Fashion retailer Forever 21 joined a very trendy, yet unexclusive club earlier this month when it announced its point-of-sale systems may have been breached, exposing the credit-card information of its customers. It may also have joined an equally unexclusive group of members within that club – those with breaches caused by application security issues, which companies could have found with automated code review.
As reported to Forever 21 by a third-party monitor, the breach reportedly took place between March and early November of this year. Ironically, the third-party monitor indicated that hackers accessed Forever 21’s databases through its point-of-sale systems in locations where the encryption and tokenization applications implemented in 2015 to prevent data loss were not operating properly.
One thing most security breaches have in common is that they are the result of some application quality defect that serves as a point of vulnerability. Eliminating that vulnerability should, therefore, thwart any attack that slips through the “human” layer of defense.
Nevertheless, retailers are leaving themselves very vulnerable in the rush to compete with Amazon on a customer engagement level. The most recent CAST Report on Application Software Health (CRASH) found that .NET applications developed using waterfall methods had higher average densities of security flaws, while Java applications released to production more than six times per year had higher densities of security flaws.
The report also found that while retailers had a lower average density of security flaws for Java applications than some other industries (about three per 1,000 lines of code), their average density of security flaws in .NET applications was among the highest (about 7.5 per 1,000 lines of code). Either way, that’s still a substantial risk!
If a back-end application has a half million lines of code, even using the lower of the two average densities there still are (on average) 1,500 security flaws…
1,500 vulnerabilities for hackers to exploit…
Death by 1,500 cyber papercuts!
Therefore, as retailers implement new applications to enhance customer engagement, they also may be putting those consumers at a greater risk of breach or credit card theft.
To prevent this, it is critical to perform automated code review during the implementation process to determine if any defects arise. Waiting until after implementation is too late because the defects most likely to cause security breaches are difficult to detect through standard testing. Performing automated code review as you implement applications will detect issues with application structural quality, allow you to address them before completing implementation, and prevent your company from being “forever” vulnerable.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and an analysis of the liability implications of open source components – all three of which are critical for M&A due diligence.