Slashdot Mirror


26% of Companies Ignore Security Bugs Because They Don't Have the Time to Fix Them (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A survey compiled last month at the RSA security conference reveals that most companies are still behind with proper security practices, and some of them even intentionally ignore security flaws for various reasons ranging from lack of time to lack of know-how. The survey, which compiled answers from 155 security professionals from the companies present at the RSA conference, revealed that only 47% of organizations patch vulnerabilities as soon as they are known. Most worrisome is that some companies wait quite some time before applying patches, exposing their IT infrastructure to attacks. More precisely, 16% wait for one month, while 8% said they only apply patches once or twice a year.

14 of 90 comments

  1. It's not time, it's money... by TFlan91 · · Score: 4, Insightful

    It's not that I don't have enough time, I do.

    It's that the powers that be only want to spend time on something if a client pays for it.

    1. Re:It's not time, it's money... by TFlan91 · · Score: 2

      If you're a plumber and you hear that the house two doors down, whose pipes you installed 4 years ago during the construction of the house, has a leak, you aren't going to go and fix it for free, are you?

      I don't know what kind of regulation could facilitate good business and secure products. The more secure you make something, usually the more it will cost the client (even with security-first orientated programming).

    2. Re:It's not time, it's money... by v1 · · Score: 4, Insightful

      well, it IS time. but time IS money. so, yeah, kinda.

      Pinheads that only know how to count beans and don't understand the problem are asking each other "Is it important? How much does it cost? What's the return on investment?"

      They don't see the risk or the cost of losing on the risk. They only see the cost of the fix, and that looks like a very poor ROI, and it gets shot down, or continuously delayed.

      --
      I work for the Department of Redundancy Department.

    3. Re:It's not time, it's money... by TFlan91 · · Score: 2

      You work for free?

      I have some bridges you might be interested in.

    4. Re:It's not time, it's money... by sheetsda · · Score: 2

      This.

      And this isn't limited to contracting situations (where you typically hear the word "client"). I have seen this in companies that sell products on the open market, to whole industries. The company takes the approach that development schedules are dictated by what features customers say they want. Since the customer doesn't know the security problem exists, they can't say "I want this fixed". It is therefore not a priority.

    5. Re:It's not time, it's money... by cyberchondriac · · Score: 3, Funny

      No, but I have some damn fine hearing..!

      --
      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.

    6. Re:It's not time, it's money... by Sumus+Semper+Una · · Score: 4, Interesting

      Honest question though: What IS the cost? Equifax suffered a breach of pretty much the most sensitive possible data you can have leaked, and if this article is correct, the total cost is approaching about $500 million. Had there been no data breach or had the data breach never been made public or had there been no political will to prosecute the company then the cost would have been practically nothing.

      Imagine a sort of reverse lottery. If you don't buy a ticket, there is a small chance (and nobody can tell you the exact likelihood) that your reputation will be publicly tarnished and you will be fined millions of dollars. If you buy a ticket, your chance drops drastically (but is never really zero). But the ticket costs thousands of dollars. Would you buy the ticket? What if the ticket is tens of thousands of dollars? What if it's hundreds of thousands of dollars? Is there a point where you will simply refuse to buy the ticket and accept the risk?

      I'm not saying these companies are making the right choice. I'm saying that from a purely practical standpoint I understand why someone might make the choice not to invest heavily into fixing security bugs. It's not the same choice I would make, but I seem to be more risk-averse than the average person judging by the choices I have seen people around me make. Still, if you don't understand why someone would make a decision, how do you ever expect to convince them to make a different decision?

    7. Re: It's not time, it's money... by jd · · Score: 2

      Oh, that's easy.

      1. All commercial software must be classed as fit for purpose within specified design parameters.

      2. All commercial software must have a warranty of 5 years where all defects will be fixed at vendor's expense.

      3. Vendors of software that violates CERT's secure coding rules, implements back doors or uses encryption algorithms broken at time of release shall be liable for losses due to security flaws.

      4. Vendors of mission-critical software must, on demand, provide proof of formal methods, extreme programming or tandem programming, and must be able to show ISO 900x compliance where relevant.

      5. Vendors who cannot provide a court with design documents and specifications, and proof the software complies with them, shall be deemed automatically at fault in any lawsuit.

      6. It shall be a crime punishable by 10 years to provide any mission critical device with unsecured or unauthenticated network access, whether anyone is injured or not.

      That should take care of everything.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  2. Then 26% should be sued by Rick+Schumann · · Score: 3

    Fix your shit or be run out of business. I think I speak for the majority when I say we're all sick and bloody well tired of having every gods-be-damned thing on the planet hacked by whoever because the firmware/software is written poorly.

    1. Re:Then 26% should be sued by Anonymous Coward · · Score: 3, Insightful

      Were it only so simple, but a few things tend to push security down the priority list.

      1) Lack of perceived value. If it takes company A 100 man hours to implement a product with proper security, and company B 80 man hours to do the same thing but with poorer security practices, then most clients and consumers will choose company B (assuming no other factors at play) because of the reduced cost and the fact that good secure implementations are not easy to ascertain at a glance.

      2) Lack of perceived consequences for poor security. Equifax has had one of the biggest breaches of personal information in the US. Its stock price hasn't recovered back to its previous highs, but it's slowly and steadily coming back up (and to be fair, it was overvalued in the first place). To most people that just means that the cost of having a big breach isn't that big a deal.

      3) The traditional fight between convenience and security. Convenient things make good first impressions, and good first impressions tend to make sales.

      There's some other factors but I think those three points tend to broadly cover most of the reasons why security isn't prioritized. I wish it wasn't so but that's the reality that we have to deal with.

    2. Re: Then 26% should be sued by jd · · Score: 2

      If you bought a car and the car is then recalled due to a propensity for the brakes to fail, you don't get to claim in court that the pedestrian you ran into was just unlucky but that it wasn't your shit to fix.

      That excuse doesn't fly. If the product is dangerously defective and you know that it is, you are liable.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  3. In related news by rsilvergun · · Score: 5, Informative

    74% of companies lie on surveys.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  4. Re:patch vulnerabilities as soon as they are known by supremebob · · Score: 2

    Yeah, that didn't exactly work out well for the early adopters of the Spectre and Meltdown fixes. Not only were they initially buggy as well, but they didn't even fix all of the security flaws.

    Like it or not, it's usually best to wait a day or two for someone else to be the guinea pig for security patches before putting them into Production, unless the issue is actively being exploited by a virus or a worm.

  5. no consequences by Anonymous Coward · · Score: 3, Insightful

    It's because of the lack of consequences, not because of time... They would take the time to fix the issues if there were appropriate consequences if they don't.