Is Bug Testing Out of Control?
Application security is increasingly under the microscope. As perimeters dissolve and conventional cyber-security boundaries disintegrate, there's a growing focus on code quality and on detecting vulnerabilities before they result in breaches and breakdowns. Despite this awareness, the news isn't good.

A recent study from application security firm Veracode, "Bug Bounty Programs Are Not a Quick Fix," illuminates a common but dangerous practice: releasing software and applications before testing them for bugs or resolving known security issues. While a majority of IT decision-makers believe their software and applications are secure, nearly half have sunk more than a million dollars into bug bounty programs to catch vulnerabilities, the study found. What's more, bounty programs are growing in popularity, even though they may not be the most efficient or least expensive way to address the problem.

"While bug bounty programs catch flaws … this reactive approach will not solve the bigger issue at stake, which is helping eliminate security-related defects before the software is put into use," said Chris Wysopal, co-founder and CTO at Veracode.

Wakefield Research surveyed more than 500 U.S.-based IT executives for this study. Here are some of the highlights.