Bug Bounty Programs Only Half the Battle
- by nlqip
Figure 1: Bug types across valid submissions shows a decline in low value bug types such as clickjacking, and steady submissions in XSS and mobile bugs.
XSS, SQLi, and CSRF are among the OWASP “Top Ten”, with reams of documentation, tutorials, code samples, and tools capable of discovering these bugs before applications are introduced to the wild. One would think that organizations would take the time to ferret out and address such vulnerabilities before unleashing the hordes of grey and white hat hackers on their apps. After all, the budgets of smaller organizations with less mature internal security programs could easily become overwhelmed by the discovery and subsequent payout of such common vulnerabilities.
Or would they?
Thanks to the dearth of security talent available today, salaries are high. But the Bugcrowd survey found that bug bounty hunters appear to be willing to work for less than many command, with the majority (> 50%) citing a salary of $74,000 annually or less to hunt for bugs full time. App layer vulnerabilities are notoriously difficult to find. 63% of respondents in our State of Application Security 2016 believe that “attacks at the application layer are harder to detect – and more difficult to contain – than those at the network layer.” Deputizing the Internet starts to sound like a good value proposition at this point.
And yet the problem of addressing the bugs once they’re discovered (and paid out) remains. Deputizing the Internet to find the vulnerabilities does not remediate them automagically. As we all know from G.I. Joe, “knowing is half the battle”. Unfortunately for organizations, the other half is not red and blue lasers, but rather fixing the vulnerabilities once they are known to exist. Developers and operations must invest time and budget to redress such bugs. That organizations of all sizes find this difficult is evident in WhiteHat Security’s 2016 annual report, which found that “It takes approximately 250 days for IT and 205 days for retail businesses to fix their software vulnerabilities.”
In fact, the report notes that most web applications exist in a state of vulnerability:
- Information Technology (IT) — 60 percent of web applications are always vulnerable.
- Retail — half of all web applications are always vulnerable.
- Banking and Financial Services — 40 and 41 percent of web applications are always vulnerable, respectively.
- Healthcare — 47 percent of web applications are always vulnerable.
Some of this is due to severity, or web app usage. Threats and risk are two different measures, after all, and it behooves every company to weigh carefully the existential threat of a vulnerability against the risk of its exploitation. Some organizations are simply backlogged with higher priority projects. A variety of surveys, including one from OutSystems, noted that organizations have an average backlog of 10-20 mobile applications. That doesn’t count the continued investment in new mainframe applications or other, just as critical, web applications.
While there is certainly value in bug bounty programs for organizations of all sizes, it’s only half the battle. The other half lies in eliminating, or at least mitigating with intermediate tools and services, the bugs that such programs discover.
Knowing is only half the infosecurity battle. The other half is remediation.