Protecting company assets should come first.
According to a survey of 100 chief information security officers (CISOs) by cybersecurity testing company Bugcrowd, enterprises are being overwhelmed by hacking attempts. As a result, Bugcrowd's CISO Investment Blueprint for 2017 report said that 94% of CISOs were concerned about what will happen to public-facing assets in the next 12 months.
Bugcrowd cited a recent report by the non-profit Identity Theft Resource Center, which said that the overall number of data breaches increased by 350% between 2007 and 2015. Hacking was the leading cause of data breach incidents during those years, accounting for 55% of all breaches.
The problem is that most companies or organizations are not equipped to deal with a constant stream of hacking attempts on their systems.
CISOs use an average of 4.8 application security tools to protect company assets, with penetration testing and incident response processes at the top of the list. As more breaches occur at the application level, IT departments have made app security spending a priority, Bugcrowd said.
There are four distinct areas that require increased security investment—cloud-hosted apps, public-facing Web apps, mobile apps and APIs. The report said that 59% of CISOs wanted to invest in cloud-hosted apps, with 57% citing public-facing Web apps as a key area of security investment. Around 39% of CISOs said that they would make mobile apps a priority investment.
Cybersecurity Has A Talent Gap
The intent to invest is to be applauded, but 71% of CISOs said they were hampered by financial constraints. Staffing issues were the main cause of concern, with 54% of respondents citing them as an ongoing challenge. An immature security culture within the organization and inadequate testing methods were also issues for 36% and 26% of CISOs, respectively.
“In 2017, modern application security teams will continue facing resourcing and budgeting issues while investment areas continue to diversify,” the report said. “According to the Bureau of Labor Statistics, there are over 209,000 unfilled cybersecurity jobs in the U.S., and postings are up 74% over the past five years. Our research shows that this will be the top issue over the next year along with budget constraints.”
Sixty-five percent of respondents said that their organization was either currently running or planning to integrate a bug bounty program into its QA practices. CISOs ranked the model's main benefits highly: a diversity of testers, a continuous stream of application testing, and the ability to reveal critical vulnerabilities.
Bug bounty adoption is at an all-time high, the report said.
The integration of a bug bounty program can multiply the number of eyes looking for vulnerabilities. The shallow cybersecurity talent pool means that there are not enough experienced security researchers to go around, which makes a crowdsourced alternative an attractive option. In addition, an outsourced QA department can give a company as close to 24/7 coverage as is practically possible.
Bug Bounty Hunting Benefits Everybody
Naturally, a bug bounty hunter does not search for vulnerabilities for nothing.
TechCrunch reported that Google paid out over $3 million in bug bounties in 2016 as part of its long-running Vulnerability Rewards Program. According to the Google Security Blog, around 1,000 individual bounties were handed out, with one vulnerability earning the hunter $100,000. And that is just one of the many bug bounty programs being run in the private sector.
When you consider that malicious third parties are always looking for new targets, finding vulnerabilities before the bad guys do should always be a priority. A recent report by Austrian software company Tricentis said that $1.1 trillion in assets were impacted by software failures in 2016 alone, with the finger of blame falling upon security breaches among other things.
With that in mind, a crowdsourced security-testing program is a tried and (no pun intended) tested way to make sure that companies don’t leave themselves open.
“As they have continued to prove successful, bug bounty adoption has increased amongst enterprise organizations in 2016,” Bugcrowd said. “We expect this trend to continue in 2017 with emphasis on financial services, e-commerce, automotive, and technology organizations. The results-driven model and competitive nature of bug bounties drive success in the enterprise.”