Don’t Be ‘Forever’ Vulnerable: Improve Your AppSec Posture


Fashion retailer Forever 21 joined a very trendy, yet unexclusive club earlier this month when it announced that its point-of-sale systems may have been breached, exposing the credit-card information of its customers. It may also have joined an equally unexclusive group within that club: companies whose breaches trace back to application security issues that automated code review could have found.

According to the third-party monitor that alerted Forever 21, the breach took place between March and early November of this year. The monitor indicated that attackers reached Forever 21’s databases through point-of-sale systems at locations where the encryption and tokenization applications deployed in 2015 to prevent data loss were not operating properly. In other words, the right controls existed but were not running where it mattered, and that went unnoticed for months.
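The failure described above is not a missing control but an installed control that silently stopped running, and that condition is detectable. The example below is added here and is not Forever 21’s or CAST’s code: it scans stored transaction records for Luhn-valid card numbers, so any hit means tokenization or encryption did not happen on the write path. The record format and the sample rows are constructed for the example; the card numbers are the industry-standard 4111… and 5555… test numbers, not real accounts.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample records standing in for rows written by a point-of-sale
# back end. Only txn-1002 and txn-1004 carry a raw card number; the others are
# tokenized, encrypted, or merely contain long digit strings.
SAMPLE_RECORDS = [
    ("txn-1001", "card=tok_8f3a9c1e2b amount=59.99"),
    ("txn-1002", "card=4111 1111 1111 1111 amount=129.00"),
    ("txn-1003", "card=4111111111111112 amount=10.00"),      # fails Luhn
    ("txn-1004", "card=5555-5555-5555-4444 amount=42.50"),
    ("txn-1005", "card=ENC:ZmFrZWNpcGhlcnRleHQ= amount=7.25"),
    ("txn-1006", "order=1234567890123 amount=5.00"),         # 13 digits, fails Luhn
]

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# that is not embedded in a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_plaintext_pans(record_id: str, text: str) -> List[Tuple[str, str]]:
    """Return (record_id, masked PAN) for every Luhn-valid card number in text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append((record_id, mask_pan(digits)))
    return hits


def scan_records(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Scan stored records; a non-empty result means tokenization is not running."""
    hits = []
    for record_id, text in records:
        hits.extend(find_plaintext_pans(record_id, text))
    return hits


if __name__ == "__main__":
    for record_id, masked in scan_records(SAMPLE_RECORDS):
        print(f"plaintext PAN in {record_id}: {masked}")
```

Luhn rejects roughly nine in ten random digit runs but not all of them, so a production version adds issuer BIN ranges and field context to cut false positives. Run it against logs, dumps and backups as well as the primary table, because those are the copies that leak, and never report more than the masked value.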

Most security breaches have one thing in common: somewhere in the chain is an application quality defect that serves as the point of vulnerability. Eliminate that defect and an attack that slips past the “human” layer of defense (a phished credential, for example) has nothing left to exploit.

Yet retailers are leaving themselves exposed in the rush to match Amazon on customer engagement. The most recent CAST Report on Application Software Health (CRASH) found that .NET applications developed with waterfall methods had higher average densities of security flaws, and that Java applications released to production more than six times per year likewise had higher densities of security flaws.

The report also found that while retailers had a lower average density of security flaws in Java applications than some other industries (about three per 1,000 lines of code), their average density in .NET applications was among the highest (about 7.5 per 1,000 lines of code). Either way, that is a substantial risk.

If a back-end application has half a million lines of code, then even at the lower of those two averages it contains, on average, 1,500 security flaws…

1,500 vulnerabilities for hackers to exploit…

Death by 1,500 cyber papercuts!

Therefore, as retailers implement new applications to enhance customer engagement, they also may be putting those consumers at a greater risk of breach or credit card theft.

To prevent this, it is critical to perform automated code review during implementation so that defects are found as they are introduced. Waiting until after implementation is too late: the defects most likely to cause breaches are structural, spanning components and layers, and are hard to surface through standard functional testing. Performing automated code review as you implement detects these structural-quality issues, lets you fix them before implementation is complete, and keeps your company from being “forever” vulnerable.
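As an added illustration of running automated code review as a gate inside the build rather than as an afterthought (example code, not CAST’s product or the article’s own material): the script below parses analyzer output in the SARIF 2.1.0 format that most SAST tools can emit, deduplicates findings, computes the density per 1,000 lines of code in which the CRASH figures above are expressed, and fails the build when density exceeds a threshold or any error-level finding is present. The tool name, rule ids, file paths, line numbers and the 2,000-line code size are constructed; the threshold of 3 per KLOC is the lower CRASH average quoted above.

```python
import json
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List


def _result(rule_id: str, level: str, uri: str, line: int) -> dict:
    """Build one SARIF result object (helper for the constructed sample)."""
    return {
        "ruleId": rule_id,
        "level": level,
        "message": {"text": f"{rule_id} at {uri}:{line}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
    }


# Constructed SARIF 2.1.0 document standing in for a real analyzer run; the
# final entry duplicates the first to show that re-reported findings are merged.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            _result("sql-injection", "error", "src/Checkout/Orders.cs", 42),
            _result("hardcoded-credential", "error", "src/Payments/Gateway.cs", 17),
            _result("weak-random", "warning", "src/Loyalty/Coupon.cs", 88),
            _result("missing-input-validation", "warning", "src/Checkout/Orders.cs", 120),
            _result("sql-injection", "error", "src/Checkout/Orders.cs", 42),
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int


@dataclass
class GateResult:
    findings: int
    density_per_kloc: float
    blocking: List[Finding]
    passed: bool


def parse_sarif(text: str) -> List[Finding]:
    """Flatten every run's results into unique Finding records."""
    doc = json.loads(text)
    seen = set()
    findings: List[Finding] = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            finding = Finding(
                rule_id=res["ruleId"],
                level=res.get("level", "warning"),  # SARIF default when absent
                uri=loc["artifactLocation"]["uri"],
                line=loc["region"]["startLine"],
            )
            if finding not in seen:
                seen.add(finding)
                findings.append(finding)
    return findings


def by_file(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per source file, useful for pointing reviewers at hot spots."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.uri] = counts.get(f.uri, 0) + 1
    return counts


def evaluate_gate(findings: List[Finding], loc: int,
                  max_density_per_kloc: float = 3.0,
                  blocking_levels=("error",)) -> GateResult:
    """Pass only if density is under the threshold and no blocking-level finding exists."""
    if loc <= 0:
        raise ValueError("lines of code must be positive")
    density = len(findings) * 1000 / loc
    blocking = [f for f in findings if f.level in blocking_levels]
    passed = density <= max_density_per_kloc and not blocking
    return GateResult(len(findings), density, blocking, passed)


if __name__ == "__main__":
    result = evaluate_gate(parse_sarif(SAMPLE_SARIF), loc=2000)
    print(f"{result.findings} findings, {result.density_per_kloc:.2f} per KLOC, "
          f"{len(result.blocking)} blocking -> {'PASS' if result.passed else 'FAIL'}")
    sys.exit(0 if result.passed else 1)   # a non-zero exit fails the CI job
```

With the sample input the gate fails even though 2.0 per KLOC is under the threshold, because two error-level findings remain; density caps the background noise, while the blocking rule makes sure a single injection flaw never ships on the strength of a good average.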

Jonathan Bloom Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.