Retail technologists need a new approach to overcome growing application security challenges

In the latest research from Cisco AppDynamics, The shift to a security approach for the full application stack, 82% of technologists in the retail industry express concern that their organization is vulnerable to a multi-staged security attack that would affect the full application stack in the next 12 months.

Arguably more than any other sector, the speed of digital transformation within retail over the last three years has been phenomenal. Technologists have leant on low-code and no-code platforms to dramatically accelerate release velocity and build more dynamic applications.

But, perhaps unsurprisingly, security has largely failed to keep pace. As many as 92% of retail technologists admit that the rush to rapidly innovate and respond to the changing needs of customers and users during the pandemic has come at the expense of robust application security during software development.

The potential consequences of this situation are severe; any compromise in application security can result in slow run times and outages which dent digital experience, erode customer trust and brand reputation and, ultimately, reduce revenue.

Encouragingly, the research highlights how IT teams are looking to evolve their approaches to application security in order to get to grips with a complex risk landscape and support the shift to modern application stacks. Retail technologists are looking to implement a security approach for the full application stack, moving to a DevSecOps model where application security is integrated throughout the software development lifecycle, and embracing artificial intelligence (AI) and automation to cope with soaring volumes of security threats.

In order to expedite this shift, technologists must urgently address these six key application security challenges:

1. Lack of visibility into attack surfaces and vulnerabilities

73% of technologists in the retail industry report that their current security solutions work well in silos but not together, a higher figure than any other sector. This means that IT teams are unable to get a comprehensive view of their organization’s security posture.

To address this problem, IT teams need to implement tools which are capable of integrating performance and security monitoring, so that they can understand how vulnerabilities and incidents can affect end users (both customers and employees) and the business itself. Technologists need to be able to understand the code, and everything around it, with continuous detection and prioritization, so that they can detect and block exploits automatically, maximizing speed and uptime while minimizing risk.

2. Inability to prioritize threats based on severity, impact and business context

Anybody that has worked in an IT department in recent years will know the extent to which technologists are now being constantly bombarded by an overwhelming volume of security alerts from across the application stack. Sadly, most of them don’t have any way to cut through this data noise to understand which alerts pose the biggest risk to customers and the business. Tellingly, 59% of retail technologists admit that they are operating in ‘security limbo’ because they don’t know what to focus on and prioritize.

In response, business transaction insights are critical to enable technologists to measure the importance of – and to prioritize – threats based on severity scoring. These scores factor in the context of the threat, meaning technologists can see which issues are likely to affect a business critical area of the environment or application.

3. Loss of control of sensitive customer data

IT teams are increasingly reporting that they are losing control of where data sits within their application portfolios, with application components running across multi-cloud environments and on- premise databases.

This creates visibility gaps and increases the risk of a major security event, given the volumes of customer data which exist within many of these applications.

IT teams need runtime application self-protection (RASP) which provides visibility from inside apps so they can be secured wherever they reside and however they are deployed. Validating data requests directly inside the app helps to prevent vulnerabilities from being exploited and provides threat intelligence that identifies attacks down to the code level. Developers can have targeted insight into their application environments that allow them to respond to threats at scale – whether that’s in containers, on-premises, or in the cloud.

4. Challenges keeping pace with a rapidly changing application security landscape

82% of retail technologists admit that they find it difficult to keep up with emerging threats. Attack surfaces are growing exponentially due to rapid deployment of Internet of Things (IoT) and connected devices and adoption of microservice-based application architectures.

This is why it’s so important for retailers to partner with vendors who can provide real-time data and insights into new security threats within the industry. IT teams should be working with trusted partners to map these emerging threats against their own organization’s security posture to get back on the front foot.

5. Lack of integration between application development and security

Within IT departments in all industries, security is still too often perceived as an inhibitor of innovation and, as a result, security teams are often cut out of the application development process until the very end, for fear that it will slow down release velocity.

Traditionally, DevOps and SecOps teams have operated in silos, often with little understanding or appreciation of one another’s role. Indeed, the research shows that ongoing collaboration between developers and security professionals takes place in only around a fifth of IT departments.

This is why a DevSecOps approach is now so important. This is where application security and compliance testing are integrated throughout the software development lifecycle, rather than being an afterthought at the end of the development pipeline. It makes security a shared responsibility across all teams and encourages developers to prioritize security issues at every stage of the application lifecycle.

DevSecOps involves significant cultural change – technologists need to leave behind narrow mindsets and embrace a more open and collaborative way of working, as well as developing new skills and knowledge outside of their own specific discipline.

It’s not always an easy transition but the benefits are genuinely game changing for everyone in the IT department, easing workloads, removing stress and freeing up time to focus on strategic priorities.

6. Soaring volumes of security threats and alerts

More than half of technologists admit that they feel overwhelmed by the sheer number of security threats and vulnerabilities that their organization is dealing with. IT teams simply haven’t got enough time to identify and properly analyze the number of threats they now face.

The only way around this problem is for retailers to integrate AI and Machine Learning (ML) into their application security strategies – to identify gaps, predict vulnerabilities and automate processes to remediate any security holes. Security teams know that they can’t afford to fall behind, as bad actors ramp up their use of AI and ML. In fact, 80% of retail technologists believe that AI will play an increasingly important role in addressing the challenges around speed, scale and skills that their organization faces in application security.

Technologists now need to develop plans to tackle these six challenges over the next 12 months, ensuring they have the right tools, insights and structures to adopt a security approach for the full application stack.

It’s time for retailers to shift their thinking. They have to recognize security as a critical part of the application lifecycle, from the very outset, and the foundation for accelerated and sustainable innovation in the years ahead.