More than one-third of organisations (34%) admit to bypassing security to get products out to market more quickly, a survey has revealed.
This is despite the fact that unpatched vulnerabilities accounted for 27% of breaches in 2018, according to Verizon’s Data Breach Investigations Report (DBIR).
The survey, of 300 information security professionals at the Infosecurity Europe conference in London by security firm Outpost24, also revealed that 64% of respondents believe their customers could easily be breached as a result of unpatched vulnerabilities in their organisation’s products and applications.
Also, 29% of respondents were not sure, or did not believe, that their organisation’s products and applications would fare well if a security penetration test were carried out on them.
“Our study shows that despite continuous warnings, organisations are still leaving their customers at risk because of a failure to address security vulnerabilities in products before they are introduced to market,” said Bob Egner, vice-president at Outpost24.
“If organisations are not addressing these security vulnerabilities, they are taking a huge gamble and abusing customer trust.”
Negligence towards security will eventually lead to “disastrous outcomes” for technology and application suppliers and their customers, said Egner.
“There should be no excuses today, especially when security is such a big issue and so many breaches, which have happened up and down the technology stack, are well publicised,” he added.
The survey also revealed that although 92% of security professionals said their organisation believes it is important to carry out security testing on new products and applications, nearly two-fifths of organisations do not introduce security testing from the beginning of the product or application lifecycle.
“While many organisations seem to understand the importance of security testing, they are not necessarily putting it into practice,” said Egner.
“A combination of penetration testing and automated application scanning is a great way to unearth software vulnerabilities in products and applications, and organisations are advised to carry out the process continuously or at least before they put a product out to market.
“The aim is not to address every single vulnerability detected, but to understand which are the most dangerous to the business and its customers and then work to remediate them first.”