Security Experts: Firms Spend Big Money on Flaws They Could Fix in Development

Companies are spending millions on bug bounty programs whose goal is to identify vulnerabilities, but it might be more efficient to take a proactive approach and focus on identifying flaws in the development phase.

A survey commissioned by application security company Veracode shows that of 500 U.S. decision makers working in cybersecurity, 83 percent have admitted releasing code before testing it for security holes and bugs. In contrast, a vast majority of them are confident that their software is secure.

Of the companies surveyed for the Veracode study, 36 percent run bug bounty programs, including 53 percent of firms that spend a quarter of their IT budget on application security. However, more than three-quarters of respondents admitted that their organization relies too heavily on bug bounty programs, and a vast majority of them believe they could have prevented many of the flaws found through these initiatives during the development phase if they had better developer training and testing.

“Companies must understand that bug bounty programs, although helpful, should not be used as a replacement for a strong application security culture and program. Companies must instead embrace a best-of-both worlds proactive approach to efficiently and comprehensively identify and eliminate security threats,” Veracode said.

Nearly half of the cybersecurity decision makers surveyed for this study said their companies had spent at least $1 million on bug bounty programs. However, 59 percent of them believe it’s more expensive to fix flaws found via bug bounty programs than it is to patch them during development.

The solution, according to Veracode, is to launch bug bounty programs only after proper automated security testing is in place in the development cycle. This will save a company from spending money on common mistakes that could have been easily prevented through secure development.

Bug bounty programs are increasingly popular

An increasing number of major companies have turned to bug bounty programs to help them identify vulnerabilities in their systems and products. The list includes Apple, Panasonic Avionics, Fiat Chrysler and Yelp.

A report published by Bugcrowd shows that a large number of researchers have signed up for these types of programs over the past years. The Bugcrowd community has more than 38,000 members from 112 countries, the top two being the United States (29%) and India (28%).

While many of these hackers are students or have other jobs, 15 percent say they are full-time bug bounty hunters. Nearly 60 percent of them are aged 18-29, while 34 percent are between 30 and 44.

A large majority claim to have intermediate or advanced knowledge of web application testing. There are also many who specialize in web services, code review, Android, network infrastructure and Linux.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.