83% of Companies Have Released Applications They Know Are Unsafe

Solarquest
Moderator, Thread author
Jul 22, 2014
Bug bounties have been on the rise and are widely regarded as a smart way to scale the testing of your security code. But a new survey shows that businesses may be over-reliant on them.

The survey, from Veracode and Wakefield, found that businesses are disincentivized to invest in secure coding internally. A full 59% believe it’s more expensive to fix code flaws found in bug bounty programs than to secure code during development. No wonder that 83% of respondents said that they have released code before testing or resolving security issues for bugs.

The result is that although the majority of respondents feel as though their software and applications are secure, many lack the proactive, layered security programs necessary to combat today’s vulnerabilities, the report concluded.

In fact, the evidence points to insecurities: About half (44%) have spent more than a million dollars on bug bounty programs to catch vulnerabilities—even though 79% agree that an effective application security program results in spending less on bounties.

The survey shows that one in three (36%) have turned to bug-bounty programs.

“These types of programs have even caught the eye of notable technology giants such as Apple, Google and Yelp, all of whom have jumped on the widely-publicized bandwagon, and announced their own programs,” the report noted. “Proactive, automated vulnerability detection and remediation is now more important than ever. Further proven in that, in today’s threat landscape, web application attacks continue to be the number one source of data breaches, end-user organizations are on the hunt to alleviate these potentially catastrophic challenges.”

But, although bug bounty programs can be effective, relying on a reactive approach to vulnerability detection is simply not enough. Since bug bounty programs focus on applications in use, they merely expose risks that the users of that application have been exposed to for months or even years, the report pointed out.

And indeed, Veracode’s survey data shows that 77% of professionals admit to relying too heavily on programs intended to catch mistakes in code that should have been proactively identified. Furthermore, 93% believe most flaws uncovered in a bug bounty program could have been prevented by developer training or testing in the development phase.

“In today’s technology environment, application security testing for vulnerabilities and flaws in software code should be a security best practice, regardless of an organization’s size or industry,” said Chris Wysopal, co-founder and CTO, Veracode. “While bug bounty programs catch flaws that inadvertently slipped through the software layer cracks, this reactive approach will not solve the bigger issue at stake which is helping eliminate security-related defects before the software is put into use. Our survey data is a signal to the security and researcher community that businesses need help in their software security strategy; it’s our responsibility as experts to assist in better securing software before it’s too late.”

CMLew
Level 23
Oct 30, 2015
In my opinion most companies only focus on one thing: market share.
To increase that, heavy mass promotion will be held, which then pushes the application to release as fast as possible.

Which of course could be the reason for this.

exCode
Level 3
Sep 19, 2016
I think it depends on what the companies are. I could make 100 companies that all release the same buggy program, and I could say 100% of companies release unsafe programs. If it was a big player like Google, I could see that being pretty bad.