of the Earth average, one is Architecture Analysis, which is focused in large part on design review of applications – especially high-risk applications. One of the core activities is to have experts – software architects – lead the design review effort.

Another is Software Environment, which includes application input monitoring, the use of application containers, and ensuring cloud security. And a third is Configuration Management & Vulnerability Management practices, which include tracking and fixing software bugs and having a rigorous incident response plan in place.

The two practices where the retail industry came in below average were Compliance & Policy and Security Testing. The first is extremely important because it involves securing the personally identifiable information (PII) of customers and demanding security from third-party vendors or partners. As recent history has shown, breaches that expose PII can lead not only to devastating legal and financial costs but also to a loss of customer trust. And Security Testing is just what it says – it focuses on testing software for vulnerabilities throughout the entire development and quality assurance process of applications.

Other practices, where retail tracked close to the average, included Training, Code Review, Security Testing, Strategy & Metrics, Security Features & Design, Attack Models, Standards & Requirements, and Penetration Testing.

Retail’s overall superior performance compared to some other verticals (particularly Healthcare) is likely the result of two factors. First, it’s had the benefit of being able to use the BSIMM as a guiding “map” in the software security space. As a late adopter, retail benefits from all of the lessons that the early adopters learned the hard way. Figuratively speaking, retail may have been able to accelerate quickly because it looked at the BSIMM map and decided to take the interstate in the right direction instead of a bunch of back roads in the wrong direction.

The second, more painful, reason could be described as “getting security religion the hard way.” Sadly, catastrophic data breaches, in which hackers exploit vulnerabilities in IT systems, are part of recent history in retail. Happily, two of those victims – Target and Home Depot – after some soul searching, realized they needed to clean up their act in a hurry and do better than simply check a compliance box. Both have joined the BSIMM Community, where they are working to improve their security posture and build security in.

As is the case in any data-driven project, a more accurate, detailed picture of the retail sector will emerge as the number of retail firms in the study grows. BSIMM9 includes 50 financial services firms and 42 independent software vendors (ISVs).

Retail is likely to grow just as big.

Taylor Armerding is Senior Security Strategist at Synopsys