

The retail industry has been quick to embrace new technologies for customer engagement – especially during the pandemic, when the shift from brick-and-mortar to online retail became critical. However, there remains a gap on the security side. Retailers have expanded their application portfolios rapidly, but many of their security processes are still tied to older technologies that weren’t designed to keep pace with modern application development.
This is where Application Security Posture Management (ASPM) becomes essential. ASPM is a purpose-built framework that unifies risk visibility, vulnerability triage and remediation across the entire software development lifecycle, addressing security risks in an increasingly complex software supply chain.
Think of ASPM as an air traffic control system for software security. Just as air traffic control oversees the safe flow of airplanes in the sky, ASPM ensures the secure flow of data, transactions and system processes in a rapidly changing and increasingly interconnected application ecosystem. To fully realize the benefits that ASPM can deliver, retail security and development teams must confront the underlying complexity of their application environments.
Untangling Application Complexity
Retailers have long been hesitant to fully embrace new technologies in some parts of their operations, particularly in security, due to razor-thin profit margins and the drive to maximize value from existing technology investments. While the business side has rapidly adopted digital tools to engage consumers, the security side has often been locked into older technology. As a result, many retailers have layered new tools and applications on top of legacy systems, creating the equivalent of a “giant rubber ball” of intertwined technology components.
With so many legacy applications in place that need to talk to a new generation of cloud-based applications, even a small change to one application can have an unpredictable ripple effect across an entire operating environment. As a result, retail IT leaders tend to be highly deliberate and cautious in their change management processes. Given the vast range of applications involved – sometimes spanning thousands across various functions such as HR, finance, supply chain and ecommerce – every software update needs to be well-calculated to avoid disrupting critical operations.
Consider the case of one of the world’s largest retailers, for which our firm recently completed a proof of concept. Although this retailer is one of the most sophisticated users of technology in its sector, many of the processes it relied on to maintain application integrity were rooted in outdated manual workflows. This was particularly evident in the Solution Security Plan (SSP) process, a comprehensive documentation exercise that details the security measures and controls for each application.
While the SSP is vital for ensuring security, maintaining it is highly time-consuming and relies largely on manual input from developers. This retailer’s SSP typically consists of over 300 questions that developers must answer, a process that can take up to five hours per application. Given that large retailers maintain thousands of applications, the time and cost of completing these questionnaires are considerable.
Or consider the challenge of automated software inventory discovery, which requires establishing and maintaining a continuously updated code repository and software inventory. This process ensures visibility into all source control managers, repositories, developers and application components of both internally built apps and those acquired through M&A activity.
By automating 95% of the work needed to build and maintain this comprehensive inventory, this retailer expects to save tens of millions of dollars annually. This type of automation not only reduces manual effort but also minimizes the risk of oversight, enhancing security and operational efficiency across the entire application landscape.
4 Key Requirements of a Modern ASPM
For retailers with large, interdependent application portfolios, an ASPM solution simplifies security management, improves accuracy and reduces the costs and risks associated with manual processes. To achieve this, a modern risk-based ASPM must deliver four key capabilities:
- Deep Code Analysis (DCA): Deep Code Analysis is vital for mapping a retailer’s specific software architecture in real time. This capability continuously tracks all component changes and provides automatic risk assessments at the earliest stages of the Software Development Life Cycle (SDLC). This eliminates the need for manual attestation by developers and allows organizations to detect risks early and mitigate them before they reach production.
- Graph-Based Inventory: A modern ASPM should provide a graph-based inventory that goes beyond simple lists of components to visually represent the interconnected relationships between different parts of the system, showing how they interact and where risks could propagate. This enables security teams to identify risk pathways and compliance gaps quickly, allowing for more targeted security measures and faster mitigation of potential threats.
- Contextual Risk Awareness: One of the most crucial features of a modern ASPM is its ability to understand and prioritize risks in context. This visibility-first approach ensures that the solution can assess the severity of security alerts based on both the architecture and the specific business risks associated with the retailer’s environment. Moreover, by automating the validation of security controls, security teams can dramatically reduce the manual effort involved in identifying risks while ensuring they are aligned with compliance requirements and business priorities.
- Automatic Identification of Code Owners: In large retail organizations, multiple teams work across different parts of an application. A modern ASPM can automatically identify code owners to ensure that when a security issue arises, the right developer or team is notified immediately. This minimizes delays in patching risks and ensures a faster, more efficient response to security threats.
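As an added illustration of the graph-based inventory and code-owner capabilities described above (example code written for this article, not Apiiro’s product), the following Python walks a constructed dependency graph from a vulnerable library up to every application that consumes it, ranks the hits by business context and attaches the owning team to notify. Component names, owners and tags are hypothetical.

```python
from collections import deque

# Constructed sample inventory (hypothetical component names). Each entry lists
# the components it depends on, the owning team (as an ASPM might import from a
# CODEOWNERS file or commit history) and a business-context tag.
INVENTORY = {
    "checkout-web":  {"deps": ["payments-svc", "ui-kit"], "owners": ["@ecom-web"], "tags": {"payment-data"}},
    "payments-svc":  {"deps": ["json-parser"], "owners": ["@payments"], "tags": {"payment-data"}},
    "hr-portal":     {"deps": ["json-parser", "ui-kit"], "owners": ["@hr-it"], "tags": set()},
    "warehouse-api": {"deps": ["json-parser"], "owners": ["@supply-chain"], "tags": set()},
    "ui-kit":        {"deps": [], "owners": ["@platform"], "tags": set()},
    "json-parser":   {"deps": [], "owners": ["@third-party"], "tags": set()},
}

def used_by_edges(inventory):
    """Invert the dependency graph so a finding in a library can be walked up to its consumers."""
    used_by = {name: [] for name in inventory}
    for name, meta in inventory.items():
        for dep in meta["deps"]:
            used_by.setdefault(dep, []).append(name)
    return used_by

def risk_paths(inventory, vulnerable):
    """Breadth-first walk from the vulnerable component along used-by edges.
    Returns {affected: [vulnerable, ..., affected]}, the propagation path that
    explains why each application is exposed."""
    used_by = used_by_edges(inventory)
    paths = {vulnerable: [vulnerable]}
    queue = deque([vulnerable])
    while queue:
        current = queue.popleft()
        for consumer in used_by.get(current, []):
            if consumer not in paths:  # visited check also stops cycles
                paths[consumer] = paths[current] + [consumer]
                queue.append(consumer)
    return paths

def triage(inventory, vulnerable):
    """Rank affected components by business context and attach the owners to notify.
    Ordering: payment-data components first, then alphabetically."""
    findings = []
    for name, path in risk_paths(inventory, vulnerable).items():
        if name == vulnerable:
            continue
        priority = "high" if "payment-data" in inventory[name]["tags"] else "medium"
        findings.append({"component": name, "priority": priority,
                         "owners": inventory[name]["owners"], "path": " -> ".join(path)})
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["component"]))
```

Calling `triage(INVENTORY, "json-parser")` surfaces the two payment-handling components first, each with its owning team and the path through which the shared library reaches it.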
Software is the lifeblood of the modern retailer, powering everything from ecommerce platforms to supply chain logistics and customer engagement. As reliance on these always-on digital systems grows, so too do the associated security risks. By embracing ASPM and addressing the complexities of their application environments, retailers can dramatically improve their security posture, protect customer data and ensure business continuity in the face of evolving threats.
John Leon is the VP of Partnerships and Business Development at Apiiro, where he is responsible for accelerating partner-driven growth by expanding Apiiro’s go-to-market strategy across the ecosystem of technology, cloud marketplace and consulting partners. Leon has over 18 years of experience in high-growth technology companies and has led business development at GitHub, Twistlock (acquired by Palo Alto Networks), ExtraHop Networks (acquired by private equity) and Puppet.