
Firms Spend Big Money on Flaws They Could Fix in Development

Companies are spending millions on bug bounty programs whose goal is to identify vulnerabilities, but it might be more efficient to take a proactive approach and focus on identifying flaws in the development phase.

A survey commissioned by application security company Veracode shows that of 500 U.S. decision makers working in cybersecurity, 83 percent admitted to releasing code before testing it for security holes and bugs. Despite this, a vast majority of them are confident that their software is secure.

Of the companies surveyed for the Veracode study, 36 percent run bug bounty programs, including 53 percent of firms that spend a quarter of their IT budget on application security. However, more than three-quarters of respondents admitted that their organization relies too heavily on bug bounty programs, and a vast majority of them believe they could have prevented many of the flaws found through these initiatives during the development phase if they had better developer training and testing.

“Companies must understand that bug bounty programs, although helpful, should not be used as a replacement for a strong application security culture and program. Companies must instead embrace a best-of-both worlds proactive approach to efficiently and comprehensively identify and eliminate security threats,” Veracode said.

Nearly half of the cybersecurity decision makers surveyed for this study said their companies had spent at least $1 million on bug bounty programs. However, 59 percent of them believe it’s more expensive to fix flaws found via bug bounty programs than it is to patch them during development.

The solution, according to Veracode, is to launch bug bounty programs only after proper automated security testing is in place in the development cycle. This will save a company from spending money on common mistakes that could have been easily prevented through secure development.

Bug bounty programs are increasingly popular

An increasing number of major companies have turned to bug bounty programs to help them identify vulnerabilities in their systems and products. The list includes Apple, Panasonic Avionics, Fiat Chrysler and Yelp.

A report published by Bugcrowd shows that a large number of researchers have signed up for these types of programs in recent years. The Bugcrowd community has more than 38,000 members from 112 countries, the top two being the United States (29%) and India (28%).

While many of these hackers are students or have other jobs, 15 percent say they are full-time bug bounty hunters. Nearly 60 percent of them are aged 18-29, while 34 percent are between 30 and 44.

A large majority claim to have intermediate or advanced knowledge of web application testing. There are also many who specialize in web services, code review, Android, network infrastructure and Linux.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
