Slashdot Mirror


26% of Companies Ignore Security Bugs Because They Don't Have the Time to Fix Them (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A survey compiled last month at the RSA security conference reveals that most companies are still behind with proper security practices, and some of them even intentionally ignore security flaws for various reasons ranging from lack of time to lack of know-how. The survey, which compiled answers from 155 security professionals from the companies present at the RSA conference, revealed that only 47% of organizations patch vulnerabilities as soon as they are known. Most worrisome is that some companies wait quite some time before applying patches, exposing their IT infrastructure to attacks. More precisely, 16% wait for one month, while 8% said they only apply patches once or twice a year.

90 comments

  1. It's not time, it's money... by TFlan91 · · Score: 4, Insightful

    It's not that I don't have enough time, I do.

    It's that the powers that be only want to spend time on something if a client pays for it.

    1. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      Sounds like an opportunity for a new revenue stream

    2. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      I'm sure they would be OK with you spending some of the time they aren't paying you on things that don't bring them any revenue. Damn, I'm a helluva problem solver.

    3. Re:It's not time, it's money... by Anonymous Coward · · Score: 1

      It's that the powers that be only want to spend time on something if a client pays for it.

      Such situations tend to create regulation.

    4. Re:It's not time, it's money... by TFlan91 · · Score: 2

      If you're a plumber and you hear that the house two doors down, whose pipes you installed 4 years ago during the construction of the house, has a leak, you aren't going to go and fix it for free, are you?

      I don't know what kind of regulation could facilitate good business and secure products. The more secure you make something, usually the more it will cost the client (even with security-first orientated programming).

    5. Re:It's not time, it's money... by v1 · · Score: 4, Insightful

      well, it IS time. but time IS money. so, yeah, kinda.

      Pinheads that only know how to count beans and don't understand the problem are asking each other "Is it important? How much does it cost? What's the return on investment?"

      They don't see the risk or the cost of losing on the risk. They only see the cost of the fix, and that looks like a very poor ROI, and it gets shot down, or continuously delayed.

      --
      I work for the Department of Redundancy Department.

    6. Re:It's not time, it's money... by TFlan91 · · Score: 2

      You work for free?

      I have some bridges you might be interested in.

    7. Re:It's not time, it's money... by sheetsda · · Score: 2

      This.

      And this isn't limited to contracting situations (where you typically hear the word "client"). I have seen this in companies that sell products on the open market, to whole industries. The company takes the approach that development schedules are dictated by what features customers say they want. Since the customer doesn't know the security problem exists they can't say "I want this fixed". It is therefore not a priority.

    8. Re:It's not time, it's money... by Anonymous Coward · · Score: 1

      That's also been my point for quite some time. Almost all the time, the last thing on the client's list of requirements is security. Especially if the client is a consumer...

      Hence the need to legislate harshly...

    9. Re:It's not time, it's money... by Anonymous Coward · · Score: 1

      Well isn't that the problem: if your company invests in better security measures, charges more and nothing ever happens, then you lose to your competitor that ignored security completely. It's a dice roll, but the big investors can hedge by investing in multiple dice rolls. Most likely by the time the big security breach happens, the only companies left are the ones who didn't invest in security (their competitors either left the space or stopped investing in security to try to compete with the lower prices). Brand damage hardly matters at that point, either, because you have such a lead on any new entrants, that your evils will be well forgotten by the time anyone can attempt to compete with you.

    10. Re:It's not time, it's money... by cyberchondriac · · Score: 3, Funny

      No, but I have some damn fine hearing..!

      --
      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.

    11. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      Client always pays anyway. A regulation just makes sure the client is charged for the otherwise optional or extra work now required, just like in the building industry where the client has to pay for inspections, plans, taxes, registration payments, copies, consulting and so on. Whether that is applicable to most software is another question.

    12. Re:It's not time, it's money... by Anonymous Coward · · Score: 1

      I second this, every couple weeks I try to underline the fact that our bug graph is going up and we need more people (three man team) yet still find the planning filled to the rim with new features to develop. Occasionally some high-profile customer brings down the hammer on our CEO regarding all the problems that still exist, that seems to help for a couple days.

    13. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      I hate to think of how many times I've had a conversation something like this:

      Manager: Give me a gantt chart of the tasks to get this project done in three months
      Me: The tasks to get it done will take six months
      Manager: No, it's easy. Divide the number of tasks into three months and give each task that much time
      Me: [facepalm]

    14. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      Not only that, often the "bean counter" also looks at the risk side with a flawed preconception: We haven't been compromised for this long, not fixing X isn't any more risk, it's the same amount of risk as we had before the fix was available...

      Risk factors compound with time and with quantity, not just individually. THIS seems to be the thing most people don't "get".

      I've actually heard the following:

      Nah, let's not make these changes, it's costly. We haven't lost our entire business to other security threats in the past 5 years, ignoring this one isn't going to make it any riskier.

    15. Re:It's not time, it's money... by Sumus+Semper+Una · · Score: 4, Interesting

      Honest question though: What IS the cost? Equifax suffered a breach of pretty much the most sensitive possible data you can have leaked, and if this article is correct, the total cost is approaching about $500 million. Had there been no data breach or had the data breach never been made public or had there been no political will to prosecute the company then the cost would have been practically nothing.

      Imagine a sort of reverse lottery. If you don't buy a ticket, there is a small chance (and nobody can tell you the exact likelihood) that your reputation will be publicly tarnished and you will be fined millions of dollars. If you buy a ticket, your chance drops drastically (but is never really zero). But the ticket costs thousands of dollars. Would you buy the ticket? What if the ticket is tens of thousands of dollars? What if it's hundreds of thousands of dollars? Is there a point where you will simply refuse to buy the ticket and accept the risk?

      I'm not saying these companies are making the right choice. I'm saying that from a purely practical standpoint I understand why someone might make the choice not to invest heavily into fixing security bugs. It's not the same choice I would make, but I seem to be more risk-averse than the average person judging by the choices I have seen people around me make. Still, if you don't understand why someone would make a decision, how do you ever expect to convince them to make a different decision?

    16. Re:It's not time, it's money... by cwsumner · · Score: 1

      ... Imagine a sort of reverse lottery. If you don't buy a ticket, there is a small chance (and nobody can tell you the exact likelihood) that your reputation will be publicly tarnished and you will be fined millions of dollars. If you buy a ticket, your chance drops drastically (but is never really zero). But the ticket costs thousands of dollars. Would you buy the ticket? ...

      What if the "tickets" had a small but definite chance of being contaminated, and making you very sick? The patches to computer systems have been getting more and more dangerous to people's businesses, to the point where they must consider if the risk from the patch is more than the risk from the criminal intruders. This is the real reason people are waiting, to see what happens to the first to try. All else is excuses to stop you from pestering them.

    17. Re:It's not time, it's money... by Monkey-Wrench-Inc · · Score: 1

      I hate to think of how many times I've had a conversation something like this:

      Manager: Give me a gantt chart of the tasks to get this project done in three months
      Me: The tasks to get it done will take six months
      Manager: No, it's easy. Divide the number of tasks into three months and give each task that much time
      Me: [facepalm]

      No lies detected.

    18. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      > It's that the powers that be only want to spend time on something if a client pays for it.

      Huh, this is sarcasm, right?

      But.. I see all you guys high-fiving each other.. I.. wtf.. what.. ?

      Directing resources to create revenue? Blasphemy, I tell you! BLASPHEMY!

    19. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      No, but if the house is a rental, the landlord is legally required to pay to fix it. This is similar to GDPR requiring companies to protect customers' data from privacy/security breaches. Requirements tend to be weaker on issues that cause trouble only for the owner as opposed to for others, although insurance should cover that case (and transparency/reporting laws for when we really mean the data owned by a publicly owned company, so the concept of ownership is a bit more complicated).

    20. Re:It's not time, it's money... by Tablizer · · Score: 1

      If the PHBs do give it any thought, they may conclude a 15% chance of getting hacked into bankruptcy is worth the risk of growing now by shaving off security measures. If the company croaks, they blame it on the techies (they don't put corner-cutting orders in writing), and move on to a different gig. Rinse, repeat.

    21. Re: It's not time, it's money... by jd · · Score: 2

      Oh, that's easy.

      1. All commercial software must be classed as fit for purpose within specified design parameters.

      2. All commercial software must have a warranty of 5 years where all defects will be fixed at vendor's expense.

      3. Vendors of software that violates CERT's secure coding rules, implements back doors or uses encryption algorithms broken at time of release shall be liable for losses due to security flaws.

      4. Vendors of mission-critical software must, on demand, provide proof of formal methods, extreme programming or tandem programming, and must be able to show ISO 900x compliance where relevant.

      5. Vendors who cannot provide a court with design documents and specifications, and proof the software complies with them, shall be deemed automatically at fault in any lawsuit.

      6. It shall be a crime punishable by 10 years to provide any mission critical device with unsecured or unauthenticated network access, whether anyone is injured or not.

      That should take care of everything.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

    22. Re: It's not time, it's money... by Anonymous Coward · · Score: 0

      But..but that would mean that all commercial software was designed and written by actual software engineers! To draw even more parallels to the building industry here, the engineers would have to demonstrate the required education level comparable to the complexity of the system and the amount of experience with similar systems before accepted to sign the designs. Failure to do so leads to automatic liability, and if the design or code would have to be audited by an independent party, a failure to pass the audit would be the result.

    23. Re:It's not time, it's money... by Kjella · · Score: 1

      The real issue with the reverse lottery is not whether the company would stomach the risk. It's that to the individual manager the risk is very low, while the worst consequence is that he's fired. It's the same reason many managers like to kick the can down the road: it's not because it's good for the business, but his performance looks good one more quarter. They're seeing most of the upside when it goes well and very little of the downside when things go catastrophically bad.

      --
      Live today, because you never know what tomorrow brings

    24. Re: It's not time, it's money... by Anonymous Coward · · Score: 0

      If by "take care of everything", you mean that we now have a bunch of hardware that does not have any software running on it, then yes that will certainly take care of things. ...or maybe you mean that we should go back to the days when a simple word processor cost about $500.00 to buy.

    25. Re:It's not time, it's money... by Darinbob · · Score: 1

      It's true, the security must be treated as a feature, and the customer must be told that security is a feature that they want (sometimes it seems this isn't true). However the fault often lies in sales and marketing, where a deadline for product delivery is set before product design and development even begins. Security often gets short shrift at the end when a project is running late. That's why your security subject matter expert must always be a bastard willing to shout in meetings. The security team should not be trying to win a popularity contest. And if you don't have a security team, then you need to get one.

      Also, don't let your company be run by a bunch of people who think they know it all but have no real world experience. They're the ones most likely to want to shift stuff fast and get their bonus/options and cash out before it comes crashing down.

    26. Re: It's not time, it's money... by Anonymous Coward · · Score: 0

      If by "take care of everything", you mean that we now have a bunch of hardware that does not have any software running on it, then yes that will certainly take care of things.

      Pretty much.

      There is software around that is compliant, but it is in medical equipment and industrial robot control systems.
      The software controlling the ABS in your car is probably compliant too.

      or maybe you mean that we should go back to the days when a simple word processor cost about $500.00 to buy.

      When dealing with safety critical systems you usually spend some time isolating what components are critical and what components aren't. That way you only have to be sure about a small subset of the system.
      OK, operating systems don't have a lot of support for protecting parts of a program from the rest of it, but if you can run the critical parts as a separate process you might be able to get some protection that way.
      If your software doesn't access the internet that closes a bunch of possible security holes.
      Remove the automatic update function from your word processor and that neat function that runs auto-correction through an online service and suddenly your software doesn't have anything that you need to secure.

      Writing secure software isn't really that hard, but you need to do it from the beginning and you need to keep it in mind when making changes.

    27. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      Ever wonder why marketing/sales sets the deadlines?

      After some experience on that issue I will tell you why: no shit ever gets done.

      Repeat after me: leaving the devs in charge of the schedule == nothing changes, ever. Because, reasons.

    28. Re:It's not time, it's money... by thegarbz · · Score: 1

      What IS the cost?

      You can't consider the cost in isolation. You can only consider the risk. If you only consider cost then nothing would ever advance as you don't take into account the likelihood of the high-cost event hitting you.

      Risk is fundamentally the likelihood of something happening and the consequence of it happening. I could die from getting hit by an asteroid. It's unlikely so I live with the risk rather than building an asteroid proof hat.

    29. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      The odds for this lottery are quite appalling:

      More than half (55 percent) of the nearly 600 small- and medium-sized businesses surveyed by the Ponemon Institute reported being hit by a cyber attack in the past year, and 50 percent said they experienced a data breach involving customer and employee information over the same time period. It cost these companies an average of $879,582 in damage to or theft of IT assets and an average of $955,429 due to the disruption of operations, according to Ponemon’s “State of Cybersecurity in Small and Medium-Sized Business,” which was released in June 2016.

      To invest $800K on average every year seems like a good economic plan.
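
The risk arithmetic this subthread keeps circling (comment 14's point that risk compounds over years, comment 15's reverse lottery, comment 28's likelihood times consequence, and the Ponemon figures quoted just above) can be worked through in a small model. The following Python is an added example, not part of any comment in the thread. The 50% annual breach rate and the two per-incident cost figures are the Ponemon numbers quoted above and the 15% annual rate is Tablizer's gamble from comment 20; the $80,000 per year control budget and the 5% residual breach rate it is assumed to buy are constructed illustrative values.

```python
"""Expected-loss and compounding-risk model for the patch-or-don't argument.

Added example, not from the thread. Figures marked 'quoted' come from the
Ponemon survey numbers cited in the thread; everything else is constructed.
"""
from dataclasses import dataclass

# Quoted in the thread: 50% of surveyed SMBs had a data breach in one year,
# costing on average 879,582 USD (IT assets) + 955,429 USD (disruption).
PONEMON_ANNUAL_BREACH_RATE = 0.50
PONEMON_COST_PER_BREACH = 879_582 + 955_429  # 1,835,011 USD


@dataclass(frozen=True)
class Scenario:
    name: str
    p_annual: float             # probability of at least one breach per year
    impact: float               # cost of one breach, USD
    annual_control_cost: float  # the "ticket": what you pay each year to fix/patch


def expected_annual_loss(s: Scenario) -> float:
    """Risk = likelihood x consequence (comment 28), per year."""
    return s.p_annual * s.impact


def expected_annual_total(s: Scenario) -> float:
    """What an option really costs per year: the ticket plus the expected loss."""
    return s.annual_control_cost + expected_annual_loss(s)


def cumulative_breach_probability(p_annual: float, years: int) -> float:
    """Chance of at least one breach over `years` independent years.

    This is the compounding-with-time point from comment 14: an unchanged
    per-year probability still adds up to near-certainty over a few years.
    """
    return 1.0 - (1.0 - p_annual) ** years


def break_even_control_cost(without: Scenario, with_control: Scenario) -> float:
    """Highest annual ticket price at which buying the ticket still pays off."""
    return expected_annual_loss(without) - expected_annual_loss(with_control)


def cheaper_option(without: Scenario, with_control: Scenario) -> str:
    """Name of the scenario with the lower expected annual total cost."""
    if expected_annual_total(with_control) < expected_annual_total(without):
        return with_control.name
    return without.name


# Constructed scenarios. The 80,000 USD/yr control budget and the 5% residual
# breach rate it is assumed to buy are made-up values for illustration only.
NO_PATCHING = Scenario("ignore the bugs", PONEMON_ANNUAL_BREACH_RATE,
                       PONEMON_COST_PER_BREACH, 0.0)
PATCHING = Scenario("fix the bugs", 0.05, PONEMON_COST_PER_BREACH, 80_000.0)


if __name__ == "__main__":
    for s in (NO_PATCHING, PATCHING):
        print(f"{s.name:16s} expected loss/yr = {expected_annual_loss(s):>12,.0f} USD  "
              f"total/yr = {expected_annual_total(s):>12,.0f} USD")
    print("cheaper option:", cheaper_option(NO_PATCHING, PATCHING))
    print(f"break-even ticket price: "
          f"{break_even_control_cost(NO_PATCHING, PATCHING):,.0f} USD/yr")
    # The "we haven't been hit in 5 years, so nothing changed" reasoning from
    # comment 14, and Tablizer's 15%-per-year gamble from comment 20:
    for p in (0.15, 0.50):
        for years in (1, 3, 5):
            print(f"p={p:.2f}/yr over {years} yr -> P(at least one breach) = "
                  f"{cumulative_breach_probability(p, years):.1%}")
```

Run it as a script to print the comparison; the point of the break-even figure is that the ticket price a manager would have to be quoted before ignoring the bugs becomes the cheaper option is far above what a patch program usually costs, which is exactly the gap between the bean-counter's view and the risk view argued above.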

    30. Re:It's not time, it's money... by v1 · · Score: 1

      Imagine a sort of reverse lottery. If you don't buy a ticket, there is a small chance (and nobody can tell you the exact likelihood) that your reputation will be publicly tarnished and you will be fined millions of dollars. If you buy a ticket, your chance drops drastically (but is never really zero). But the ticket costs thousands of dollars.

      That already exists, and it's called "medical insurance" ;)

      --
      I work for the Department of Redundancy Department.

    31. Re: It's not time, it's money... by Anonymous Coward · · Score: 0

      Define Commercial Software. Most places I've worked don't use off the shelf software as the main product base, mostly what is used are open source libraries or servers (Apache, Nginx, etc) mixed with custom software written in house or by contractors. A continuous build process could be set up to always use the latest version of a 3rd party library so as to stay current, but I've had applications in my space that were 2+ years old that weren't being rebuilt because they did exactly what they were supposed to do and no one was asking for enhancements.

    32. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      Regulation is ignored unless enforced. Most companies just hope they will fly under the radar. There are 'audits' but so far I have never seen an auditor do what he is supposed to do (find potential issues) vs do what he is paid for (give a certificate of health to their customer).

    33. Re: It's not time, it's money... by david_thornley · · Score: 1

      Writing secure software isn't really that hard, but you need to do it from the beginning and you need to keep it in mind when making changes.

      Which should mean that there is complicated software out there without security flaws, and I don't believe that.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes

    34. Re:It's not time, it's money... by Anonymous Coward · · Score: 0

      Equifax has faced nearly no consequences. Its stock price is unaffected. $500 million sounds like a lot to us peons. Equifax is one of the world's largest companies. Its stock took a -0.09% downturn. This is practically nothing.
      The people who lost out on the Equifax breach aren't its customers. Its customers were unaffected and disinterested in the fact that the cows they milk for data were exposed to risk.
      Since the government didn't penalize them, their customers don't care, and even the stock market is not interested, where are the consequences?
      Where is the ROI in fixing security breaches that have no consequences?

  2. patch vulnerabilities as soon as they are known by Anonymous Coward · · Score: 1

    Yea, no shit. You don't just apply a vendor supplied patch to prod and hope it doesn't break anything.

    1. Re:patch vulnerabilities as soon as they are known by supremebob · · Score: 2

      Yeah, that didn't exactly work out well for the early adopters of the Spectre and Meltdown fixes. Not only were they initially buggy as well, but they didn't even fix all of the security flaws.

      Like it or not, it's usually best to wait a day or two for someone else to be the guinea pig for security patches before putting them into Production, unless the issue is actively being exploited by a virus or a worm.

    2. Re:patch vulnerabilities as soon as they are known by thegreatbob · · Score: 1

      Better still, some (*cough* MS patches going to Win7 and 2K8) introduced additional flaws...

      --
      There is no XUL, only WebExtensions...

  3. Then 26% should be sued by Rick+Schumann · · Score: 3

    Fix your shit or be run out of business. I think I speak for the majority when I say we're all sick and bloody well tired of having every gods-be-damned thing on the planet hacked by whoever because the firmware/software is written poorly.

    1. Re:Then 26% should be sued by Anonymous Coward · · Score: 3, Insightful

      Were it only so simple, but a few things tend to push security down the priority list.

      1) Lack of perceived value. If it takes company A 100 man hours to implement a product with proper security, and company B 80 man hours to do the same thing but with poorer security practices, then most clients and consumers will choose company B (assuming no other factors at play) because of the reduced cost and the fact that good secure implementations are not easy to ascertain at a glance.

      2) Lack of perceived consequences for poor security. Equifax has had one of the biggest breaches of personal information for the US. Its stock price hasn't recovered back to its previous highs, but it's slowly and steadily coming back up (and to be fair, it was overvalued in the first place). To most people that just means that the cost of having a big breach isn't that big a deal.

      3) The traditional fight between convenience and security. Convenient things make good first impressions, good first impressions tend to make sales.

      There's some other factors but I think those three points tend to broadly cover most of the reasons why security isn't prioritized. I wish it wasn't so but that's the reality that we have to deal with.

    2. Re:Then 26% should be sued by Anonymous Coward · · Score: 0

      People that are this vocal about getting hacked are usually the most ignorant about it. Security is hard. Doing security well is harder. The most dangerous place to be in is to know enough about it to think that you know what you're doing. If you're not an elite member of the field, then you're probably just making things worse.

    3. Re: Then 26% should be sued by Anonymous Coward · · Score: 0

      Your premise doesn't even match the article. These people are actively ignoring security problems. They could be easy or hard to patch, it doesn't matter if you ignore them.

    4. Re:Then 26% should be sued by Anonymous Coward · · Score: 0

      99 little bugs in the code, 99 little bugs.
      Take one down and patch it around
      127 little bugs in the code

    5. Re: Then 26% should be sued by Anonymous Coward · · Score: 0

      Good luck with that. The true statistic is 100% of companies.

    6. Re: Then 26% should be sued by Anonymous Coward · · Score: 0

      >Ctrl + f

      >100%

      Beat me to it.

    7. Re:Then 26% should be sued by Anonymous Coward · · Score: 0

      You clearly don't speak for us all. Security is important, but it has a cost factor and that cost matters. The entire point of a business is to make money. Sometimes being less than perfect on security will still make you plenty of money.

      Besides, we love to rant on Equifax on security, but how many other companies have sold the same data that someone stole from them? You think your personal info is safe? Grow up. It's been sold many times over if you've given it to anyone. The thieves probably sold the same data to even more companies, but at a cheaper price than the people that collected the data.

      That's one reason you should just breathe and realize what you are securing. Money is usually insured and life and death isn't even a factor. Most businesses don't have enough of your data to even matter.

      Security is important, but it sure as hell isn't #1 or even #3 on the list. It's not THAT important.

    8. Re:Then 26% should be sued by Rick+Schumann · · Score: 1

      How hard is it to not leave a hard-coded Administrator password in something as a backdoor? Also if you're so goddamned smart then why are you posting as an AC? Is it because you're actually an idiot who should have kept his mouth shut?

    9. Re:Then 26% should be sued by holophrastic · · Score: 1

      It's not my shit to fix. I didn't create it. I bought a [software] tool, I paid for it, I've been using it for some time.

      It was always broken, but it took this much time for someone to notice the bug. Now there's a fix.

      I don't have time to stop manufacturing white tube socks in order to upgrade the e-mail client that I purchased years ago.

      So sorry.

      You have three options.

      The first is the current plan -- I get to it when I get to it, and you don't complain.

      The second is that you have the creator of the software pay to upgrade me -- that means paying for my downtime and retraining too.

      The third is that you do what you do in every other industry -- you start prosecuting the criminals. It's not illegal to get burglarized. It's criminal to burgle.

      So, let me ask you this: do you live in a house? Is there a lock on your front door? Well, hackers have defeated that lock, so you need to upgrade to a dead-bolt. Do you have a dead-bolt? Well, hackers can break windows too. You need to upgrade to bars on your windows.

      Do you drive a car? At high speeds? On roads with on-coming traffic? Separated by nothing but a yellow stripe of paint? I guess you need to upgrade to a tank.

      I'm not responsible for criminals breaking down my door with more equipment than I can afford to resist. So sorry. My entire car can be lifted up and carried away by six teenage boys. It doesn't matter how good my locks are. Half of my car is canvas, so a knife is sufficient.

      So, like everything else in my life, I'll upgrade my systems when a) I buy new systems or b) after I get attacked. Welcome to life.

      Meanwhile, we've solved this problem long ago: it's called law enforcement. You can't stop me from walking up to someone in public and killing them with a baseball bat.

      So start prosecuting criminals.

    10. Re:Then 26% should be sued by vtcodger · · Score: 1

      If your solution is writing quality software, that's a non-starter. It might be possible to write really good software. But it'd be text based. No fonts. No images. Very few capabilities. Few or no configuration options. And it'd cost.

      Trust me, the world is not yet ready for a life without cat videos. Maybe after another decade of pain, that'll look like an OK idea. But for the time being we're going to continue to hold things together with duct tape and charge forth into a glorious (if wildly insecure) future while blaming other people for the problems we are creating.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey

    11. Re: Then 26% should be sued by jd · · Score: 2

      If you bought a car and the car is then recalled due to a propensity for the brakes to fail, you don't get to claim in court that the pedestrian you ran into was just unlucky but that it wasn't your shit to fix.

      That excuse doesn't fly. If the product is dangerously defective and you know that it is, you are liable.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

    12. Re: Then 26% should be sued by jd · · Score: 1

      In part, software vendors renting rather than selling products are responsible, along with a refusal to offer a warranty.

      I'd suggest placing stiff penalties on failing to follow established practices, and jail sentences for failing to fix in a timely manner or responsibly upgrade in a timely manner.

      Making it a criminal offence with a ten year fixed tariff should liven things up.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

    13. Re:Then 26% should be sued by FormOfActionBanana · · Score: 1

      Should we give you a secure coding quiz?

      --
      Take off every 'sig' !!

    14. Re: Then 26% should be sued by holophrastic · · Score: 1

      I won't allow you to equate the privacy of names and phone numbers with instant death.

    15. Re: Then 26% should be sued by jd · · Score: 1

      From a software standpoint, a failure to validate inputs and a failure to validate code against a specification is independent of what the code does.

      In ISO 9000 training, we were taught that we should consider anything that could cost $1m or more if things went wrong to be equivalent to killing someone. But, hey, what does NASA know about failure not being an option?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

    16. Re:Then 26% should be sued by Anne+Thwacks · · Score: 1

      If it takes company A 100 man hours to implement a product with proper security, and company B 80 man hours do to the same thing but with poorer security practices, then most clients and consumers will choose company B

      Most non-technical people do not have even the most basic grasp of the issues, and cannot be expected to. They assume that software is required to be "goods of merchantable quality" like anything else, and believe bugs crawl into software the same way cockroaches get in the kitchen. They simply don't understand that most software is designed and written by people who work in an environment where "doing the right thing" could be a sackable offence (despite the fact that this also appears to be the case in a lot of dead-end jobs like working for Amazon).

      This includes most CXOs, judges and juries.

      Massive legal penalties are required. Urgently. In particular, MS executives should be sent to Parchman Farm in droves.

      And, "a jury of your peers" should mean that the jury should have sufficient understanding of the issues as to be in a position to grasp the concepts involved in the charges (a problem with most white collar crime). However, we don't want to expose ourselves to a situation where the police police themselves - we know where that ends up (blood on dance floor).

      --
      Sent from my ASR33 using ASCII

    17. Re:Then 26% should be sued by Anonymous Coward · · Score: 0

      >If it takes company A 100 man hours to implement a product with proper security, and company B 80 man hours

      Computer security is a strange beast where developing with proper security is quite often (most of the time for software development) cheaper than the contrary. If your software is rigged with security bugs, it is most probably rigged with plain old bugs and this is the sign of spaghetti coding practices. What is the cost of a big technical debt? Most of the time far higher than proper coding.

    18. Re: Then 26% should be sued by Salgak1 · · Score: 1
  4. Like Windows XP in China. by xack · · Score: 1

    No support from Microsoft for over four years but still over 10% market share for the security hole OS. It will get even worse when Firefox drops support. It gets to the point where it's easier to reformat every few months than to keep updating. Most viruses probably get firewalled anyway.

    1. Re:Like Windows XP in China. by Anonymous Coward · · Score: 0

      Nothing gets worse once it's Firefox free

  5. So Windows 10 has got to affect this too by Anonymous Coward · · Score: 0

    You have to figure Windows 10 and its nightmare of patches and re-patches has to make this worse. Not only dealing with security, but also the fixes can create their own issues. I think back to Equifax and a patch that was released months ago that never got installed on Equifax servers.

  6. Nobody should by Train0987 · · Score: 0

    Nobody with any experience installs a patch immediately when it's released if they aren't forced to. It only takes one time borking your entire network/domain by being the unwitting beta tester to learn that lesson.

    1. Re:Nobody should by Anonymous Coward · · Score: 0

      This. We're only now getting to the point where we're applying Spectre/Meltdown patches. Granted, we're behind some heavy hardware firewalls, etc., and we're not sharing our on-site boxes with other companies so the risk was low, but with the potential issues of performance loss, bugs, etc. it definitely makes sense to wait and test it out in a sandbox/dev environment if you can.

    2. Re:Nobody should by jbmartin6 · · Score: 1
      This article is just as good as those "studies" which revealed people would tell their password for a scoop of ice cream. Without any context the information is meaningless. Was it even really the password? Which password, their bank account or some useless website login? Here's a breathtakingly ignorant statement from the article:

      even if they were to hire penetration testing services they were sure the pen-testers wouldn’t expose any new risks or flaws. The sheer ignorance of such statement somewhat explains why some respondents admitted to not having time to apply security patches

      We hired a pentester and they didn't expose any flaws, we already knew about all of them. Phishing email, macro or exploit to powershell to downloaded binary to credential theft via LLMNR/NBNS to pass the hash to admin account, and so on. If you are hiring a pentester solely to expose new flaws, you are doing it wrong. Much like the author of this article.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  7. As soon as they're known? by Anonymous Coward · · Score: 0

    What does "as soon as [the vulnerabilities] are known" mean? Does it mean when DSA or USN is issued, which can be months after the CVEs are assigned and public? Or does it actually mean as soon as the vulns are made public?

    That's one of the reasons why I prefer Gentoo in production. The ability to bump the port version, build and push to testing extremely easily, not needing to backport any patches across versions and in the process break stuff and introduce regressions, as Ubuntu and Debian often demonstrate.

  8. In related news by rsilvergun · · Score: 5, Informative

    74% of companies lie on surveys.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:In related news by Anonymous Coward · · Score: 0

      Well ya.. I would say it is more like 70% but that 70% includes major financial institutions.

    2. Re:In related news by 140Mandak262Jamuna · · Score: 1

      92.3% of the statistics are made up on the spot.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    3. Re:In related news by Anonymous Coward · · Score: 0

      Yeah, I was just thinking - what's the excuse for the other 74%?

  9. "Put a dot on the map, we'll come back to that." by Anonymous Coward · · Score: 0

    "Put a dot on the map, we'll come back to that."

    Which is said just to dismiss the issue demanding attention.

  10. depth of defense by Spazmania · · Score: 1

    Correct security is about depth of defense. If you -have- to patch immediately every time then you've already failed.

    Take your time. Do it right. If you understand your security posture and have designed it well, patching once or twice a year may well be sufficient.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:depth of defense by Anonymous Coward · · Score: 0

      Hopefully no one is buying this crap.

  11. no consequences by Anonymous Coward · · Score: 3, Insightful

    It's because of the lack of consequences, not because of time.... They would take the time to fix the issues if there were appropriate consequences if they don't.

  12. The only thing that really matters... by Anonymous Coward · · Score: 0

    The only thing that really matters is to have someone to throw under the bus when the shit hits the fan. Everything else is irrelevant.

  13. security isn't a concern by Anonymous Coward · · Score: 0

    Truth is security isn't a concern. I would bet most companies make new products that are vulnerable to a number of disclosed CVEs.

    Time and schedule for new features, people assume it's secure until proven otherwise

  14. Purely from academic interest ... by Hognoxious · · Score: 1

    Purely from academic interest and in the cause of like research and all that, which 26%?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  15. They are lying. by JimSadler · · Score: 1

    If you have a labor vs. time issue you hire more people with the abilities needed to do the job. That means it is really a money problem or a cheap problem. Where you run into this is when you are a consumer. You have an issue. You make a phone call. You run into fruitless robotic replies that do not address your issue at all, and every time they steer you to another robotic responder you end up at another dead end. The penny pinchers have gained control. It is one heck of a lot cheaper to jerk people around with poorly functioning answering machine programs. And it gets a lot worse. The next treat is that when you finally find a way to connect with a human they are usually so undertrained or inadequate for their jobs that the answers you get are way off base and make things even worse than they were before. I have found the way to get around those voice robots and that is to call the sales department. No business is dumb enough to insult potential buyers with no human answering the phone. The sales department will usually transfer you to an employee who supposedly is familiar with the issue. If you want practice at this madness simply become a Comcast customer. You can have a real thrill as they can't figure out that you were double billed for over four months. Rarely do the people who answer the phones, whom you are lucky to reach, actually know what they are doing. And more of a howler, the typical employee thinks they are super good at their job.

    1. Re:They are lying. by david_thornley · · Score: 1

      If you have a labor vs. time issue you hire more people with the abilities needed to do the job.

      Ah, another person who hasn't yet read Brooks' "Mythical Man-Month". There's a chapter examining exactly what happens when you hire more qualified people because you're not going to make the deadline.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  16. Front and back by Anonymous Coward · · Score: 0

    Many companies I've worked with are still focused on edge security and front end patching, making an invalid assumption that their greatest security risks are the bad guys trying to break in from the internet. The reality is that disgruntled employees and on-site 'visitors' present far greater risks to the security of the back end, where all that juicy sensitive data is stored but usually with a lot less protection. I only have moderate technical skills and every client I've EVER worked with could have been completely owned with fairly limited effort if I was ever asked to.

  17. Blue Screens by shayd2 · · Score: 1
    Given the history of "patches" bricking machines, you don't want to be on the bleeding edge of patching.

    Most organizations don't have resources to hold a fall-back copy of their production server(s).

    1. Re:Blue Screens by viperidaenz · · Score: 1

      Most (read: all) organisations I've worked for have two sets of production servers. Prod and DR.
      Software updates and patches only happen to one at a time, until it has been proven good. If there's a failure, there's almost no down-time as the server roles are switched.

    2. Re: Blue Screens by Anonymous Coward · · Score: 0

      Also, they should (but rarely do) have more production-like development and test environments that get patched first, following a steady 'promotion' process. But almost always they scrimp on them and end up with up to 18-month delays between critical patches being tested and going live.

    3. Re:Blue Screens by Anonymous Coward · · Score: 0

      Hmmm....I work for the largest employer in the USA and that is not how it is everywhere. Failure is common.

  18. And my kids... by Anonymous Coward · · Score: 0

    don't have time to do their homework.

  19. Because that worked so well by rsilvergun · · Score: 1

    for Microsoft. And if you want hardened firmware for the tablet you give your kid to watch youtube be my guest. It'll be $1500. Me? I'll stick to my $60 el-cheapo. I don't always need perfect security.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  20. Or.. by MpVpRb · · Score: 1

    ..don't have the technical competence

    Security is hard

  21. Security only becomes a critical issue by nehumanuscrede · · Score: 1

    when your Corporate name is being dragged through the mud, the Litigation Monster makes an appearance, your shareholders are getting out the torches and pitchforks and management is frantically looking through the list to see which Junior Developer they can pin the blame on for the 'bug' in the code.

    THAT is the only time companies take security seriously because, let's be honest, there are otherwise no consequences for being the Corporate equivalent of an incompetent fuck up. A slap on the wrist, a mediocre fine, maybe a name change and it's back to business as usual.

    Once upon a time, a brand name MEANT something. $brand could command a higher price tag because $brand was synonymous with a quality product.

    Those days are long gone.

    Thus the era of Incompetence has arrived. Where some decent Q/A or even realistic Beta Testing may have caught your problem long before it became that giant Iceberg you're sailing into.

    But no one cares. We have enough life boats.

    Full speed ahead! :|

  22. . . . or they spent the money on something else. . by Salgak1 · · Score: 1

    . . . I run a Secure Code Analysis team. I am **CONSTANTLY** bombarded with "well, this is legacy code, there's no budget left for security. . . ."

    Dude. One of the requirements in the contract was to comply with the appropriate regulations and best practices. Which, despite my team bugging you for literally YEARS, and pointing out where the contract specifically requires code reviews. . . .I get told "when did this requirement come in" and "we don't have the money for that." But apparently they had the money for three extra Vice Presidents and their staffs. . . /boggle

  23. Risk Management. . . by Salgak1 · · Score: 1

    . . . anyone who has studied for a CISSP or SANS GIAC Cert knows about risk management.

    1. How likely is the bug to be exploited? (x times a year)
    2. How much damage will the bug cost? (y dollars per attack)

    . . . and THEN: how much will it cost to fix the bug? (call it "z": recoding, testing, review, distribution of fix)

    Then you do the math: If z is less than x times y, it makes sense to fix the bug. If z is more than x times y, and especially much more, you accept the risk. And you revisit the question periodically, as security is an ongoing process, not a single pass-it-and-go state.
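As an added worked example (not from the thread or any commenter), the x, y, z arithmetic above in Python, run over a constructed list of findings with made-up figures; the `prioritize` helper and the `horizon_years` knob for the "revisit periodically" step are my additions.

```python
# Added example, not from the Slashdot thread. Numbers below are constructed.
# x = expected exploitations per year, y = damage in dollars per attack,
# z = one-off cost to fix (recoding, testing, review, distribution).
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    x_per_year: float    # expected exploitations per year
    y_per_attack: float  # damage in dollars per successful attack
    z_fix_cost: float    # one-off cost to fix


def annual_loss(f: Finding) -> float:
    """Expected yearly loss if the bug is left alone: x times y."""
    return f.x_per_year * f.y_per_attack


def decision(f: Finding, horizon_years: float = 1.0) -> str:
    """'fix' when z is less than the expected loss over the horizon, else
    'accept'. The post's rule is horizon_years=1.0; re-run with new x or y
    figures, or a longer horizon, when you revisit the question."""
    return "fix" if f.z_fix_cost < annual_loss(f) * horizon_years else "accept"


def prioritize(findings):
    """Order the 'fix' items by expected loss avoided per dollar of fix cost,
    so a limited budget goes to the bugs that buy the most risk reduction."""
    to_fix = [f for f in findings if decision(f) == "fix"]
    return sorted(to_fix, key=lambda f: annual_loss(f) / f.z_fix_cost, reverse=True)


# Constructed sample findings (hypothetical names and made-up numbers).
SAMPLE = [
    Finding("sqli-in-report-export", x_per_year=2.0, y_per_attack=250_000, z_fix_cost=40_000),
    Finding("verbose-error-page", x_per_year=10.0, y_per_attack=500, z_fix_cost=8_000),
    Finding("weak-session-timeout", x_per_year=0.5, y_per_attack=60_000, z_fix_cost=20_000),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.name}: x*y=${annual_loss(f):,.0f} z=${f.z_fix_cost:,.0f} -> {decision(f)}")
    print("fix order:", [f.name for f in prioritize(SAMPLE)])
```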