Developing end-to-end security programme for retail

Retailers must rapidly evolve online applications to meet market demands but at the same time, more shoppers are wary of the privacy threats when shopping online as a breach can be very harmful to a retail company.

Speaking to Retail Asia, Olli Jarva, managing consultant at Synopsys Singapore, explained: "Tangible costs range from stolen funds and damaged systems to regulatory fines, legal damages and financial compensation for injured parties. Even worse, it can damage the relationship and trust that the brand has built with customers and tarnish its reputation."

Moving into the new year, he opined that developing an end-to-end security programme that will reduce unauthorised or suspicious access while still maintaining a smooth process for customers makes good business sense: "Leaders in the retail industry must ensure that they have exceptional defence profiles if they want to hold on to their loyal customers—and attract new ones."

While protecting customer relationships and bottom line is no easy task, it is possible to minimise security risks by building security, understanding adversaries and then designing correct controls and gates in Secure Software Development Lifecycle (S-SDLC). Jarva recommended putting in place a measurable and scalable Software Security initiative that addresses the immediate and long-term needs of retail and e-commerce organisations:

• Application security - when developing applications, ensure quality and security at every step of the development, testing, and procurement life cycle, rather than an afterthought.
• Mobile application security - Assess security of iOS and Android applications and their back-end components to discover malicious or potentially risky actions in your mobile applications, keeping the business and customers secure against attacks.
• Vendor analysis - If your organisation relies heavily on third-party software or allows third-party access to your network, make sure it meets compliance requirements and protects customer data.

“Put third-party applications under the same scrutiny as the applications you develop in-house, so you know the code you receive is secure. When your full supply chain is aligned along the same security protocols and practices, you’ll decrease risk and reduce the time and resources it takes to launch secure software,” Jarva said.

He cited Target as an example of a retailer with an intrusion into its system which can be traced back to network credentials stolen from their third-party vendor -- a refrigeration, heating and air conditioning subcontractor.