Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Majority release code without security testing

Veracode : 30 September, 2016  (Technical Article)
Survey from Veracode reveals the extent to which code is issued without the resolution of security issues or adequate testing
Majority release code without security testing

Veracode has released the results of a survey of 500 IT professionals working in cybersecurity, revealing that 83-percent of respondents have released code before testing or resolving security issues for bugs. Additional findings show that while the majority believe their organisation’s software and applications are secure, nearly half (44-percent) have still spent more than a million dollars on bug bounty programmes to catch vulnerabilities.

Proactive, automated vulnerability detection and remediation is now more important than ever. Further proven in that today’s threat landscape web application attacks continue to be the number one source of data breaches, end-user organisations are on the hunt to alleviate these potentially catastrophic challenges. Veracode’s survey shows that 1 in 3 (36-percent) have turned to bug bounty programmes (the recruiting of individuals to catch application security issues in software in exchange for a reward of some kind). Growing in popularity, these types of programmes have even caught the eye of notable technology giants such as Apple, Google and Yelp, all of whom have jumped on the widely-publicised bandwagon, and announced their own programmes.

Bug Bounty Programmes: A Quick-Fix Solution?

Although bug bounty programmes can be effective, relying on a reactive approach to vulnerability detection is simply not enough. Since bug bounty programmes focus on applications in use, they merely expose risks that the users of that application have been exposed to for months or even years. Veracode’s survey data shows that 77-percent of professionals admit to relying too heavily on programmes intended to catch mistakes in code that should have been proactively identified. Furthermore, 93-percent believe most flaws uncovered in a bug bounty programme could have been prevented by developer training or testing in the development phase. As such, organisations need a strategic, more cost-effective approach, balancing between proactive and reactive measures to effectively combat the changing threat landscape, an approach that begins at the application layer.

“In today’s technology environment, application security testing for vulnerabilities and flaws in software code should be a security best practice, regardless of an organisation’s size or industry,” said Chris Wysopal, co-founder and CTO, Veracode. “While bug bounty programmes catch flaws that inadvertently slipped through the software layer cracks, this reactive approach will not solve the bigger issue at stake which is helping eliminate security-related defects before the software is put into use. Our survey data is a signal to the security and researcher community that businesses need help in their software security strategy; it’s our responsibility as experts to assist in better securing software before it’s too late.”

Patching the Problem

In short, cyber-attacks at the application layer are all too common and organisations cannot rely on a singular security solution. Thankfully, many organisations are taking the right steps to better achieve a steady balance between proactive and reactive security strategies to remediate vulnerabilities. Although respondents still find value in a bug bounty programme, larger groups find value in a layered application security approach:

* 81-percent of respondents have implemented an application security programme to find and fix vulnerabilities in their software and protect applications from external threats
* More than 3 in 4 (79-percent) of those surveyed feel that effectively deployed application security programmes result in spending less on costly bug bounty programmes
* 59-percent find that it’s more expensive to fix code flaws found in bug bounty programmes versus securing code during the development cycle

Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo