Despite software security researchers touting the value of testing early and often, too much software is slipping through the cracks, they say. In one cybersecurity study, released by Veracode, 83% of IT decision-makers admitted to releasing code before testing it or resolving issues.
“Security needs to be part of the entire software life cycle from cradle to grave,” said Chris Wysopal, cofounder and CTO of Veracode. However, businesses don’t often have compliance requirements in place, which makes security testing seem optional, Wysopal explained. “Unless the development-management team is knowledgeable about application security and the risks vulnerabilities pose to their business and customers, they won’t take the time and effort to test and remediate,” he said.
Instead, companies and organizations have relied on bug bounty programs to keep their software and applications secure. But bug bounty programs are expensive and offer only a quick fix to the problem. The report revealed that one in three respondents use bug bounty programs, and 44% spend more than a million dollars on these programs. In addition, 77% revealed they rely too heavily on these programs, and 93% believed most of the flaws discovered through bug bounty programs could have been prevented with testing.
“The best way to get software vendors to perform security testing is for their customers to demand it,” said Wysopal. “Vulnerability researchers finding a security bug and reporting it to the vendor to fix can raise some awareness, but companies ultimately listen to their customers. Enough delayed or lost sales due to non-existent or opaque evidence of security gets businesses to change.”
According to Wysopal, bug bounty programs find bugs when the application is in use, meaning users could have been exposed to the vulnerability for months or years. In order to prevent these bugs from impacting users, security needs to be in place before software is released.
“Developers need training, threat modeling needs to be part of the design process, security testing and remediation needs to be part of the development process, monitoring and response has to be part of operating the software,” said Wysopal.
Other key findings of the report included: 81% have an application security program in place to guard against external threats; 79% believe having a successful security program in place is cheaper than bug bounty programs; and 59% believe it is more expensive to fix bugs found through bug bounty programs.
The full report is available here.