Given the unusual year, it’s more difficult to make any definitive statements concerning trends, but a report published by Bugcrowd, a provider of a platform for crowdsourcing security testing, suggests that with more cybersecurity professionals working from home the number of high-risk vulnerabilities being discovered has increased sharply.
The report finds there was a 50% increase in submissions on its platform in the past 12 months, including a 65% increase in Priority One submissions. Now to be fair, there is a lot more software running in production environments than ever. There are also a lot more testers practicing social distancing, so the amount of time spent looking for bugs has probably increased as well.
Unfortunately, the report also notes the vulnerabilities discovered this year are pretty much the same as they were last year and probably the year before that. The most submitted vulnerabilities in 2020 involved broken access controls, followed by vulnerabilities relating to cross-site scripting (XSS).
Overall, the report notes total payouts for finding vulnerabilities are growing steadily by about 15% to 20% per quarter.
Alas, just because more vulnerabilities are being discovered, it doesn’t necessarily follow they are being fixed. Building and deploying software is a complex process. Organizations make a tradeoff between fixing vulnerabilities and adding new capabilities all the time. It’s not uncommon for cybersecurity teams to regularly provide developers with a list of vulnerabilities that are roundly ignored. Some of that behavior stems from the fact many cybersecurity teams don’t do a great job distinguishing how critical one vulnerability is compared to another. The rest of it is a direct result of the fact that most application developers are already behind schedule on delivering the next great capability that everyone in the company can’t wait to see.
Adoption of DevSecOps best practices is, of course, supposed to solve these issues. IT teams should be working toward converging application development and workflows in ways that lead to more secure code being developed before it’s deployed in a production environment. After all, it’s a lot less expensive to fix code before it’s deployed than after. In practice, DevSecOps is like many other things that are talked about a lot more than they actually occur.
It will be interesting to see how vulnerability testing trends play out in 2021. As organizations embrace containers such as Docker to build applications, it should become a lot simpler to remediate vulnerabilities by ripping and replacing code. Rather than having to patch an entire application, the developer simply removes and replaces the container in which the offending code has been encapsulated.
On the downside, those containers are being employed to build applications based on microservices that can be challenging to secure. Each microservice has its own application programming interface (API) that needs to be secured by developers that are building and deploying more microservices with each passing day. It may turn out organizations are simply exchanging one application security issue for another.
In the meantime, cybersecurity professionals can take some cold comfort in the fact that more of these issues are coming to light sooner than later.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.