Cybersecurity Professionals Admit to Releasing Software Code Before Security Testing for Bugs

BURLINGTON, MA--(Marketwired - Sep 29, 2016) - Veracode, a leader in securing the world's software, today released results from a survey of 500 IT decision makers working in cybersecurity, revealing that 83-percent of respondents have released code before testing or resolving security issues for bugs. Additional findings show that while the majority believe their organization's software and applications are secure, nearly half (44-percent) have still spent more than a million dollars on bug bounty programs to catch vulnerabilities.

Proactive, automated vulnerability detection and remediation is now more important than ever. Further proven in that today's threat landscape web application attacks continue to be the number one source of data breaches, end-user organizations are on the hunt to alleviate these potentially catastrophic challenges. Veracode's survey shows that 1 in 3 (36-percent) have turned to bug bounty programs (the recruiting of individuals to catch application security issues in software in exchange for a reward of some kind). Growing in popularity, these types of programs have even caught the eye of notable technology giants such as Apple, Google and Yelp, all of whom have jumped on the widely-publicized bandwagon, and announced their own programs.

Bug Bounty Programs: A Quick-Fix Solution?
Although bug bounty programs can be effective, relying on a reactive approach to vulnerability detection is simply not enough. Since bug bounty programs focus on applications in use, they merely expose risks that the users of that application have been exposed to for months or even years. Veracode's survey data shows that 77-percent of professionals admit to relying too heavily on programs intended to catch mistakes in code that should have been proactively identified. Furthermore, 93-percent believe most flaws uncovered in a bug bounty program could have been prevented by developer training or testing in the development phase. As such, organizations need a strategic, more cost-effective approach, balancing between proactive and reactive measures to effectively combat the changing threat landscape, an approach that begins at the application layer.

"In today's technology environment, application security testing for vulnerabilities and flaws in software code should be a security best practice, regardless of an organization's size or industry," said Chris Wysopal, co-founder and CTO, Veracode. "While bug bounty programs catch flaws that inadvertently slipped through the software layer cracks, this reactive approach will not solve the bigger issue at stake which is helping eliminate security-related defects before the software is put into use. Our survey data is a signal to the security and researcher community that businesses need help in their software security strategy; it's our responsibility as experts to assist in better securing software before it's too late."

Patching the Problem
In short, cyber-attacks at the application layer are all too common and organizations cannot rely on a singular security solution. Thankfully, many organizations are taking the right steps to better achieve a steady balance between proactive and reactive security strategies to remediate vulnerabilities. Although respondents still find value in a bug bounty program, larger groups find value in a layered application security approach:

• 81-percent of respondents have implemented an application security program to find and fix vulnerabilities in their software and protect applications from external threats
• More than 3 in 4 (79-percent) of those surveyed feel that effectively deployed application security programs result in spending less on costly bug bounty programs
• 59-percent find that it's more expensive to fix code flaws found in bug bounty programs versus securing code during the development cycle

Additional insights and survey data can be found here.

Methodology
The Veracode Bug Bounty Survey was conducted by Wakefield Research among 500 U.S. IT decision makers working in cybersecurity, between August 23rd and August 31st, 2016, using an email invitation and an online survey. Results of any sample are subject to sampling variation. The magnitude of the variation is measurable and is affected by the number of interviews and the level of the percentages expressing the results. For the interviews conducted in this particular study, the chances are 95 in 100 that a survey result does not vary, plus or minus, by more than 4.4 percentage points from the result that would be obtained if interviews had been conducted with all persons in the universe represented by the sample.

About Veracode
Veracode is a leader in helping organizations secure the software that powers their world. Veracode's SaaS platform and integrated solutions help security teams and software developers find and fix security-related defects at all points in the software development lifecycle, before they can be exploited by hackers. Our complete set of offerings help customers reduce the risk of data breaches, increase the speed of secure software delivery, meet compliance requirements, and cost effectively secure their software assets -- whether that's software they make, buy or sell.

Veracode serves over a thousand customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes' 100 Most Valuable Brands. Learn more at www.veracode.com, on the Veracode blog and on Twitter.

Copyright © 2006-2016 Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.