Firms Spend Big Money on Flaws They Could Fix in Development

Companies are spending millions on bug bounty programs whose goal is to identify vulnerabilities, but it might be more efficient to take a proactive approach and focus on identifying flaws in the development phase.

A survey commissioned by application security company Veracode shows that of 500 U.S. decision makers working in cybersecurity, 83 percent admitted releasing code before testing it for security holes and bugs. Yet a vast majority of them are confident that their software is secure.

Of the companies surveyed for the Veracode study, 36 percent run bug bounty programs, including 53 percent of the firms that spend a quarter of their IT budget on application security. However, more than three-quarters of respondents admitted that their organization relies too heavily on bug bounty programs, and a vast majority believe that, with better developer training and testing, many of the flaws found through these initiatives could have been prevented during the development phase.

“Companies must understand that bug bounty programs, although helpful, should not be used as a replacement for a strong application security culture and program. Companies must instead embrace a best-of-both-worlds proactive approach to efficiently and comprehensively identify and eliminate security threats,” Veracode said.

Nearly half of the cybersecurity decision makers surveyed for this study said their companies had spent at least $1 million on bug bounty programs. However, 59 percent of them believe it’s more expensive to fix flaws found via bug bounty programs than it is to patch them during development.

The solution, according to Veracode, is to launch bug bounty programs only after proper automated security testing is in place in the development cycle. This spares a company from paying bounties for common mistakes that secure development practices would have prevented.

Bug bounty programs are increasingly popular

An increasing number of major companies have turned to bug bounty programs to help them identify vulnerabilities in their systems and products. The list includes Apple, Panasonic Avionics, Fiat Chrysler and Yelp.

A report published by Bugcrowd shows that a large number of researchers have signed up for these types of programs over the past years. The Bugcrowd community has more than 38,000 members from 112 countries, the top two being the United States (29%) and India (28%).

While many of these hackers are students or have other jobs, 15 percent say they are full-time bug bounty hunters. Nearly 60 percent of them are aged 18-29, while 34 percent are between 30 and 44.

A large majority claim to have intermediate or advanced knowledge of web application testing. There are also many who specialize in web services, code review, Android, network infrastructure and Linux.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
